cancel
Showing results for 
Search instead for 
Did you mean: 

SIM Swap Fraud: 2 factor-authentication

J_PM
Public Mobile
Public Mobile

Hey Community, 

 

We’re pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account

 

We have now implemented an additional step in the form of a 2 factor-authentication code to secure this process. This code can be sent via SMS or email, and must be verified to complete the SIM swap.

 

For more details, please see below.

 

Jade_S_0-1626272276129.png

 

All the information below can be found in this Help Article. 

 

What is SIM swap fraud?

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information is on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts. 

 

How does SIM swap fraud happen? 

 

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account. 

 

How do I know if I’ve been targeted by a SIM swap fraud?

 

You may have been a target of SIM swap fraud if you have suddenly lost service for no apparent reason. If this is the case, please follow the below steps to confirm your SIM card information has not changed. 

 

  1. Log in to your Self Serve account 
  2. Select “Change SIM card” from the main page

Jade_S_1-1626272013870.png

 

 

  1. Confirm that the last four digits of the SIM card in Self Serve match the one in your device. If the digits do not match, you may have been targeted by a SIM swap fraud.

 

What do I do if I’ve been targeted by SIM swap fraud?

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

  • Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

 

  • Put your phone into Lost/Stolen mode to suspend the fraudster’s service, to do this follow the below steps: 
    • Log in to you Self-Serve account
    • Go to Plans and Add-Ons, then select “lost/stolen phone”
    • Select “suspend service”

 

 

Jade_S_2-1626272013568.png

 

 

  • We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately. 
  • You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free:1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

 

How to protect against SIM swap fraud? 

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

  1. Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information. 
  2. Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
  3. Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all.  We also recommend that you change your passwords, including your Self-Serve password regularly.
  4. Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

 

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity. 

 

- The Public Mobile Team



 

43 REPLIES 43

@clarad001 

Do this....

 

  1. Clear your browser.
  2. Reboot your device.
  3. Open one tab only.
  4. Use secret/incognito mode.
  5. Firefox, chrome or safari work best.

All else fails the CSA's can still swap the SIM card for you.

clarad001
Great Neighbour / Super Voisin

I am not able to swap my sim card, I recently lost my phone and I keep getting an error screen. its been all day

 

clarad001_0-1628205351254.png

 

 

 

homer
Model Citizen / Citoyen Modèle

Good job! Even with 2FA, people also need to refrain from giving your verification code to anyone suspicious. 

@Pawprints1986 

 

2FA is currently for SIM number changes. I will certainly pass along your sentiments for porting to the broader team. 

 

Thank you, 

Jade 

sa7375
Town Hero / Héro de la Ville

More info on SIM Swap Fraud in an article sponsored by Mozilla Firefox.

 

Read this, not in isolation, but as a complement to the article by @J_PM posted at the beginning of this thread. 

 

@LGme 

If your card has been charged but the sim cards are not working you have likely activated the accounts but the sim cards did not provision correctly. This happens occasionally. You will need to contact the moderators to reprovision the sim cards to each account.

 

Use the information from the first account/sim card to contact the moderators with and you can then communicate the info for the second account. You should recieve a response in under an hour from what I have noticed today.

 

Send a private message...   Contact the moderators by sending a private message and leave a detailed message explaining your issue and the info to verify your account by including the following information:  

 

  1. Full name and address on pm account. ( Or province and postal code for newer accounts.)
  2. Email, phone # and pin #.

 

If  you cannot remember your pin # include at least three ( if they apply)of the following:

 

  1.  Date of birth (n/a on newer accounts.)
  2. Last payment, date, amount, type and last 4 digits.
  3. Alternate phone number if any.
  4. Security question and answer.
  5. Plan amount, any add ons or promos on account.
  6. Last 4 digits of sim card.
  7. Any rewards in your account.
  8. Autopay y/n?
  9. Account #.
  10. Frequently called/texted phone numbers in the last 30 days.  

 

The average wait time is 2 to 4 hours but be prepared to wait up to 48 hours for non urgent requests. Current wait times are about one hour and are probably even less as I have had some very quick responses in tne past week.

 

Keep an eye on your private message box the envelope icon next to your avatar for a little number to pop indicating a message from the moderators. Responding promptly will speed up service times.

 

 Do not post any of this info in the community only in your private messages when communicating or contacting the Moderator_Team.

 

  To send a private message to the moderators click below : https://productioncommunity.publicmobile.ca/t5/notes/composepage/note-to-user-id/22437

Yummy
Mayor / Maire

@LGme wrote:

 Please resolve the problem by today or I will submit a google review accordingly to my terrible experience with Public Mobile.

my cell number is: 647-***-****

 

Edited by moderator *


Madam/Sir.

Please, understand this forum is not monitored nor resolution provided by Public Mobile staff.

