cancel
Showing results for 
Search instead for 
Did you mean: 

SIM Swap Fraud

Catherine_T
Retraité / Retired
Retraité / Retired

*July 14, 2021 Update*

 

We are pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account

 

We temporarily disabled all online SIM swaps in March, to protect our customers from SIM swap fraud.

 

We have now implemented an additional step in the form of a 2 factor-authentication code to secure this process.This code can be sent via SMS or email, and must be verified to complete the SIM swap.

 

For more details, please see below.

 

Jade_S_1-1626272487403.png

 

All the information below can be found in this Help Article. 

 

---------------------------------

 

*March 8, 2021 Update*

To protect our customers from SIM swap fraud, we have temporarily disabled all online SIM swaps through Self-serve. To change your SIM card, please submit a ticket here

 

Customer safety and security is our priority, and we are working on permanently securing the online SIM swap process. In the meantime, we recommend that you continue following the steps outlined below to protect against fraudulent activities.

 

-------------------------------

 

Hey Community,

 

We’ve noticed some cases of SIM swap fraud, and wanted to help our customers better understand what SIM swap fraud is, what to do if you’ve been targeted, and how to prevent it in the future. 

 

All the information below can be found in this Help Article. 

 

What is SIM swap fraud?

 

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information is on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts. 

 

How does SIM swap fraud happen? 

 

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account. 

 

What do I do if I’ve been targeted by SIM swap fraud?

 

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

  • Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

 

  • Put your phone into Lost/Stolen mode to suspend the fraudster’s service, to do this follow the below steps: 
    • Log in to you Self-Serve account
    • Go to Plans and Add-Ons, then select “lost/stolen phone”
    • Select “suspend service”

 

Catherine_T_1-1612535117310.png

 

 

  • Then, submit a ticket here - our Moderator team will be able to restore your original SIM card. 
  • We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately. 
  • You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free:1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

 

How to protect against SIM swap fraud? 

 

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

  1. Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information. 
  2. Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
  3. Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all.  We also recommend that you change your passwords, including your Self-Serve password regularly.
  4. Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

 

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity. 

 

- The Public Mobile Team

 

197 REPLIES 197

Send me a text message and e-mail if my sim card is trying to be changed.

 

"Hi Public mobile here, there is a request for a sim change, if this was not you please respond back to this message with "No" to cancel the sim change, otherwise the sim change will go through in X hours"

 

Then in each self serve account allow us to select how many hours (X) the sim change timer would take in hours and do not allow this to ever be lowered, only increased even with account information verification and moderator intervention. Default is 0. I would set mine to 48 hours.

 

 

akanksha_1
Great Neighbour / Super Voisin

Hey there!

Thanks for the information.

Camera4617
Town Hero / Héro de la Ville

@gpixel wrote:

@Camera4617 the fact of the matter is, other providers also have the 'change sim' function.

and if you're on post paid you will need to have your correct information. prepaid you do not. so prepaid is still the safer choice


@gpixel 

Probably, but correct or incorrect information means nothing for SiM change function. Once you/they are in, it doesn't matter. It might mean something to port your number, but I'm not sure that I want to put 'John Doe' name and then use that when porting. How do I prove I'm 'John Doe' if that's required.. That never made any sense to me. Also, even if it is ported/SiM Hijacked, it is easier to prove your identity with 'real info', rather than made up.

 

dabr
Mayor / Maire

@Lieux wrote:

@kb_mv @darlicious  The help page about transfer or change number have disappeared in the English forum...but you still can find it in the French forum 😉 

https://productioncommunity.publicmobile.ca/t5/Annonces/Transf%C3%A9rer-ou-changer-un-num%C3%A9ro-de...


Thanks @Lieux  I'd also been looking for that announcement link and had been wondering what happened to it.  I guess we just have to use Google translate instead now... 😊

@Camera4617 the fact of the matter is, other providers also have the 'change sim' function.

and if you're on post paid you will need to have your correct information. prepaid you do not. so prepaid is still the safer choice


@darlicious wrote:

@Camera4617 

 My search the other night turned up pretty much nothing as far as other mobile providers help forums went.....maybe you can find something?

 

@Pawprints1986 

Ironically when I signed into my CRA account yesterday I had been randomly selected to add 2FA with no option to refuse its implementation. Choosing to recieve a phone call ensures it can be sent to just about any phone ( ie landline) but it means that you can at least ensure that you have your voicemail pin required to access your messages from any device .


See what I mean about forced 2FA?  Resistance is futile.  

