Community

Catherine_T · ‎02-05-2021

*July 14, 2021 Update*

We are pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account.

We temporarily disabled all online SIM swaps in March, to protect our customers from SIM swap fraud.

We have now implemented an additional step in the form of a 2 factor-authentication code to secure this process.This code can be sent via SMS or email, and must be verified to complete the SIM swap.

For more details, please see below.

All the information below can be found in this Help Article.

---------------------------------

*March 8, 2021 Update*

To protect our customers from SIM swap fraud, we have temporarily disabled all online SIM swaps through Self-serve. To change your SIM card, please submit a ticket here

Customer safety and security is our priority, and we are working on permanently securing the online SIM swap process. In the meantime, we recommend that you continue following the steps outlined below to protect against fraudulent activities.

-------------------------------

Hey Community,

We’ve noticed some cases of SIM swap fraud, and wanted to help our customers better understand what SIM swap fraud is, what to do if you’ve been targeted, and how to prevent it in the future.

All the information below can be found in this Help Article.

What is SIM swap fraud?

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information is on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts.

How does SIM swap fraud happen?

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account.

What do I do if I’ve been targeted by SIM swap fraud?

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

Put your phone into Lost/Stolen mode to suspend the fraudster’s service, to do this follow the below steps:

Log in to you Self-Serve account
Go to Plans and Add-Ons, then select “lost/stolen phone”
Select “suspend service”

Then, submit a ticket here - our Moderator team will be able to restore your original SIM card.
We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately.
You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free:1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

How to protect against SIM swap fraud?

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information.
Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all. We also recommend that you change your passwords, including your Self-Serve password regularly.
Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity.

- The Public Mobile Team

Lieux · ‎02-12-2021

@SteTem Nice to ear that! Thanks for sharing!

SteTem · ‎02-12-2021

Hate to admit i was a victim of SIM CARD SWAP

I want to give a special Thank You to the tutorial posted and the Mods that helped me

Very quickly i was back using my phone

The Mods helped me with very secure instructions and after it was rectified i was contacted from the Fraud Dept ,, they explained very well how and why it could have happened and what i should do to protect my PM account

i will have to keep an eye on things moving forward but all seems to be back to normal

Thx Again

SteTem

Pawprints1986 · ‎02-10-2021

People are overall saying they're okay with "if no action is taken within x amount of time, thing will be changed" but I disagree. The change should not go through *unless* you do a certain thing. If they give it 8 hours but you're an er nurse and can't check your personal phone or email for 10 hours, you're screwed

An absolute fool proof way, which I get would also be a pain, would be having to go in person to a kiosk and show photo ID to change your number or sim or anything on the critical side. I get why this isn't the case, but there's gotta be a way between that and what's in place now

fujiyama · ‎02-10-2021

Nice to see an announcement about this but I agree with the majority here, would rather see countermeasures implemented and not just a post acknowledging the problem. There are some great ideas posted here, hope they will seriously considered by PM.

stevenanto · ‎02-10-2021

@LoreckAvery People will always find new ways to steal from others. Just wish there is a way to knowing who jacked your sim....

LoreckAvery · ‎02-09-2021

At least there is some acknowledgment that this is becoming a large threat to people’s personal information!

Pawprints1986 · ‎02-09-2021

@Camera4617 the few things I've had to use 2fa on don't allow for the "this is me don't ask me again" option. Property taxes comes to mind but there are others too

darlicious · ‎02-09-2021

@dabr

Technically that option already exists but I think it plays havoc with the community rewards. I believe pm also disabled the option last year sometime because it was confusing customers. If it doesn't affect the community rewards or they can adjust it they should consider re-enabling that feature.

If you remember from previous posts an OP inquiring about how to change their email of their self serve account and they were directed to the change your email option in your account to only discover their self serve and community accounts were no longer properly linked. The change email function changes the username but the email remains the same in the main account.

This would be a fairly easy to implement from pm's standpoint.