Every answer or attempt to assist is provided by PM customers like you and me.

There is no need to threaten or be upset. It will not work.

As 'softech' suggested, please provide more info what you did in order for the rest of us to help you out.

If we are NOT able to assist, way to contact Moderators will be provided.

 

P.S. Never post personal info in public forum...

@LGme  did you use 2 different email addresses for the 2 accounts?

Did you request porting or just picked new numbers?

 

did you put your SIM into a phone and try it?  If so, what is showing on top of the screen?  did it show Public Mobile?

 

 

LGme
Great Neighbour / Super Voisin

Hello;

I tried to activate 2 SIM cards for my kids and it wasn't been successful, but it appear the charges on my credit cards, every attempt I did they still charge to the credit cards but it never work the activation.   could you pleaser resolve this problem, ASAP, I am very upset, and I am getting very frustrated, since I can call you guys or nothing.   Please resolve the problem by today or I will submit a google review accordingly to my terrible experience with Public Mobile.

my cell number is: 647-***-****

 

Edited by moderator *

BearFBI
Deputy Mayor / Adjoint au Maire

@Korth True, and that's a good point. 

@BearFBI 

 

You and I and others have suggested this sort of implementation many times in the past.

 

It's not completely bulletproof security. But every barrier they install will help reduce the number of victims for these sorts of thefts.

 

Think of things from the perspective of a thief. How would you go about stealing your own phone number, account, information, or passwords? Or perhaps, how would go about stealing them from your partner, one of your friends, a friend-of-a-friend acquaintance?

 

This form of authentication is basically just a small improvement from before ... now the thief needs to know your Self-Serve login and have access to your device (along with it's screenlock PIN/code/etc) to steal your service. If you've been targeted, you've been lazy or sloppy, or you've trusted the wrong person(s) then this added barrier won't stop you from still being a victim.

BearFBI
Deputy Mayor / Adjoint au Maire

Wow nice work ! 

 

This is the first ever thing Public implemented that I actually suggested once. 

 

This was definitely needed !

carlaspapa
Town Hero / Héro de la Ville

@J_PM 

It's good to hear that public mobile is keeping our accounts secure. Not that I've had to use it but it's good to have the same change feature back in our accounts.

Pawprints1986
Town Hero / Héro de la Ville

Will this 2fa be applied to porting as well? If you don't need to change your Sim? Isn't it as of now that you need to see a text within x amount of time (and account name and such match your correct legal info?)

 

I'm just wondering if this change makes both processes more secure, or just Sim number changes? 

Haiggy
Model Citizen / Citoyen Modèle

@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account. You can edit those details of your profile at anytime by logging into your self serve account. Changing the account holder name has been employed as an effectuve means of preventing fraudulent ports.


Yes, that's exactly what I was trying to say. If you wanted to port out, you'd likely want your name to match the request though, so you'd have to change it at that point only when you're ready to initiate a (legitimate) port-out request yourself.

BlueB
Deputy Mayor / Adjoint au Maire

@darlicious 

Yes, I know what you're referring to and believe that function is still there (thanks to @Anonymous for pointing that out to me).  Again, too complicated and at this point............!

 

@daki28 

I agree that this is a good solution for now.  The more Public Mobile has to set up and maintain, the higher the risk that we'll see some price increases or some sort!  🙂

daki28
Model Citizen / Citoyen Modèle

I think this is a decent solution for now. Is it perfect, probably not but it will give users option to change sim card if they need to do it. I'm not in favor of having pin as that is additional piece of information most of users will not remember/take a note of, so having SMS or email should be ok. I'm reading about possibility of 'hacked email' and I must say that in that case I'm not sure how PM can help you. We need to protect ourselves in multiple ways like with using strong unique passwords, 2FA for critical logins (email, bank, etc). Having option to get an email is probably even better than SMS cause most of people will actually need this to either replace missing or broken SIM card, so not being able to receive SMS to start with. Maybe just we could have an option to add a separate recovery email that would be 'masked' and not visible to somebody who logged in into your account. 

@BlueB 

I believe they have now disabled it but their was an option to change your self serve account email. The problem was it didn't change it on the back end so password resets got sent to the original email address. Which is probably the original design of that function was to give the account holder the ability to change the login username to not another email but username only they know and if a password reset is needed it gets sent to the accounts registered email as intended.

BlueB
Deputy Mayor / Adjoint au Maire

@darlicious 

Wow, he survived a full cycle???  First time in 22 months - seriously a momentous occasion to celebrate!  I still struggle to understand how someone needs to go through something so regularly.  Heaven forbid you lend him your car... you'll need to report it lost and replace it atleast 5-6x a year!!! ...the mods must also love you! 😂

 

As for the voice option - I think that's a great idea too.  I'm not sure about it being an oversight, because how often do people actually need their SIMs changed, or similar service performed (requiring 2FA)?  The reason I ask this because sending an email or SMS is relatively simple from a systems implementation perspective.  A voice call, however, isn't so simple, requiring an additional voice/IVR system... (and we all know how I feel about additional 'stuff' - potentially higher prices.)