Camera4617
Town Hero / Héro de la Ville

@darlicious  Yes, we agree on that. But also some other simple changes like when creating password. They suggest using combination of letters, numbers and symbols but then they just enforce "It must contain a minimum of 6 characters, including at least one digit". Well guess what, if you let users with 6 characters and one digit, they'll use it. Then PM says, create better password. It would take an hour for a developer to enforce it to be at least 12 characters and have a number, upper case, lower case and symbol. If I follow their 'enforcement', my password can be hacked in 1/2 seconds by using 'random' letters and one number. If you simple enforce what I mentioned (that is standard on many sites), it makes much stronger password that now it takes 400 years to crack (based on howsecuremypassword is site). Also, why limit me to 20 characters? Why not more and if I want to use super-strong password (that makes me more secure) ,why not? BTW, they don't tell you that limit is 20 characters and it took me few min to figure that out. Just some 'general' message that password is not in acceptable format, not why (that is over 20 characters)

So, help your customers with these small enforcements. Not everyone is tech wizard and uses PasswordManagers (as we all should), but don't leave it as suggestion, enforce it. 

@Camera4617 

PM needs to make the rules as very few other providers allow the kind of access we have in our accounts and i want it to remain that way. I dont mind any of the options I summarized in my post. Optional additional security measures but I want it easily accessible....and free!

Camera4617
Town Hero / Héro de la Ville

@darlicious wrote:

@Camera4617 

 My search the other night turned up pretty much nothing as far as other mobile providers help forums went.....maybe you can find something?

 

@Pawprints1986 

Ironically when I signed into my CRA account yesterday I had been randomly selected to add 2FA with no option to refuse its implementation. Choosing to recieve a phone call ensures it can be sent to just about any phone ( ie landline) but it means that you can at least ensure that you have your voicemail pin required to access your messages from any device .


@darlicious 

It will be hard to find any info as most of big providers do have contact phones and they deal with that directly. So, I'm not saying that there is not cases on other providers , but the fact that we cannot find it, doesn't mean it does or does not exits. 
And yes, CRA does force you to use your phone but what if I don't have landline? And what if I need access to site when I'm not home but I have cellphone. I hope that CRTC will force some rules on this 'sim change' as they did on porting that now you get SMS as part of approval. 

@Camera4617 

 My search the other night turned up pretty much nothing as far as other mobile providers help forums went.....maybe you can find something?

 

@Pawprints1986 

Ironically when I signed into my CRA account yesterday I had been randomly selected to add 2FA with no option to refuse its implementation. Choosing to recieve a phone call ensures it can be sent to just about any phone ( ie landline) but it means that you can at least ensure that you have your voicemail pin required to access your messages from any device .


@kb_mv wrote:

@darlicious wrote:

Now if someone could tell me what happened to the thread on porting telus/ koodo to pm requiring moderators that would be great?!!


@darlicious OMG! I thought is was just me lol. I looked everywhere for that thread yesterday and almost convinced myself that it never existed!


@darlicious and @kb_mv   I had spent so much time looking for that thread myself.  oh my goodness!  thank you both for confirming that I was not going senile..... yet.  😂

 

Camera4617
Town Hero / Héro de la Ville

@Pawprints1986  Good thinking but I'm not sure that I'd like lock access to important sites by 'free voip' app. I'm not sure how they are regulated and what kind of rules they have to follow. And again, this is just you as a customer trying to find solution to problem that PM should do.

 

I'm really annoyed by OP post where we are told what do and what not to do (don't get me wrong, all these make sense and I do practice them especially about strong unique password), but where is portion on 'what PM is doing' to secure their customers. Some things would be really simple to do like reaching out to customers that had been SiM hijacked and finding more info from them, like about password, how strong it is, is it  'unique' or used on multiple sites. Then if it turns out that huge majority had 'weak' password, I would be OK with just these instructions for this phase. But what if they had 'strong unique' password? How did they get SiM hijacked? Maybe some backdoor open? Some data leak? Some data breach? Some employee ? Who knows. Just saying 'sorry it happen to you' and restoring SiM where possible doesn't mean anything. 

If PM doesn't do anything in near future about this, I'm pretty sure that I'll be leaving (even though I LOVE PM) and finding some other provider. But before I change, I'll first check how do they prevent 'SiM hijacking'.. 


@kb_mv wrote:

@darlicious wrote:

Now if someone could tell me what happened to the thread on porting telus/ koodo to pm requiring moderators that would be great?!!


@darlicious OMG! I thought is was just me lol. I looked everywhere for that thread yesterday and almost convinced myself that it never existed!


yes.. i bookmarked it and no longer work.. i thought it was me too..

 

So, what's the reason to pull that thread away?  process changed quietly again?


