SIM Swap Fraud

Catherine_T
Retraité / Retired

*July 14, 2021 Update*

 

We are pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account.

 

We temporarily disabled all online SIM swaps in March, to protect our customers from SIM swap fraud.

 

We have now implemented an additional step in the form of a two-factor authentication code to secure this process. This code can be sent via SMS or email, and must be verified to complete the SIM swap.

 

For more details, please see below.

 

Jade_S_1-1626272487403.png

 

All the information below can be found in this Help Article. 

 

---------------------------------

 

*March 8, 2021 Update*

To protect our customers from SIM swap fraud, we have temporarily disabled all online SIM swaps through Self-serve. To change your SIM card, please submit a ticket here.

 

Customer safety and security is our priority, and we are working on permanently securing the online SIM swap process. In the meantime, we recommend that you continue following the steps outlined below to protect against fraudulent activities.

 

-------------------------------

 

Hey Community,

 

We’ve noticed some cases of SIM swap fraud, and wanted to help our customers better understand what SIM swap fraud is, what to do if you’ve been targeted, and how to prevent it in the future. 

 

All the information below can be found in this Help Article. 

 

What is SIM swap fraud?

 

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information are on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts. 

 

How does SIM swap fraud happen? 

 

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account. 

 

What do I do if I’ve been targeted by SIM swap fraud?

 

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

  • Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

 

  • Put your phone into Lost/Stolen mode to suspend the fraudster’s service. To do this, follow the steps below:
    • Log in to your Self-Serve account
    • Go to Plans and Add-Ons, then select “lost/stolen phone”
    • Select “suspend service”

 

Catherine_T_1-1612535117310.png

 

 

  • Then, submit a ticket here - our Moderator team will be able to restore your original SIM card. 
  • We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately. 
  • You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free: 1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

 

How to protect against SIM swap fraud? 

 

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

  1. Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information. 
  2. Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
  3. Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all.  We also recommend that you change your passwords, including your Self-Serve password regularly.
  4. Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

 

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity. 

 

- The Public Mobile Team
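
The July 14, 2021 update above describes a code, sent via SMS or email, that must be verified to complete a SIM swap. The following is an added example, not Public Mobile's code: it shows one way such a step can be built so that a short numeric code resists guessing (single use, expiry, limited attempts). The class and function names, the 6-digit length, the 10-minute window and the 5-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values; the announcement does not state the real ones.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


def code_digest(salt: bytes, code: str) -> bytes:
    """Keyed hash so the stored record never contains the code itself."""
    return hmac.new(salt, code.encode("utf-8"), hashlib.sha256).digest()


class SimChangeGate:
    """Holds a requested SIM change until its one-time code is verified."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}     # account id -> pending request
        self.active_sim = {}  # account id -> SIM currently on the account

    def request_change(self, account_id: str, new_sim: str, channel: str) -> str:
        if channel not in ("sms", "email"):
            raise ValueError("channel must be 'sms' or 'email'")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # A new request replaces any older one, so only one code is ever valid.
        self.pending[account_id] = {
            "new_sim": new_sim,
            "salt": salt,
            "digest": code_digest(salt, code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        # Returned for the delivery service only; never echoed to the web session.
        return code

    def confirm_change(self, account_id: str, submitted: str) -> str:
        req = self.pending.get(account_id)
        if req is None:
            return "no_pending_request"
        if self.clock() > req["expires"]:
            del self.pending[account_id]
            return "expired"
        req["attempts_left"] -= 1
        expected = req["digest"]
        if hmac.compare_digest(expected, code_digest(req["salt"], submitted)):
            self.active_sim[account_id] = req["new_sim"]
            del self.pending[account_id]  # single use
            return "sim_changed"
        if req["attempts_left"] == 0:
            del self.pending[account_id]  # forces a fresh code after lockout
            return "locked"
        return "wrong_code"
```

With these assumed values, someone who holds the account password but cannot read the delivery channel gets at most 5 guesses in 1,000,000 per issued code.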

 

197 REPLIES


@ShawnC13 wrote:

@Camera4617 wrote:

That's what I said earlier, if PM cannot do some extra protection, just remove it. My tradeoff if I ever need this option (and for 20 years haven't had) is to go to store and do it there. Prove your identity somehow and it's all good.


What store would you be going to and who are you showing your identity to?  None of the retail locations have account access, even the PM Kiosks can only do setup and nothing to do with account issues.  Or are you saying pick up a sim at a retailer and then prove identity to the PM Moderators (which could still take 48 hours *or more*)

 

The PIN option mentioned seems like a reliable, responsible way ahead now it is to see if PM can implement and we know that around here it is at about the same speed the government implements practical solutions.


I agree that this would be more secure, but how would someone even know that the person processing the changes is trustworthy?  There also is the problem with if this is what's required to perform a SIM card change, it'll inconvenience customers to the point that they might switch to a different carrier if they absolutely have to go to the store.


@Jb456 wrote:

Just remove "change sim" from the account. If legit people need to change their sim card then they open a ticket for moderators. Problem solved!


I don't have perfect answers, but all that's required to verify account ownership are either the self serve credentials or the account PIN. Someone who's able to perform a SIM swap would already have that information anyway.


@kb_mv wrote:

@will13am @Anonymous We already have the PIN associated with our account, so they wouldn't be starting from scratch on implementing this.


The difficulty with the PIN is how it's only 4 digits.  Also, when it starts being used on a wide scale, that can become more of an opportunity of people who shouldn't have the PIN being able to use it to gain access through pure exposure to an account.

@mimmo lol you're right I just changed my password recently. not sure why I thought there was an email verification process

 

in that case, it's very interesting that they don't. 🤔


@Anonymous wrote:

@Jb456 wrote:

But if everyone is talking about asking for a PIN.

 

Maybe at the same time PM should fix the 18554Public number where you can access anyone's account. 


Sure. Why not. But again, all anybody can get is Available Funds and due date and redeem all the vouchers they want. But sure. While they're there.


I'd be inclined to side with @Jb456  on this one. 

 

The fact that anyone with another person's cell number can get that person's balance and next due date is disconcerting.  That information may help them 'convince' an unsuspecting Mod that they are the customer, when they may not be...  it's just another piece of a hacker's toolbox. 

 

Yet, Public Mobile still allows that type of access instead of PIN protecting it.

mimmo
Retired Oracle / Oracle Retraité

@gpixel wrote:

they cannot always change the password because they need the email password or sms authentication to work. if they don't have either then changing the password will most likely lock them out.

 


@gpixel are you sure? To change password, all that is asked is existing password. If they got into the account they have your login and password so they can easily change password with two clicks. There is no sms authentication here.

Anonymous
Not applicable

@Jb456 wrote:

But if everyone is talking about asking for a PIN.

 

Maybe at the same time PM should fix the 18554Public number where you can access anyone's account. 


Sure. Why not. But again, all anybody can get is Available Funds and due date and redeem all the vouchers they want. But sure. While they're there.

But if everyone is talking about asking for a PIN.

 

Maybe at the same time PM should fix the 18554Public number where you can access anyone's account. 

Oops.jpeg

Camera4617
Town Hero / Héro de la Ville

@mimmo wrote:

Why not do both pin and remove sim change.

 

My biggest concern / question is why are the hackers not changing passwords once they access the account... Seems counterintuitive to change sim and not account password.

 


@mimmo That is my biggest concern too, as since they are in your account, why not to change password (everyone knows how to do it) and give themselves more time to do what they are after. For me it is more that they change sim without even getting into your account and then no 'good' password can help you. Like they have some 'back door' to do it. 

 

Well, I would love to be 'wrong' here. 

Camera4617
Town Hero / Héro de la Ville

@kb_mv My password is secure as a password can be. I'm an IT professional and I know very well what I do online and how to stay safe. If you think that your 'ArUL46g4dYFKsA' password is 'safe and secure', then good for you. That is a good password if you want to protect yourself from somebody quickly seeing and remembering, but for 'data breach' or computer algorithm, that is just combination of letters and numbers, and it will be cracked at some point if somebody wants to do it. You do your part to protect yourself (as I do) but PM needs to do their part too (as much as they can). And with today's technology, that is not hard nor expensive. That's my point here, not how to 'protect myself'. I'm doing it already. 

mimmo
Retired Oracle / Oracle Retraité

Why not do both pin and remove sim change.

 

PM noticed porting fraud and removed the ability for customers to do it for a year. Why not remove the sim change feature till a more robust method is implemented. I think the inconvenience of messaging mods to request a sim change far outweighs having to contact banks etc...

 

My biggest concern / question is why are the hackers not changing passwords once they access the account... Seems counterintuitive to change sim and not account password.

 

 


@Camera4617 wrote:

I just don't want to keep checking if I have service and my phone number is in danger to be taken. 


@Camera4617 You don't need to keep checking if you have a proper secure password and you practice good online security. If you use your password anywhere else you should go in and change it to something like this: ArUL46g4dYFKsA

 

All of my online accounts have random generated passwords and I feel secure.

Camera4617
Town Hero / Héro de la Ville

@ShawnC13  OK, but that was one of the options and if it is not possible, then something else needs to be done. My point is that need to change SIM card is not something you do all the time and I'm happy to do some extra steps in order to be more 'secure' and not lose phone number. Is that PIN or something else, I'll leave that up to PM. Otherwise, I'm sure many customers will not be happy and stay with them, regardless of great pricing and rewards. I just don't want to keep checking if I have service and my phone number is in danger to be taken.


@Camera4617 wrote:

That's what I said earlier, if PM cannot do some extra protection, just remove it. My tradeoff if I ever need this option (and for 20 years haven't had) is to go to store and do it there. Prove your identity somehow and it's all good.


What store would you be going to and who are you showing your identity to?  None of the retail locations have account access, even the PM Kiosks can only do setup and nothing to do with account issues.  Or are you saying pick up a sim at a retailer and then prove identity to the PM Moderators (which could still take 48 hours *or more*)

 

The PIN option mentioned seems like a reliable, responsible way ahead now it is to see if PM can implement and we know that around here it is at about the same speed the government implements practical solutions.

 


I am happy to help, but I am not a Customer Support Agent please do not include any personal info in a message to me. Click HERE to create a trouble ticket through SIMon the Chatbot *

kb_mv
Mayor / Maire

@dabr As somewhat of a regular I felt the same way when I saw the thread posted. We have seen an awful lot of these recently. I thought PM was going to provide some insight as to what they saw as the way forward. Alas....

When I saw this topic in the Announcement heading, I was initially relieved thinking PM had made some changes which would prevent SIM jacking (at least mostly) from occurring in the first place.  However, that doesn't seem to be case and it's seriously disappointing. 

 

All the information in this announcement is mostly already known by regulars to this forum.   Most of the SIM-jacking (seems) to happen to people who rarely visit this site and are only aware something is wrong when they're suddenly no longer able to use their phones.  Some of us don't use our phones (that is for phoning/texting purposes) on a regular basis, so we may not become aware that a SIM-jack has even happened for a long period, by which time serious damage to all sorts of accounts can be done.  Plus the wait time to get a response from moderators after submitting a ticket/message just takes way too long (especially when they're backlogged) and just further compounds an already unacceptable situation.

 

I don't understand why requiring a PIN (the one we already have for making changes via 611 should suffice?) to change SIM in the self serve account cannot be quickly implemented.  IMO that would at least reduce a lot of these SIM-jacking incidents.   

 

BTW changing a PIN (IIRC as it's been awhile since I did this) usually requires DOB plus couple of other verification questions.

 

Sorry about the rant, but I just think this problem should have been sorted out a while ago!

sa7375
Town Hero / Héro de la Ville

Forewarned is forearmed, and thank you for the heads-up, @Catherine_T.

 

Implementing a two-factor authentication (2FA ) by PM for change of SIM might be well worth the consideration. 

 

 

 

Camera4617
Town Hero / Héro de la Ville

That's what I said earlier, if PM cannot do some extra protection, just remove it. My tradeoff if I ever need this option (and for 20 years haven't had) is to go to store and do it there. Prove your identity somehow and it's all good.

Anonymous
Not applicable

@Jb456 wrote:

Just remove "change sim" from the account. If legit people need to change their sim card then they open a ticket for moderators. Problem solved!

 


It would be interesting to see the frequency of these if they were to remove it. I wonder that there's another method hackers are using.

But if I needed service due to something about the SIM then I wouldn't really want to have to wait. I'd rather run out to a store and then change the SIM myself rather than wait.

@rhkjcfp  I wouldn't say more work to do as it's not likely everyone is changing their sim card on a weekly basis. I've had to do one change since 2018 as I lost my phone while on vacation. 

 

Shouldn't be a big impact on mods.

 

rhkjcfp
Good Citizen / Bon Citoyen

Agreed. The trade off is the Mod has more work to do.

Just remove "change sim" from the account. If legit people need to change their sim card then they open a ticket for moderators. Problem solved!

 

 

 

Anonymous
Not applicable

 @will13am : The new PIN still goes to the account's number via SMS.


@HALIMACS wrote:

@kb_mv wrote:

@Anonymous wrote:

 @kb_mv : I was rightly corrected on that idea that well what about a lost or stolen phone? There's no receiving an SMS then. So I retreated back to the idea of the PIN required when changing the SIM.


@Anonymous I had not considered that. PIN it is....


It is absolutely up to PM to do everything reasonably possible to stop SIM swapping from happening at source.  I'm not fully convinced they are.  It is THEIR systems (and/or Mod's - hope not???) which are allowing an unauthorized user to make significant and impactful changes to their REAL customer's accounts.

 

It is equally important for ALL users to do the same diligence - and some have no clue (even after extensive coaching) how to mitigate against themselves from being a target. 

 

This message from PM is a small start in that it at least recognizes that PM considers this to be worthy of air-time on the Community.   But what about all those users who could care less to read or follow Community postings?   Indeed, it seems most SIM hack victims result in users creating a Community account after the hack to plead for help.

 

@Anonymous  , with a PIN option, if the hacker sent a Mod request to change the PIN before doing anything, how does that get processed & get communicated back to the rightful customer?  Is it via text to the registered phone number or by private message to the user's attached Community account?

 

 


I have never had to change an account PIN before so I am not sure what verifications the moderators would ask for before doing it.  I would presume that they would ask for the birth date of the account holder.  Just like the account PIN, it is something not seen in the self serve and provides a measure of security against fraud.  


@Anonymous wrote:

 

Indeed, why the perp doesn't change the account and all while doing their misdeed does make me wonder about any of the thoughts in the post by NDesai in the lounge. Are these perps doing this some other way.

@Anonymous Only PM can tell us what method is used to get in to the affected accounts. Unfortunately one recent victim of this was told nothing about how it occurred. I asked them what they were told by PM and it was essentially sorry this happened.

 

The sale of online account info on the dark web is rampant. I read a blog by Brian Krebs, lots of interesting stuff there. I appropriated this pic to show how one compromised email can cause a lot of trouble.

 

HE-1.jpg

Anonymous
Not applicable

@kb_mv wrote:

@will13am @Anonymous We already have the PIN associated with our account, so they wouldn't be starting from scratch on implementing this.


It's all easy if they would do things. This place moves at glacial speed though. Or they'll only do something if told to. It was the same with the porting SMS. So now that problem seems to have stopped only because now the SIM-jack is being done. One more step up the chain.

Indeed, why the perp doesn't change the account and all while doing their misdeed does make me wonder about any of the thoughts in the post by NDesai in the lounge. Are these perps doing this some other way.

@will13am @Anonymous We already have the PIN associated with our account, so they wouldn't be starting from scratch on implementing this.

Anonymous
Not applicable

 @will13am : The porting out SMS is now a moot point driven by the CRTC but since apparently all we see here are the marketing types, then wouldn't it be a marketing coup to say hey look at us we're protecting our customers and those guys over there are not. Come over or stay here because we care about our customers. Marketing.

 

 @HALIMACS : A PIN change result is sent via SMS.


@Anonymous wrote:

 @Catherine_T : How about some actual news. How about a real announcement of how you actually care about your customers and have implemented a PIN at the point of Change SIM?

This whole rambling thing is old news and doesn't do or say anything useful. We all already know this and have been saying all of this time and again as these frauds have mounted in numbers.

If you cared, you would have implemented the porting confirmation on your own rather than waiting for the CRTC to mandate it. If you cared you would implement a PIN required at the point of an account using the Change SIM function on your own rather than waiting for the CRTC to mandate it (if they do).

Just do it. If you care. Otherwise, it's all useless fluff to put up appearances.


You made some excellent points on improving security.  Often the vulnerabilities are borne out of conveniences.  I think implementing a PIN requirement for SIM card change is something that can be implemented with reasonable dispatch.  As for the porting process, I doubt that any one carrier can take unilateral action in a transaction that involves a second carrier.  A coordinated effort is needed.  