 

The underlying authentication design of how there are atleast 3 different "accounts" for example, could be improved, which goes back to your point about changing login usernames/etc.  I suppose a mod could do this, but how often do we usually need to do this too?

@SD08 

The name on the credit card does not need to match the name on the account. It only needs to match with the credit card issuers info on their account. In the case of a gift card it doesn't need to match anything if that info is not linked to the card.

Anonymous
Not applicable

 @SD08 : Slight difference. The profile info can be anything. The credit card entry (yes darlicious..._almost_ always) needs to have the right info. That screen and the profile screen don't need to match. But I have read of one regular who said the names needed to match. But that's not been my experience.

SD08
Retired Oracle / Oracle Retraité

@Anonymous wrote:

@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account.


 @darlicious : Payment card entry seems to want real information. But then the name and address is not visible after that.

 


@Anonymous   I've had my credit card name not match the name on the self-serve account before and I was able to leave it like that for many months. Perhaps it doesn't matter until it comes time to actually charge the credit card, but you can get around that by having the names match when you top up enough to cover several months in advance, and then change the account name for the rest of the time until you need to top up again.

@Anonymous 

Agreed. When using lost/stolen to suspend the bf can still get important verification codes from anyone offering the voicecall option which is most financial institutions and credit cards.

 

If you use a credit card.....and if it happens to be yours.....

Anonymous
Not applicable

@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account.


 @darlicious : Payment card entry seems to want real information. But then the name and address is not visible after that.

I agree not to login using an email address. Especially when it's a key to the account.

I still have reservations about the email address verification method. The SMS would need a phone and SIM...why is one replacing the SIM?...it's gone. They almost never "go bad". So SMS is mostly useless. That leaves email. I repeat...PIN at clicking Change SIM. Can't see the last 4 yet.

@Haiggy 

At no time do you have to use your real name to activate and create your pm account. You can edit those details of your profile at anytime by logging into your self serve account. Changing the account holder name has been employed as an effectuve means of preventing fraudulent ports.

@J_PM 

It's good to see pm has implemented a compromise between customer self-serve and account security. However given some of the observations by fellow members that 2FA may not be possible or a customer does not have access to their account or possibly has not created one does the ability to perform a sim swap with the moderators operate in the same manner?

 

Seeing as I have performed this action more than probably anyone here and do so on behalf of the bf who hasn't a clue  how to do any of this..... I cannot perform a sim swap for him if the phone or sim card is lost. Why is there no possibility of recieving the code via a phone call? It makes the verification code accessible without the device and the lost/stolen feature has suspended service.

 

Could we not have an option to change the email and/or phone number used for 2FA? As its been pointed out the blanked out email and phone number is already accessible in the account and a likely source of a breach or hacker or a thief. From an account management side without access to the phone or email it makes a sim swap within the account a non-starter. Not having the phone call option is a huge oversight in my opinion.

 

I still believe having the ability to change the login username from the accounts email would greatly improve account security especially since that ability to perform that action already exists.

 

@BlueB 

The bf did indeed go thru entire last 30 day cycle without enabling lost/stolen and had his rewards actually apply upon renewal! The second time in 22 months that I did not have to contact the moderators to have them applied manually.

Haiggy
Model Citizen / Citoyen Modèle

Another step would be that since Public Mobile is all prepaid, you do not need to use your real name on the account, and can be updated to your real name later if you actually did want to make a legitimate port-out request yourself.

will13am
Oracle
Oracle

It is nice to see this feature make a come back in the self serve and with security feature this time.  

BlueB
Deputy Mayor / Adjoint au Maire

@smp99 

While a TOTP code (or similar) is a good idea, the "ideal solution" is often tricky to define.  In particular, the logistics behind it would be difficult.

 

For example, let's say this is set up upon activation.  Will the average Public Mobile user know how this works?  If the user changes phones or loses their phone, how would they have access to the application?  This would need to be set up well in advanced and maintained by the user (and Public Mobile).  There are also backend considerations for Public Mobile to maintain... more systems and maintenance = higher cost.

 

Although it's one secure way of handling things, not sure how feasible it actually would be.  The moderators here have been very helpful with problems, and I think it's a small inconvenience for us to involve them for the "occasional" SIM card swap (and now- self serve!) than to pay more every month because this would surely increase the expenses on their end.  🙂

smp99
Deputy Mayor / Adjoint au Maire

I may be missing something here but I think a 2FA using an Authenticator application that supplies a 6 digit code every 30sec or so, would have been an ideal solution.