Camera4617 · ‎02-09-2021

@computergeek541 OK. Then I misunderstood how that works. Thanks.

computergeek541 · ‎02-09-2021

@Camera4617 wrote:
@computergeek541 I thought that you if you have any issues and 'cannot login' into your account, you have to use 'community account' that has the same email address. Am I wrong here?

This is incorrect. It does not matter which Community account is used to open a ticket or the e-mail address that is associated with it.

Camera4617 · ‎02-09-2021

@computergeek541 I thought that you if you have any issues and 'cannot login' into your account, you have to use 'community account' that has the same email address. Am I wrong here?

computergeek541 · ‎02-09-2021

@Camera4617 wrote:
@dabr Yeah, I agree. Another thing is that I think most of users (even I did originally), take these 'community' accounts as 'less important' and create easy passwords. Then guess what, if somebody can get into, they can reach out to Moderators as yourself and get into your account.

That isn't how it works. There is no link between your Community account and your self serve account, other than for the purposes of distrubuting Community rewards. The fact that there's no other link between the the two is the very reason that the SIMon forces customers to authenticate the self serve account and link it to the Community account each time a ticket is opened. This is only so that the modeartors know how to contact you. Someone else having your Community account password means nothing unless you have a open ticket with the moderators and moderators are sending private messages to this account.

Camera4617 · ‎02-09-2021

@dabr Yeah, I agree. Another thing is that I think most of users (even I did originally), take these 'community' accounts as 'less important' and create easy passwords. Then guess what, if somebody can get into, they can reach out to Moderators as yourself and get into your account.

dabr · ‎02-09-2021

If PM does ever get around to making changes and, hopefully, requiring, at the minimum, a PIN before being allowed to change the SIM in the account, I'd also like to see them permitting users to have the option of using an unique username (obviously totally different from Community username) instead of the email for logging into the self serve account. I've never thought emails should be used to login into accounts with sensitive personal information, although they are definitely more convenient to remember.

Camera4617 · ‎02-09-2021

@Pawprints1986 wrote:
2fa always bothered me especially email address based ones. Always figured if someone knew enough to get into my account, they probably already know my email too

I'd much prefer to be able to choose a preference of 2fa *or* thumbprint. Even if someone stole and was holding my phone, good luck getting my severed thumb to last very long lol.

2fa just very time consuming when it is you. Especially for sites that don't allow special characters in your password! Its like, let us properly strengthen the first one and we won't need the second one!

That would be the case only if you use same password for everything (I hope you don't) and they know your email address. You can protect your emails with 2FA too. Also, let's not mix having 'SiM Hijacked' and device lost, those are 2 different things and device you can protect yourself by different steps. I don't see 2fa time consuming as generally, you can 'trust this browser' when you do it first time and you are not asked again, which is perfectly fine if you own device. I'm ok with spending few seconds to authenticate myself first time using 2FA. Also, on the phone you can use 'thumb' or 'face identification' to avoid typing anything for quicker access.

We are all different and some people are not even comfortable with using online banking or something. But 2FA is the only way to fully protect yourself.

stevenanto · ‎02-09-2021

@Teslas I agree with you that a fraudster can basically get any info they want off of the phone if they can hijack your SIM, people do keep their automatic credit info on there for faster checkout, some people have personal emails, codes, passwords and so on.

the 2fa might be viable option but we each take our steps to protecting ourselves.

Pawprints1986 · ‎02-09-2021

2fa always bothered me especially email address based ones. Always figured if someone knew enough to get into my account, they probably already know my email too

I'd much prefer to be able to choose a preference of 2fa *or* thumbprint. Even if someone stole and was holding my phone, good luck getting my severed thumb to last very long lol.

2fa just very time consuming when it is you. Especially for sites that don't allow special characters in your password! Its like, let us properly strengthen the first one and we won't need the second one!

