Community

Catherine_T · ‎02-05-2021

*July 14, 2021 Update*

We are pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account.

We temporarily disabled all online SIM swaps in March, to protect our customers from SIM swap fraud.

We have now implemented an additional step in the form of a 2 factor-authentication code to secure this process.This code can be sent via SMS or email, and must be verified to complete the SIM swap.

For more details, please see below.

All the information below can be found in this Help Article.

---------------------------------

*March 8, 2021 Update*

To protect our customers from SIM swap fraud, we have temporarily disabled all online SIM swaps through Self-serve. To change your SIM card, please submit a ticket here

Customer safety and security is our priority, and we are working on permanently securing the online SIM swap process. In the meantime, we recommend that you continue following the steps outlined below to protect against fraudulent activities.

-------------------------------

Hey Community,

We’ve noticed some cases of SIM swap fraud, and wanted to help our customers better understand what SIM swap fraud is, what to do if you’ve been targeted, and how to prevent it in the future.

All the information below can be found in this Help Article.

What is SIM swap fraud?

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information is on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts.

How does SIM swap fraud happen?

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account.

What do I do if I’ve been targeted by SIM swap fraud?

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

Put your phone into Lost/Stolen mode to suspend the fraudster’s service, to do this follow the below steps:

Log in to you Self-Serve account
Go to Plans and Add-Ons, then select “lost/stolen phone”
Select “suspend service”

Then, submit a ticket here - our Moderator team will be able to restore your original SIM card.
We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately.
You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free:1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

How to protect against SIM swap fraud?

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information.
Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all. We also recommend that you change your passwords, including your Self-Serve password regularly.
Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity.

- The Public Mobile Team

HALIMACS · ‎02-05-2021

@kb_mv wrote:
@Anonymous wrote:
@kb_mv : I was rightly corrected on that idea that well what about a lost or stolen phone? There's no receiving an SMS then. So I retreated back to the idea of the PIN required when changing the SIM.
@Anonymous I had not considered that. PIN it is....

It is absolutely up to PM to do everything reasonably possible to stop SIM swapping from happening at source. I'm not fully convinced they are. It is THEIR systems (and/or Mod's - hope not???) which are allowing an unauthorized user to make significant and impactful changes to their REAL customer's accounts.

It is equally important for ALL users to do the same diligence - and some have no clue (even after extensive coaching) how to mitigate against themselves from being a target.

This message from PM is a small start in that it at least recognizes that PM considers this to be worthy of air-time on the Community. But what about all those users who could care less to read or follow Community postings? Indeed, it seems most SIM hack victims result in users creating a Community account after the hack to plead for help.

@Anonymous , with a PIN option, if the hacker sent a Mod request to change the PIN before doing anything, how does that get processed & get communicated back to the rightful customer? Is it via text to the registered phone number or by private message to the user's attached Community account?

kb_mv · ‎02-05-2021

@Anonymous wrote:
@kb_mv : I was rightly corrected on that idea that well what about a lost or stolen phone? There's no receiving an SMS then. So I retreated back to the idea of the PIN required when changing the SIM.

@Anonymous I had not considered that. PIN it is....

Anonymous · ‎02-05-2021

@kb_mv : I was rightly corrected on that idea that well what about a lost or stolen phone? There's no receiving an SMS then. So I retreated back to the idea of the PIN required when changing the SIM.

kb_mv · ‎02-05-2021

@Camera4617 @Anonymous I wonder how difficult it would be to implement the SMS authorization that is used for port outs to this?

Camera4617 · ‎02-05-2021

@Anonymous I'm the same, I like doing as much as I can do on my own. But the question here is how often do you do this? I have a cell phone for 20 years and never had to change SIM (unless I changed provider). This just makes it easier for SiM hijacking. So, if PM cannot protect me by adding some extra layer of security like pin, sending code to phone or separate password for SiM change, then I'd rather not to have that feature.
Some other 'small' things.. I'm trying to change my password and just getting 'incorrect password format'. Turns out it is that password cannot be longer than 20 characters. But why? And why PM doesn't tell me that. What does it cost them to store extra few bites of data and our accounts will be more protected to start with.

softech · ‎02-05-2021

@RobertQc we have member got simjacked earlier and the mod gave these phone numbers:

647-837-7030.
1-844-474-4141

but honest.. not useful. It goes straight to the voicemail. It didn't just say reply within 48 hours.. it says 2 business days!!!

