Telecommunications company Medion Australia has paid a fine of almost $260,000 after a compliance failure left its customers open to a bout of costly scams.
An investigation by the Australian Communications and Media Authority (ACMA) found Medion Australia failed to complete required customer verification checks for more than 1,600 SIM-swap requests.
Medion’s compliance failures resulted in nine known cases of people having their SIMs illegally swapped, five of whom suffered financial losses totalling more than $160,000.
ACMA emphasised that under industry rules introduced back in 2022, telcos are required to conduct multi-factor identity authentication checks before performing high-risk customer requests such as account changes, disclosure of personal information or SIM-swaps.
In some scathing remarks directed at the telco, ACMA chair Nerida O’Loughlin described said rules as “very effective” in preventing SIM-swap fraud, noting telcos have had “more than enough time” to bulk up their verification processes.
“SIM-swap fraud can cause significant harm as scammers may then be able to gain access to your online banking accounts and other personal information,” said O’Loughlin.
“In this case, criminals have taken advantage of Medion’s compliance failures.
“The rules have now been in place for well over 12 months, so telcos have had more than enough time to ensure they have robust verification processes.”
Medion has since paid a penalty totalling $259,440 for failing to comply with customer identification rules.
This isn’t the first time Medion has been called out by ACMA for compliance failures.
In April 2021, an ACMA investigation found the telco failed to carry out mandatory identity verification processes on 57 occasions when porting mobile service numbers.
While Medion initially got away with a formal warning, ACMA has responded to its more recent compliance failures with less patience – issuing not only a fine but further demanding improvements from the company.
Furthermore, the telco has committed to a two-year undertaking which will see the company appoint an independent consultant to review its compliance with customer ID rules.
Medion, which is based in Sydney’s Chatswood, is further expected to “make improvements where needed” and regularly report its progress to the ACMA.
The company sells its SIMs under the AldiMobile brand in Australia.
What are SIM-swap scams?
SIM-swap scams work by exploiting a victim’s personal details in order to fraudulently request a new SIM card connection from a provider.
By contacting a victim’s provider under the guise of being the valid account owner, scammers attempt to swap out an active SIM card and ultimately take control of a victim’s mobile number.
If successful, any text messages or calls intended for the victim will instead arrive at a new SIM held by the scammer, enabling them to exploit the phone number to access personal information and crucial two-factor authentication messages used in login processes for other services – such as email accounts, social media, and banking.
In order to bypass a telco’s verification processes, scammers will typically try to collect as much personal information about a victim as possible – whether through phishing, prior data leaks, or other simple attack methods.
Medion’s bout of SIM-swapping scams contributes to a long-running wave of identity theft attacks targeting Australians, which last year caused over $8.1 million in losses, according to the Australian Competition and Consumer Commission’s Scamwatch.