topic Re: SIM Swap Fraud: 2 factor-authentication in Announcements

SIM Swap Fraud: 2 factor-authentication

J_PM — Wed, 14 Jul 2021 14:18:21 GMT

Hey Community,

We’re pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account.

We have now implemented an additional step in the form of a 2 factor-authentication code to secure this process. This code can be sent via SMS or email, and must be verified to complete the SIM swap.

For more details, please see below.

All the information below can be found in this Help Article.

What is SIM swap fraud?

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information is on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts.

How does SIM swap fraud happen?

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account.

How do I know if I’ve been targeted by a SIM swap fraud?

You may have been a target of SIM swap fraud if you have suddenly lost service for no apparent reason. If this is the case, please follow the below steps to confirm your SIM card information has not changed.

Log in to your Self Serve account
Select “Change SIM card” from the main page

Confirm that the last four digits of the SIM card in Self Serve match the one in your device. If the digits do not match, you may have been targeted by a SIM swap fraud.

What do I do if I’ve been targeted by SIM swap fraud?

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

Put your phone into Lost/Stolen mode to suspend the fraudster’s service, to do this follow the below steps:

Log in to you Self-Serve account
Go to Plans and Add-Ons, then select “lost/stolen phone”
Select “suspend service”

Then, submit a ticket here - our Moderator team will be able to restore your original SIM card.

We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately.
You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free:1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

How to protect against SIM swap fraud?

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information.
Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all. We also recommend that you change your passwords, including your Self-Serve password regularly.
Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity.

- The Public Mobile Team

Re: SIM Swap Fraud: 2 factor-authentication

Dunkman — Wed, 14 Jul 2021 14:23:03 GMT

Nice work Public mobile.

This will be helpful and more convenient for customers.

Re: SIM Swap Fraud: 2 factor-authentication

softech — Wed, 14 Jul 2021 14:34:53 GMT

nice move to introduce 2FA

Re: SIM Swap Fraud: 2 factor-authentication

LEGO — Wed, 14 Jul 2021 14:45:04 GMT

Very good news! Thank you!

Re: SIM Swap Fraud: 2 factor-authentication

Staliger — Wed, 14 Jul 2021 14:45:24 GMT

@J_PM Thank you very much for improving the system and make it safer for our Community!😊

Re: SIM Swap Fraud: 2 factor-authentication

Anonymous — Wed, 14 Jul 2021 16:46:14 GMT

Nice work. Edit: (with reservations see further post)

(thank you for the bravo Jade_S) I'll reserve full acceptance until we see about any other fraudulent account activity.

Re: SIM Swap Fraud: 2 factor-authentication

LurganIeUk — Wed, 14 Jul 2021 15:24:24 GMT

Fantastic, that we are being kept up to date. This helps us when we refer a friend and allows us to provide our friend with up to date assistance, if needed.

Re: SIM Swap Fraud: 2 factor-authentication

hTideGnow — Wed, 14 Jul 2021 16:06:11 GMT

Best is that user can now check their SIM number (last 4 digits) again

but one observation, masking out the phone number and email at the SIM request is not useful. When you are able to access My Account for SIM change, you can access the phone number and email there without trouble. So, there is no added security with the mask

Re: SIM Swap Fraud: 2 factor-authentication

sa7375 — Wed, 14 Jul 2021 16:11:14 GMT

A suggestion for PM to Consider

When a user changes his SIM, PM should automatically and immediately send the user an SMS as well as an email that your SIM card number has been changed. There is a good chance that the user will get one of the two — either the SMS or the email — and be alarmed in time to initiate actions that you suggest.

The banks, the email providers like Gmail etc, already do this when a user changes the password or other critical account changes.

Re: SIM Swap Fraud: 2 factor-authentication

Anonymous — Wed, 14 Jul 2021 16:31:36 GMT

@hTideGnow wrote:

but one observation, masking out the phone number and email at the SIM request is not useful. When you are able to access My Account for SIM change, you can access the phone number and email there without trouble. So, there is no added security with the mask

This is insightful. Simply that masking is pointless here. I still think the 4 digit PIN would have been a better solution. But at least we have something more self-serve, not needing the mods.

The weak point is still the email. Someone could have already hacked your email. The not so weak point is whether someone has stolen the phone with the SIM in it and wants to take control of the account or port out afterwards.

Come to think of it...no I don't like this solution. But again...it's more self-serve now. I guess we'll see how often SIM-jacking and port-outs will occur.

Re: SIM Swap Fraud: 2 factor-authentication

SD08 — Wed, 14 Jul 2021 16:28:04 GMT

Thanks to PM for adding this balance between customer convenience and security.