@kb_mv wrote:


What I find even more interesting is they don't send an email saying "your password was recently changed". Along with providing direction if I did not change it. Virtually every if not all sites I deal with do this...


did PM ever sent email at all?  My friend activated last Nov, he didn't even get an activation/welcome email...

 

i think they do need email like password change, SIM change, credit card change.. probably amount added (by credit card or phone or so...)   After all, it's almost no cost to Telus for setting these up... 


@mimmo wrote:

 

 

Hopefully one-day PM will listen to its customers on their help needs and make getting help easier... Mind you some people like SIMon from what I've been told.(must have been the chatbot develooers) lol. 

 

 

 haha. maybe in 20 years..all the young one like talking to the Bots instead of real persons.. PM just ahead our time 20 years.. LoL

Pawprints1986
Deputy Mayor / Adjoint au Maire

First off, have to say I agree with all here saying that port fraud needs to be better than "go onto your account and change your name to bob Barker etc cuz it won't port if info doesn't match." Sim fraud I know a bit less about. 

 

But I did do something the other day. I used an app that wanted me to confirm my phone number 2fa, but I wanted to try the app out without my real phone number, so I gave it a text now number. The text didn't work, at least not on PC, but there was an option for a call, which it also didn't ring but it *did* leave a  voicemail for me with the pin I needed to verify "my device". So that got me to wondering, if there are similar apps but that you don't have to worry about losing the number if you don't use it for a week, or whatever it is. If there is, I may just switch all my banking and such to that secondary number, keeping my real phone number safer and likely also less spam calls too. Just as an idea to put out there. I haven't done any more digging as far as other WiFi calling apps that let you keep your number even if it's not used often (but without having a *real* second number)

mimmo
Retired Oracle / Oracle Retraité

@darlicious It's been asked for many many many times.

 

I asked @Catherine_T  why announcement was removed in oracle forum, also mentioned that SIMon needs to be updated.

 

Hopefully one-day PM will listen to its customers on their help needs and make getting help easier... Mind you some people like SIMon from what I've been told.(must have been the chatbot develooers) lol. 

 

 

 

 

@Lieux @mimmo 

Thank you for the links.....I still don't understand why it was removed from the landing page so quickly as the landing page is usually the first place new customers end up. We all know I don't do simon. I even struggle accessing the help articles I may be looking for.....we need a handy index or faq on the landing page or a tab with HELP ARTICLES that you click on.

kb_mv
Mayor / Maire

@mimmo wrote:

@kb_mv , @darlicious , strange that announcement is gone but it's all in the help article and probably simon

https://www.publicmobile.ca/en/on/get-help/articles/choose-your-phone-number

 


@mimmo Thanks! 

 


@mimmo wrote:

(the "first" areas customers are supposed to go to for help)....

 


@mimmo LOL, sorry, couldn't resist.

mimmo
Retired Oracle / Oracle Retraité

@kb_mv , @darlicious , strange that announcement is gone but it's all in the help article and probably simon (the "first" areas customers are supposed to go to for help)....

 

https://www.publicmobile.ca/en/on/get-help/articles/choose-your-phone-number

 

 

@kb_mv @darlicious  The help page about transfer or change number have disappeared in the English forum...but you still can find it in the French forum 😉 

https://productioncommunity.publicmobile.ca/t5/Annonces/Transf%C3%A9rer-ou-changer-un-num%C3%A9ro-de...


@Jb456 wrote:

@Anonymous  I made a post last year (around same time sim swaps first started) that the 1855 # is a breach of confidentiality. I believe I tagged Tiana & Alan to that thread. Next day Public Mobile completely deleted the thread. That tells you something.


@Jb456 , yup, totally with you on this one and supported your past threads about this. @HALIMACS  @Anonymous 

 

I have put in two separate tickets regarding this issue about concerns and plans to have this updated / changed.

At first, the Moderator I was dealing with did not seem to think it was a big deal. Then as I explained more how there are privacy issues here, and there seemed like a pretty simple fix to limit the open shared information.

I even joked about asking for the Moderator's phone number so I could take "tabs" on their balances/expires/statuses etc. just by calling this number. I was joking of course! But you get the idea...if someone knows your number people are creepy and who knows....

 

Anyways, it ended with the Moderator saying they would bring it up to "their" supervisors as Moderators do not change or update these particular systems/processes.

smp99
Deputy Mayor / Adjoint au Maire

As previously mentioned - you could remove the option for SIM change. 

 

You would need to go through the MODs which could take some time

 

-OR- You could set up Telus/Koodo stores to do a SIM change for a fee ($10? plus SIM card itself) That way ID could be verified in store. If Telus/Koodo/PM wants to take this seriously, or at least have the perception that they are taking it seriously then this would be a step in that direction.   


