Up to 12,000 customers of TravelSIM have been directly targeted by a clever scam, though the company denies that its database has been hacked.
The SIM cards are widely sold in Australia Post outlets and mobile phone stores, and offer cut-price global roaming if a traveler uses the TravelSIM card in their phone rather than their home carrier's SIM.
People who have used a TravelSIM in the past were directly targeted with an email titled "5 Coupon Discount for [username] - Save 35% TravelSIM".
The email linked to a third-party payment provider, Plimus, and gave instructions on loading the purchased recharge voucher into a TravelSIM account.
The problem? Although it didn't seem like a classic phishing email (it didn't ask for a TravelSIM username and password, or link to a faked website, for example), it was bogus -- the payments weren't being collected by TravelSIM, and the recharge vouchers were not real.
TravelSIM sent out an advisory email yesterday to all its customers warning that the discount recharge offer was a scam.
Responding to enquiries from Australian Business Traveller, TravelSIM CEO Jamien Zimmerman said the company had "no proof as yet" that its database had been hacked.
However, he also said, "If NASA, the Pentagon, Australian Banks and the Australian Government can all be hacked then in reality no business is 100% immune.
"It is important that consumers understand this and just like all other parts of life be aware that there are scammers and fraudsters out there. If it looks too good to be true or doesn't look right, there is probably something wrong going on."
Zimmerman said that although it appeared customers were directly targeted, "the evidence points to a generalized scam at this stage."
However, two Australian Business Traveller staff who had previously used TravelSIM cards received the scam email, while no-one else on staff did.
TravelSIM customers at risk of identity theft
We asked Zimmerman what information scammers might have been able to access if they had hacked the TravelSIM database.
He said customer passwords were stored in a one-way encrypted format that could only be decrypted if someone knew the correct password already, and that TravelSIM did not store payment details in its database.
However, he did not say whether customers' personal details that could be used in further identity theft, such as home addresses, dates of birth, and so on, could have been leaked.
The TravelSIM website also keeps a log of all the phone numbers a user has called.
Zimmerman said TravelSIM had reported the scam to Australian and US law enforcement and was working with an external IT audit company to review its security procedures and gather evidence.
"This is a timely reminder for everyone involved that in this day and age our personal information needs to be kept secure and we will be reviewing our security procedures and measures to ensure that we are taking all necessary measures to protect our customers' privacy."
The payment provider, Plimus, has shut down the pages linked from the original scam email, so no further payments can be collected. However, existing TravelSIM customers should watch out for signs of identity theft. A good place to start checking is with Veda Advantage, Australia's central credit monitoring bureau. You can request a free copy of your credit report, and it will show any new credit applications that have been made in your name.
Have you been affected by the TravelSIM scam, or do you know more? Email us.
The scam email targeted at TravelSIM customers is below:
From: [email protected]
Subject: 5 Coupon Discount for Dan - Save 35% TravelSIM
Date: 25 October 2010 5:08:59 AM AEDT
5 Coupon Discount: xls035 ( Save 35% ) TravelSIM ReCharge
BUY NOW: 25$ (link to payment provider removed by AusBT)
BUY NOW: 50$ (link to payment provider removed by AusBT)
BUY NOW: 100$ (link to payment provider removed by AusBT)
BUY NOW: 200$ (link to payment provider removed by AusBT)
Register for Handset TopUp by selecting which simcard to attach from the My TravelSIM page
When you require more funds in your TravelSIM Account:
With the TravelSIM SIM card in your mobile phone
Find the Sim (Travelsim) menu in your phones menu system
Select the Add credit option
It will ask you to enter a PIN code:
Enter the code:*50 (to add $50 AUD)
Enter the code: *100 (to add $100 AUD)
Enter the code: *200 (to add $200 AUD)
You will see a message on your phone asking you to wait for SMS
You will get an SMS after a while informing you of the outcome of your request
If you do not receive an SMS, please check your balance to see if it has increased before you try again or contact customer service.
The email TravelSIM sent out to its customers
It has come to our attention that customers have recently been targeted with a hoax email leading to a false TravelSIM payment page.
The email asks TravelSIM customers to purchase false discount coupons for TravelSIM recharge. When the link in the email is clicked on, a false payment page opens with a secure order form with a URL address similar to this:
Under no circumstances should you click on the link, reply to the email or provide any of the requested details.
To purchase TravelSIM TopUp (recharge) visit the TravelSIM web site: www.travelsim.net.au or contact TravelSIM on 1300 851 676.
TravelSIM will not send you emails offering discounted coupons for TravelSIM Topups / ReCharges. Only reply to emails that come from TravelSIM email addresses - they will always end in: @travelsim.net.au
Customers who have received the email and are concerned should contact the TravelSIM Support Centre on 1300 851 676 or suppo[email protected]