Re: SIM Swap Fraud: 2 factor-authentication

ShawnC13 — Wed, 14 Jul 2021 16:37:42 GMT

Great news Jade!!! Glad to have this feature back and will help the members so much!

Re: SIM Swap Fraud: 2 factor-authentication

softech — Wed, 14 Jul 2021 17:35:44 GMT

I agree with @Anonymous

We seen before that people got simjacked and unable to logon to My Account. So, either their My Account was compromised first or the email was first compromised and then My Account.

But of course, many people requiring SIM swap because they lost their phone or the old SIM was broken and hence they were unable to receive the SMS and an alternate way is needed, sadly in this case, email....

Let's see how it goes and hope for the best.

Re: SIM Swap Fraud: 2 factor-authentication

BlueB — Wed, 14 Jul 2021 17:37:02 GMT

Great to see that the option for self-serve SIM Swap is back... particularly for @darlicious's significant other who seems to go through a new SIM every month! 😂

In terms of security, I agree that time will tell whether this is an effective solution or not. It's a great step in the right direction, and the added challenge will definitely make things more secure. How secure it really is will all depend... if somebody really wants access to your account/SIM/whatever, there are many ways of doing it through any variety of ways, social engineering, technical espionage, or however else.

Re: SIM Swap Fraud: 2 factor-authentication

smp99 — Wed, 14 Jul 2021 18:11:42 GMT

I may be missing something here but I think a 2FA using an Authenticator application that supplies a 6 digit code every 30sec or so, would have been an ideal solution.

Re: SIM Swap Fraud: 2 factor-authentication

BlueB — Wed, 14 Jul 2021 18:16:18 GMT

@smp99

While a TOTP code (or similar) is a good idea, the "ideal solution" is often tricky to define. In particular, the logistics behind it would be difficult.

For example, let's say this is set up upon activation. Will the average Public Mobile user know how this works? If the user changes phones or loses their phone, how would they have access to the application? This would need to be set up well in advanced and maintained by the user (and Public Mobile). There are also backend considerations for Public Mobile to maintain... more systems and maintenance = higher cost.

Although it's one secure way of handling things, not sure how feasible it actually would be. The moderators here have been very helpful with problems, and I think it's a small inconvenience for us to involve them for the "occasional" SIM card swap (and now- self serve!) than to pay more every month because this would surely increase the expenses on their end. 🙂

Re: SIM Swap Fraud: 2 factor-authentication

will13am — Wed, 14 Jul 2021 18:23:22 GMT

It is nice to see this feature make a come back in the self serve and with security feature this time.

Re: SIM Swap Fraud: 2 factor-authentication

Haiggy — Wed, 14 Jul 2021 18:30:56 GMT

Another step would be that since Public Mobile is all prepaid, you do not need to use your real name on the account, and can be updated to your real name later if you actually did want to make a legitimate port-out request yourself.

Re: SIM Swap Fraud: 2 factor-authentication

darlicious — Wed, 14 Jul 2021 18:42:28 GMT

@J_PM

It's good to see pm has implemented a compromise between customer self-serve and account security. However given some of the observations by fellow members that 2FA may not be possible or a customer does not have access to their account or possibly has not created one does the ability to perform a sim swap with the moderators operate in the same manner?

Seeing as I have performed this action more than probably anyone here and do so on behalf of the bf who hasn't a clue how to do any of this..... I cannot perform a sim swap for him if the phone or sim card is lost. Why is there no possibility of recieving the code via a phone call? It makes the verification code accessible without the device and the lost/stolen feature has suspended service.

Could we not have an option to change the email and/or phone number used for 2FA? As its been pointed out the blanked out email and phone number is already accessible in the account and a likely source of a breach or hacker or a thief. From an account management side without access to the phone or email it makes a sim swap within the account a non-starter. Not having the phone call option is a huge oversight in my opinion.

I still believe having the ability to change the login username from the accounts email would greatly improve account security especially since that ability to perform that action already exists.

@BlueB

The bf did indeed go thru entire last 30 day cycle without enabling lost/stolen and had his rewards actually apply upon renewal! The second time in 22 months that I did not have to contact the moderators to have them applied manually.

Re: SIM Swap Fraud: 2 factor-authentication

darlicious — Wed, 14 Jul 2021 18:46:13 GMT

@Haiggy

At no time do you have to use your real name to activate and create your pm account. You can edit those details of your profile at anytime by logging into your self serve account. Changing the account holder name has been employed as an effectuve means of preventing fraudulent ports.