@darlicious wrote:

Now if someone could tell me what happened to the thread on porting telus/ koodo to pm requiring moderators that would be great?!!


@darlicious OMG! I thought is was just me lol. I looked everywhere for that thread yesterday and almost convinced myself that it never existed!


@gpixel wrote:

@mimmo lol you're right I just changed my password recently. not sure why I thought there was an email verification process

 

in that case, it's very interesting that they don't. 🤔


@gpixel @mimmo What I find even more interesting is they don't send an email saying "your password was recently changed". Along with providing direction if I did not change it. Virtually every if not all sites I deal with do this...

@Catherine_T 

Thank you for finally addressing this very serious issue that (the regulars at least ) we began to notice creep up as a problem on the community about a year ago. At that time it was once a month but as each month passed the frequency increased....every two weeks, once a week and now its daily if not more......

 

We were concerned when it was once a month. At 365 or more per year this is reaching a pandemic stage and public mobile needs to address it from the top on down. Its time to plug the holes of privacy breaches, information leaks and step up moderator training and skills developement to include updates to this kind of fraudulent activity. Adding a fraud button similar to reporting inappropriate behavior would help immensely as this illicits a moderator response almost immediately.

 

At least public mobile is willing to admit there is a problem, explain it to the uninformed and how to counteract both the fraud in progress and how to help prevent it from happening to the user. ( I would be interested to see if it ever happens to a regular community member?!!) Allowing the free discussion of the simjacking issue among community members allows more users to become informed, brainstorm ideas on how to further protect our accounts and makes the pm community the main source for information on the subject in Canada.

 

I don't believe this type of simjacking is isolated to public mobile but unlike other providers who have buried any mention of the issue in their own help forums pm has (finally) acknowledged one of the industry's dirty little secrets. While social engineering plays a role in the access to our accounts how exactly access is made remains a bit of a mystery as there are only two ways in.....logging in with the username and password or thru the backend by pm employees. ( Which as many have mentioned why the password isnt changed by the hacker themselves?)

 

Implementing additional security measures that don't require an overhaul of system is paramount to having any additional measure occur sooner rather than later. Removing the sim card change from our accounts or requiring in person verification creates a hassle for those needing a simple sim card change ( like the bf whose sim card was changed/replaced 3 times last year) and can exacerbate an already desperate situation.

 

Putting optional extra security measures (like the sim card change being pin# protected) into the account to protect the safety measures already in place such as changes to the pin #, security question and answer and password ( by having verification questions) and utilizing the option of changing the username for login (to an actual username instead of your email) could easily make the account itself and the important features within become better protected.

 

Additionally a further verification/ authorization method could be set up that permission for certain changes would be required thru only the linked community account of the user so that a hacker would also have to be able to access the community account to make self serve account changes. This would help prevent any back end access making changes without the members knowledge.

 

@Catherine_T  Please keep this pinned to the landing page so its always front and centre for those experiencing a simjacking can locate it easily and quickly. Now if someone could tell me what happened to the thread on porting telus/ koodo to pm requiring moderators that would be great?!!

Funny thing - i'm only 1/2 paying attention to this thread.

 

I'm thinking a solution to the varying level of security/authentication that different users expect, should be user-based.

 

Give individual users the option to utilize differing levels of verification before certain transactions/changes can be made on self-serve or *611.   So if a user wants PIN's or text confirmation or e-mail confirmation or maybe a call to an alternate phone number for some mundane change vs something much more sensitive, then let the user decide how each account change/update is secured.

 

 

 

 

Anonymous
Not applicable

 @Jb456 : I'm with you now. HALIMACS made it make sense. I didn't twig to the confidentiality point of yours. I didn't put two and two together. Right. More information for social engineering. Got it. Bad.

@Anonymous  I made a post last year (around same time sim swaps first started) that the 1855 # is a breach of confidentiality. I believe I tagged Tiana & Alan to that thread. Next day Public Mobile completely deleted the thread. That tells you something.

Anonymous
Not applicable

 @HALIMACS : I'm not sure I recall Jb456 defending his point in that same way. Y'see how it's funny how even just wording things differently but saying the same thing can twig people to get it. But I don't know if Jb456 said things of that nature before.

 

 @computergeek541 : The PIN is only sent once by SMS at activation. If requested to change, again to SMS. We don't know if the hackers have PIN's or just login credentials or both.

 

And RE: inconvenience: it's that problem with some people that gets them into trouble to begin with. I say tough toodles. If they can't tolerate the once in a blue moon needing a little extra security step to do something critical to their account then they're not worthy of a hands-on self-serve provider. Go to an upper tier and get hand-holded for the price.

Need Help? Let's chat.