RobertQc · ‎02-05-2021

@softech wrote:

I know there also 2 Fraud Hotlines.. sounds great.. BUT.. we called there

@softech Where did you find these numbers to call? I know the numbers for Canadian Anti-Fraud / Equifax / Transunion. But the numbers for telus/bell fraud. I would like to write them down. Thx

softech · ‎02-05-2021

@Catherine_T you have a link to sumbit a ticket, which is in fact still just the Chatbot (Originally I was so happy I thought PM started a new ticket system/queue for SIM Swap...sadly not!!) Can you confirm how quick your team will response? Issue now is it takes way too loooooooooong for mod to reply in such situation.

I understand the SLA is 48 hours, it is ok for normal Q&A, but in case of SIM Swap Fraud (or also other Fraud issues), can't you prioritize the ticket and have a better response time like within 2 hours?

I know there also 2 Fraud Hotlines.. sounds great.. BUT.. we called there, it goes directly to voicemail. the voice mail message also clearly said you will reply within 48 hours. So, the hotline is not so hot afterall. (Imagine you call 911 and you got a voicemail saying they will call back within 8 hours.. )

Also, responding within 48 hours is not the worst part. As you know, these ticket has lots of back and forth. The first response is within 48 hours and you asked the user some questions. They reply it and chances are it will be at least another 2-8 hours wait if not 48 hours. This back and forth at least 2 or 3 times so issue wouldn't get resolve for at least 3 or 5 days. For Fraud related issue, I think it is too long.

I hope PM will give a high priority to SIM Fraud ticket and will agree to response A LOT quicker.

thanks

Anonymous · ‎02-05-2021

@Camera4617 : I like doing as much as possible myself with my account. I don't like going cap in hand to beg and plead and wait for some moderator to get around to my request. It's now quite silly that we have to ask moderators for a Telus/Koodo port. Come on, we're all in the same company. If anything, it should be the other way around. Or to change the email on the account. etc.

Camera4617 · ‎02-05-2021

@Anonymous I fully agree with your statement. All mentioned in original post is something that we (who visit forum often) know on how to protect ourselves, but what PM is doing to protect us. If you ask me, SiM swapping should not even be a feature on site, or if it is there then it should be protected separately from login password. I'd prefer to be asked to go to store and change it there if I have to and I don't see need to do this often if ever. Phone number is 'critical' part of our identity and wanted or not, we have to use it for many things.

smp99 · ‎02-05-2021

Hey Community,

How to protect against SIM swap fraud?

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

4-Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

This point alone about not using your cell number as a 2FA method I feel is one of the main points people should take from this very good post. If you are a victim of SIM-Swap, the "I forgot my password" reset info on any number of websites, would be sent to the fraudsters device and not yours.

What would be really nice is if PM offered 2FA using an Authenticator app for its own SelfServe Accounts.

Thanks for this good explanation. Hopefully it will help some.

Anonymous · ‎02-05-2021

@Catherine_T : How about some actual news. How about a real announcement of how you actually care about your customers and have implemented a PIN at the point of Change SIM?

This whole rambling thing is old news and doesn't do or say anything useful. We all already know this and have been saying all of this time and again as these frauds have mounted in numbers.

If you cared, you would have implemented the porting confirmation on your own rather than waiting for the CRTC to mandate it. If you cared you would implement a PIN required at the point of an account using the Change SIM function on your own rather than waiting for the CRTC to mandate it (if they do).

Just do it. If you care. Otherwise, it's all useless fluff to put up appearances.

RobertQc · ‎02-05-2021

@Catherine_T wrote:
Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account.

@Catherine_TIf they are gaining our self-serve account access by knowing our password, why wouldn't they change the password first so we can't lock them out?

Seems like a fail on their part, till they smarten up.

What do we do when they start changing our password / account information before sim swap and we can't even prove the account is ours to reset our password?

Triguy · ‎02-05-2021

It is good to know that PM is aware of it but customers have to be vigilant about their own personal information and online security.

computergeek541 · ‎02-05-2021

@kaytus wrote:
Finally, it posted the official post about the SIM Swap.

Thank you MOD.

Have a wonderful day

Catherine_T isn't moderator. She is in the marketing department and is the Commmunity manager.

computergeek541 · ‎02-05-2021

Thanks for acknowledging this. It's important to remember that customers need to take responsibility for the secuirty of their own accounts.

@Catherine_T

I think a serious issue that needs to be address is how the private messaging screen and the post a new message screen look almost identical. I do not know if that would be your department or @David_J who would look into that, but I even find myself that I sometimes have to take another look if I'm sending a message privately or if I'm posting in the message forum.

kaytus · ‎02-05-2021

Finally, it posted the official post about the SIM Swap.

Thank you MOD.

Have a wonderful day