Camera4617 · ‎02-08-2021

We need to be clear that not every 2FA that is using SMS will be in danger of giving access to account. Since that is the (usually) Second authentication, it will happen only after 1st authentication which means somebody has your password . So if you remove 2FA as an option, then it doesn't matter as they already know password.. The only risk is actually if in 'forgot my password' they are using only phone number (SMS) for recovering credentials and that's the real danger. So, if you have a service that does it, remove your phone number (if you can). So it doesn't mean that you will lose access to all your accounts, but just a thought of 'losing' number by somebody switching SIM card for me is scary. Btw, I love 2FA and I think it is the most reliable way to secure your accounts, as long as it is set and used properly.

Daiheadjai · ‎02-08-2021

I was looking into removing 2FA in a banking account - was pretty miffed that there's no option to remove it.

It's pretty impressive that thieves/fraudsters managed to take something which was intended to increase our security and protection, and use it against us.

Daiheadjai · ‎02-08-2021

One countermeasure which would be easy to implement, is for Public to simply send out an email alert when a SIM card change is requested/applied to an account.

This way, customers would at least be warned that something is happening.

This is exactly how I found out something was wrong in my SIM fraud experience: A payments service provider sent me an email noting that I'd changed my address to an address in another province, and had attempted to change my e-mail address as well (by luck or by design, it still sent the email to my old/real address, otherwise I'd never known until the charges hit my account).

Pawprints1986 · ‎02-08-2021

"Ironically when I signed into my CRA account yesterday I had been randomly selected to add 2FA with no option to refuse its implementation. Choosing to recieve a phone call ensures it can be sent to just about any phone ( ie landline) but it means that you can at least ensure that you have your voicemail pin required to access your messages from any device ."

@darlicious

That's actually true, I hadn't thought of this. For myself I know my pin so well that it totally escaped my mind that it would be hard for others to guess ! SMS even with thumbprint or pattern enabled on the lock screen, for my own ease of access I have it set up so if I push on the little notification bubble, I can see the SMS.

But that could be a possibly better way to prevent Sim fraud, if it's requested, you get a voicemail, from pm which contains a decently tough unique 1 time code that you then have to text to pm, to prove its you and you still have full control of your device ?

I still say the telus port phone support line should be universally available as the only way to port out though. Since theyre all the same company anyway, it's not like they'd have to hire anyone!

XionBunny · ‎02-08-2021

About time this information was posted honestly, though personally I'm kinda sketched out about the security of this service now, there really does need to be a censor put on sensitive information here when a person posts, such as phone numbers when posted being automatically blanked out, so that a criminals cant use that info to compromise accounts.

sunflowershine · ‎02-06-2021

Thanks for your info!

Teslas · ‎02-06-2021

Thanks for educating everyone about this.

If a fraudster is able to compromise a person's cell phone account it becomes the gateway to taking their other accounts, this makes cell phone accounts the primary target & thus it would make sense that cell phone accounts should have the strongest security against attack available.

As far as I can figure out, Public Mobile's security is currently bare-minimum: password and a security question. Weak. No 2FA as mentioned.

Will Public proactively protect its customers by implementing 2FA at minimum Authenticator type and/or even better: FIDO U2F security key capability that is cheap, widely available, easy to use & super secure? Please protect us!

https://fidoalliance.org/showcase/fido-u2f-security-key/

https://en.wikipedia.org/wiki/Universal_2nd_Factor

https://www.howtogeek.com/232314/u2f-explained-how-google-microsoft-and-others-are-creating-universa...

I would VERY MUCH APPRECIATE this.

Who else wants better security against growing SIM swap fraud??

Camera4617 · ‎02-06-2021

@RobertQc wrote:
@Camera4617 wrote:
@RobertQc Problem with SMS is that probably your SIM is not working and you cannot receive, but email would work. Or 'alternate phone number' that we can all list.
@Camera4617 Yes but thats why if your phone is not working, no reply would allow the sim to go through like normal.The sim change will automatically go through unless you stop it. But yes, send it to as many e-mails / phone numbers you wish.

