cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
z10user4
Mayor / Maire

Re: SIM Swap Fraud: 2 factor-authentication


@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account.


 @darlicious : Payment card entry seems to want real information. But then the name and address is not visible after that.

I agree not to login using an email address. Especially when it's a key to the account.

I still have reservations about the email address verification method. The SMS would need a phone and SIM...why is one replacing the SIM?...it's gone. They almost never "go bad". So SMS is mostly useless. That leaves email. I repeat...PIN at clicking Change SIM. Can't see the last 4 yet.

darlicious
Mayor / Maire

Re: SIM Swap Fraud: 2 factor-authentication

@z10user4 

Agreed. When using lost/stolen to suspend the bf can still get important verification codes from anyone offering the voicecall option which is most financial institutions and credit cards.

 

If you use a credit card.....and if it happens to be yours.....

SD08
Retired Oracle / Oracle Retraité

Re: SIM Swap Fraud: 2 factor-authentication


@z10user4 wrote:

@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account.


 @darlicious : Payment card entry seems to want real information. But then the name and address is not visible after that.

 


@z10user4   I've had my credit card name not match the name on the self-serve account before and I was able to leave it like that for many months. Perhaps it doesn't matter until it comes time to actually charge the credit card, but you can get around that by having the names match when you top up enough to cover several months in advance, and then change the account name for the rest of the time until you need to top up again.

z10user4
Mayor / Maire

Re: SIM Swap Fraud: 2 factor-authentication

 @SD08 : Slight difference. The profile info can be anything. The credit card entry (yes darlicious..._almost_ always) needs to have the right info. That screen and the profile screen don't need to match. But I have read of one regular who said the names needed to match. But that's not been my experience.

darlicious
Mayor / Maire

Re: SIM Swap Fraud: 2 factor-authentication

@SD08 

The name on the credit card does not need to match the name on the account. It only needs to match with the credit card issuers info on their account. In the case of a gift card it doesn't need to match anything if that info is not linked to the card.

BlueB
Town Hero / Héro de la Ville

Re: SIM Swap Fraud: 2 factor-authentication

@darlicious 

Wow, he survived a full cycle???  First time in 22 months - seriously a momentous occasion to celebrate!  I still struggle to understand how someone needs to go through something so regularly.  Heaven forbid you lend him your car... you'll need to report it lost and replace it atleast 5-6x a year!!! ...the mods must also love you! 😂

 

As for the voice option - I think that's a great idea too.  I'm not sure about it being an oversight, because how often do people actually need their SIMs changed, or similar service performed (requiring 2FA)?  The reason I ask this because sending an email or SMS is relatively simple from a systems implementation perspective.  A voice call, however, isn't so simple, requiring an additional voice/IVR system... (and we all know how I feel about additional 'stuff' - potentially higher prices.)

 

The underlying authentication design of how there are atleast 3 different "accounts" for example, could be improved, which goes back to your point about changing login usernames/etc.  I suppose a mod could do this, but how often do we usually need to do this too?

darlicious
Mayor / Maire

Re: SIM Swap Fraud: 2 factor-authentication

@BlueB 

I believe they have now disabled it but their was an option to change your self serve account email. The problem was it didn't change it on the back end so password resets got sent to the original email address. Which is probably the original design of that function was to give the account holder the ability to change the login username to not another email but username only they know and if a password reset is needed it gets sent to the accounts registered email as intended.

daki28
Model Citizen / Citoyen Modèle

Re: SIM Swap Fraud: 2 factor-authentication

I think this is a decent solution for now. Is it perfect, probably not but it will give users option to change sim card if they need to do it. I'm not in favor of having pin as that is additional piece of information most of users will not remember/take a note of, so having SMS or email should be ok. I'm reading about possibility of 'hacked email' and I must say that in that case I'm not sure how PM can help you. We need to protect ourselves in multiple ways like with using strong unique passwords, 2FA for critical logins (email, bank, etc). Having option to get an email is probably even better than SMS cause most of people will actually need this to either replace missing or broken SIM card, so not being able to receive SMS to start with. Maybe just we could have an option to add a separate recovery email that would be 'masked' and not visible to somebody who logged in into your account. 

BlueB
Town Hero / Héro de la Ville

Re: SIM Swap Fraud: 2 factor-authentication

@darlicious 

Yes, I know what you're referring to and believe that function is still there (thanks to @z10user4 for pointing that out to me).  Again, too complicated and at this point............!

 

@daki28 

I agree that this is a good solution for now.  The more Public Mobile has to set up and maintain, the higher the risk that we'll see some price increases or some sort!  🙂

Haiggy
Model Citizen / Citoyen Modèle

Re: SIM Swap Fraud: 2 factor-authentication


@darlicious wrote:

@Haiggy 

At no time do you have to use your real name to activate and create your pm account. You can edit those details of your profile at anytime by logging into your self serve account. Changing the account holder name has been employed as an effectuve means of preventing fraudulent ports.


Yes, that's exactly what I was trying to say. If you wanted to port out, you'd likely want your name to match the request though, so you'd have to change it at that point only when you're ready to initiate a (legitimate) port-out request yourself.

Need Help? Let's chat.