@RobertQc wrote:
"No" to cancel the sim change, otherwise the sim change will go through in X hours"

@Camera4617 wrote:
@RobertQc Also, being able to set hours in Self Serve is a potential risk as those who got in, can change it to 0 hours and change SiM.
@Camera4617 No, like I said, this number can NEVER be lowered.

@RobertQc wrote:
and do not allow this to ever be lowered, only increased even with account information verification and moderator intervention.

This timer doesn't have to stop any other future advancements in sim swap prevention methods public mobile comes up with and it can be only used by people that want to use it. It is only able to assist against sim swap fraud by those that wish to utilize this feature if it was available.

@RobertQc Sure, we are giving some suggestions but neither of us can make that call. The thing is that we are solutioning without even knowing what the problem is. If it is 'too simple' password ,PM can easily solve that. If not, then do some extra steps (I'll take any suggestions any of us mentioned).. I hope somebody from PM is reading this and understanding potential impact to the company. This is not simple issue like competitor is giving better plan. This could have some serious consequences on some people and I'm not taking this lightly.

gpixel · ‎02-06-2021

@Camera4617

Probably, but correct or incorrect information

means nothing for SiM change function. Once you/they are in, it doesn't matter. It might mean something to port your number, but I'm not sure that I want to put 'John Doe' name and then use that when porting. How do I prove I'm 'John Doe' if that's required.. That never made any sense to me. Also, even if it is ported/SiM Hijacked, it is easier to prove your identity with 'real info', rather than made up.

yes, there needs to be a compromise. but, I would rather lose my number than to lose my identity. it isn't easy to reclaim your identity after its stolen.

RobertQc · ‎02-06-2021

@kb_mv wrote:
@Camera4617 @RobertQc I like the idea of an email but it would need to be something that required action to allow the sim change (similar to the porting process) as opposed to "if you do nothing it will happen in XX hours".

In the past when on vacation my attention to email is spotty at best and if this is when the ner do wells decide to do this, my non action would suffice to stop it.

@kb_mv Perfect, so it can either be do it unless in X hours. Or don't do it unless the required action went through. Allow the customer to choose the way they want it.

kb_mv · ‎02-06-2021

@Camera4617 @RobertQc I like the idea of an email but it would need to be something that required action to allow the sim change (similar to the porting process) as opposed to "if you do nothing it will happen in XX hours".

In the past when on vacation my attention to email is spotty at best and if this is when the ner do wells decide to do this, my non action would suffice to stop it.

RobertQc · ‎02-06-2021

@Camera4617 wrote:
@RobertQc Problem with SMS is that probably your SIM is not working and you cannot receive, but email would work. Or 'alternate phone number' that we can all list.

@Camera4617 Yes but thats why if your phone is not working, no reply would allow the sim to go through like normal.The sim change will automatically go through unless you stop it. But yes, send it to as many e-mails / phone numbers you wish.

@RobertQc wrote:
"No" to cancel the sim change, otherwise the sim change will go through in X hours"

@Camera4617 wrote:
@RobertQc Also, being able to set hours in Self Serve is a potential risk as those who got in, can change it to 0 hours and change SiM.

@Camera4617 No, like I said, this number can NEVER be lowered.

@RobertQc wrote:
and do not allow this to ever be lowered, only increased even with account information verification and moderator intervention.

This timer doesn't have to stop any other future advancements in sim swap prevention methods public mobile comes up with and it can be only used by people that want to use it. It is only able to assist against sim swap fraud by those that wish to utilize this feature if it was available.

Camera4617 · ‎02-06-2021

@RobertQc Yeah, that's one of the possible options but do anything to help this issue. Problem with SMS is that probably your SIM is not working and you cannot receive, but email would work. Or 'alternate phone number' that we can all list. Also, being able to set hours in Self Serve is a potential risk as those who got in, can change it to 0 hours and change SiM. No solution will be 'perfect' and we can find to each some 'unwanted scenarios' but anything is better than just simple change sim..

Community

SIM Swap Fraud