
SIM Swap Fraud

Catherine_T
Retraité / Retired

*July 14, 2021 Update*

 

We are pleased to announce that as of July 14, 2021, SIM card changes have been re-enabled in My Account.

 

We temporarily disabled all online SIM swaps in March, to protect our customers from SIM swap fraud.

 

We have now implemented an additional step in the form of a 2-factor authentication code to secure this process. This code can be sent via SMS or email, and must be verified to complete the SIM swap.

 

For more details, please see below.

 


 

All the information below can be found in this Help Article. 

 

---------------------------------

 

*March 8, 2021 Update*

To protect our customers from SIM swap fraud, we have temporarily disabled all online SIM swaps through Self-serve. To change your SIM card, please submit a ticket here

 

Customer safety and security is our priority, and we are working on permanently securing the online SIM swap process. In the meantime, we recommend that you continue following the steps outlined below to protect against fraudulent activities.

 

-------------------------------

 

Hey Community,

 

We’ve noticed some cases of SIM swap fraud, and wanted to help our customers better understand what SIM swap fraud is, what to do if you’ve been targeted, and how to prevent it in the future. 

 

All the information below can be found in this Help Article. 

 

What is SIM swap fraud?

 

Efforts by fraudsters to gain unauthorized access to customer accounts with the goal of accessing banking information are on the rise. As part of our commitment to protect our customers’ personal information, we have robust security protocols in place that are designed to protect the privacy and security of our customers.

SIM swap fraud, or SIM jacking, is a type of fraud that occurs when fraudsters gain access to your Self Serve account, to replace your SIM card information with their own. After replacing your SIM card, all communications will be redirected to the fraudster’s device. They will then be able to intercept recovery SMS/calls, and gain access to your personal banking, ecommerce, email and social media accounts. 

 

How does SIM swap fraud happen? 

 

Fraudsters can obtain customer Self Serve account credentials through malware, phishing attempts or data breaches on websites where login credentials are the same as your Self Serve account. 

 

What do I do if I’ve been targeted by SIM swap fraud?

 

If you have been targeted by SIM swap fraud, we recommend you take the following actions to secure your account:

  • Change your Self-Serve account password and security question immediately to lock the fraudster out of your account

 

  • Put your phone into Lost/Stolen mode to suspend the fraudster’s service. To do this, follow the steps below:
    • Log in to your Self-Serve account
    • Go to Plans and Add-Ons, then select “lost/stolen phone”
    • Select “suspend service”

 


 

 

  • Then, submit a ticket here - our Moderator team will be able to restore your original SIM card. 
  • We also recommend contacting your financial institutions to ensure your banking and credit card accounts have not been accessed, and checking your social media accounts for any suspicious activity. Make sure you change your passwords to these accounts immediately. 
  • You may also want to report the fraud to your local police and the Canadian Anti-Fraud Centre at 1-888-495-8501, as well as contact the two national credit bureaus to request a copy of your credit reports and place a fraud warning on your file (Equifax Canada Toll free: 1-800-465-7166 and TransUnion Canada Toll free: 1-877-525-3823).

 

How to protect against SIM swap fraud? 

 

Given the increase the telecommunications industry has seen in fraudulent activity like SIM swaps and unauthorized porting, we recommend that Canadians take the following steps to protect themselves:

  1. Protect your information: limit the amount of personal information about you online; fraudsters can use this information to verify your identity when attempting to swap your SIM. Be careful to not click on phishing emails (and texts) that ask you to provide and/or validate private information. 
  2. Guard your phone number: don’t add your phone number to any online accounts where it is not necessary. The fewer accounts you have associated with your number, the lesser your risk.
  3. Use strong and unique passwords for each of your accounts: using the same password across multiple accounts is a hacker’s jackpot. When you use the same password across different accounts, remember that once they successfully hack one account, they’ve hacked them all.  We also recommend that you change your passwords, including your Self-Serve password regularly.
  4. Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

 

While Public Mobile is actively working on ways to help keep our customers safe, please make sure to stay vigilant, and be aware of any suspicious activity. 

 

- The Public Mobile Team
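
The July 14 update above describes a verification code that must be confirmed before a SIM change completes. One way such a gate can be built, as an added example that is not Public Mobile's code: the class name, the 10-minute code lifetime, the five-attempt cap and the account and SIM identifiers are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed: a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed per request


class SimChangeGate:
    """Holds a requested SIM change until a one-time code is verified."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # key for the stored code digests
        self._pending = {}                   # account_id -> pending request

    def _digest(self, account_id, new_sim, code):
        # Bind the code to the account AND the requested SIM, so a code
        # issued for one request cannot approve a different SIM.
        msg = f"{account_id}|{new_sim}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_change(self, account_id, new_sim):
        """Open a request and return the code to deliver by SMS or email."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random
        self._pending[account_id] = {
            "digest": self._digest(account_id, new_sim, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def confirm_change(self, account_id, new_sim, code):
        """Return True only for the right code, in time, for the same SIM."""
        req = self._pending.get(account_id)
        if req is None:
            return False
        if self._clock() > req["expires"]:
            del self._pending[account_id]
            return False
        req["attempts"] += 1
        candidate = self._digest(account_id, new_sim, code)
        ok = hmac.compare_digest(req["digest"], candidate)  # constant time
        if ok or req["attempts"] >= MAX_ATTEMPTS:
            # Single use on success; on too many misses the request is
            # dropped, so a six-digit code cannot be brute-forced.
            del self._pending[account_id]
        return ok


if __name__ == "__main__":
    gate = SimChangeGate()
    # Constructed identifiers, for illustration only.
    code = gate.request_change("acct-1", "SIM-NEW")
    print("other SIM  :", gate.confirm_change("acct-1", "SIM-OTHER", code))
    print("right SIM  :", gate.confirm_change("acct-1", "SIM-NEW", code))
    print("code reused:", gate.confirm_change("acct-1", "SIM-NEW", code))
```

The gate only helps if the code is delivered to a channel the account password alone does not unlock, which is why the email or phone receiving it needs its own unique password.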

 

197 REPLIES

Camera4617
Town Hero / Héro de la Ville

@darlicious wrote:

@Camera4617 

The reasoning behind changing passwords on your accounts is mainly that many people use the same email and the same password for multiple accounts so once access is gained to one it is to many. Also once a fraudster has access to your phone they can quickly gain access to multiple accounts thru 2FA. If you change your email password and thwart that access by locking down your self serve account at the same time then by methodically changing your passwords across all accounts you have safely resecured yourself as long as you don't use only one password. It's a better safe than sorry scenario.


@darlicious 

Sure but even though using the same password for all would really not be a smart thing to do, when they say 'change passwords' they don't say 'use unique passwords' for your logins. Also, where is 'the first password' that they get? PM? If they know that one, what is the point of SIM Swap? If it is not, generally you cannot 'recover' (to find out what it is) your existing password in other accounts, you could mostly 'reset' it by using SMS and in that case they still don't know what your password was to use for other accounts. And if they can gain by 'resetting', then password change doesn't make any difference..

Anyway, I think it is a phrase that somebody thought of and everyone is repeating. I'm really careful about online security as I'm in IT field. 

 

Few things that you should do to protect yourself:

- Never use the same password for 2 logins

- Use long and mixed password (lower case, upper case, number, symbol)

- Use 'Password Manager' to remember and store all your passwords. There are many 'free' options and they are way more secure and easier to use. I could talk for hours about Password Managers. 

- Change your most important passwords once/twice a year (this is where Password Manager comes handy)

- Create and use 'secure email' (email that nobody knows about, that you use ONLY for most important logins to you) as username or recovery option

- Never click on anything suspicious in emails (that's most used way to get somebody's password)

@Camera4617 

The reasoning behind changing passwords on your accounts is mainly that many people use the same email and the same password for multiple accounts so once access is gained to one it is to many. Also once a fraudster has access to your phone they can quickly gain access to multiple accounts thru 2FA. If you change your email password and thwart that access by locking down your self serve account at the same time then by methodically changing your passwords across all accounts you have safely resecured yourself as long as you don't use only one password. It's a better safe than sorry scenario.

@RonC 

Simon confounds me too.....type in "change sim card" in the subject line and send a private message following these instructions....and leave a detailed message explaining your issue and the info to verify your account by including the following information:

 

  1. Full name and address on account.
  2. Email, phone # and pin #.

 

 If you cannot remember your pin # include at least three of the following:

  1. Date of birth
  2. Last payment, date, amount, type and last 4 digits.
  3. Alternate phone number if any.
  4. Security question and answer.
  5. Plan amount, any add ons or promos on account.
  6. Last 4 digits of sim card.
  7. Any rewards in your account.
  8. Autopay y/n?

 The average wait time is 2 to 4 hours but be prepared to wait up to 48 hours for non urgent issues. Wait times seem to have improved as I waited 10 whole minutes the other day but under an hour is a reasonable expectation.

 

Keep an eye on your private message box (the envelope icon) next to your avatar at the top right corner of your screen for a little bubble to pop up indicating a message from the moderators. Responding promptly will speed up service times.

 

To send a private message to the moderators click below:

https://productioncommunity.publicmobile.ca/t5/notes/composepage/note-to-user-id/22437

RonC
Great Neighbour / Super Voisin

Ticket sent 28 hours ago. Tried to send one the day before but autofill put my email rather than username and I couldn't / didn't understand why ticket would not go through.

RosieR
Mayor / Maire

@RonC wrote:

How long does it take to restore or change my SIM card. I’ve had no service for 3 days. Ticket has been submitted 


Hi @RonC only the moderators can change your sim card.  

 

Two ways to contact the moderators:

  • Slower way – Send a private message to the Moderators_Team here.  You have to be logged in to your Community account for the link to work. 

 

It may take up to 48 hrs (hopefully less) to receive a reply from the moderators.  Keep checking the envelope icon on top right for a number to pop up. That would be the moderator’s reply. 

 

dlambro
Model Citizen / Citoyen Modèle

@RonC Hi, when did you submit the ticket?  3 days ago when your service ceased, or today? Want to get some perspective as to how long you have been waiting to get the SIM card changed. Let us know.

RonC
Great Neighbour / Super Voisin

How long does it take to restore or change my SIM card. I’ve had no service for 3 days. Ticket has been submitted 

Camera4617
Town Hero / Héro de la Ville

I've seen this posted so many times when 'SIM Swap' is suspected or has happened but I'm not understanding why you would need to do this:

 

"Update ALL of your passwords used for online access to banking, bell.ca, social media sites, etc."

 

Why would you need to change passwords in this case? Anyone has some logical explanation?

Teslas
Good Citizen / Bon Citoyen

Great news, thank you Public for taking steps towards strengthening sim swap security!

@chreds 

I'm so glad you did.....you should check out CCS and the next time they drop the pm sim price to $2.99 or sometimes as low as $1.99 buy a couple. They ship in about a week via canada post.

 

https://canadiancellsupplies.com/

chreds
Good Citizen / Bon Citoyen

@darlicious thanks. Yes, I tried a new session in an alternate browser (Firefox) and had the same issue.

 

My plan was to go to London Drugs and buy another SIM if the mods were not quick to respond. But then I saw that my PayPal password had been changed so it was damage control as first priority.

 

Still feeling the effects of adrenaline for 2 hours straight yesterday trying to get everything sorted out as quickly as possible.

@chreds 

Thanks for your post....generally if you get error messages in your account ( and if you intend to make any kind of change in your account pay, update credit card etc...) clear your browser, use secret/incognito mode in firefox, chrome or safari......

 

Only moderators can return the original sim card number to your account but if you keep an extra unused sim card on hand you can return your service to your phone in a minute or two.....

 

Half of all threads reporting sim swapping mention it started with pay pal.....there is a huge vulnerability with their account security and how easily your accounts, emails, passwords and phone numbers get linked thru that one site alone.

Camera4617
Town Hero / Héro de la Ville

So finally Public Mobile is doing something about 'Sim Swap Fraud'.. Nice to see it, but also concerned how often that had happened that this had to be addressed. 

Interesting to see what solution will be, or this is it (remove option). 

chreds
Good Citizen / Bon Citoyen

I just went through this yesterday. A few thoughts:

 

1. If SIM card swap is allowed via self-serve, maybe verify with email confirmation first before it goes through?

2. It took me ~40 minutes to get verified with the mods because a call I had made hadn't gone through but was showing up in my call history on my phone but not on their side, so verification questions were delayed. The hijacker would have had access to most of the verification questions just with access to the online account, maybe there's a better way to do this so that the hijacker would be cut off right away from causing more harm?

3. The new stickied post about SIM card swap was VERY helpful. Helped me get a ticket created quicker than otherwise I would have.

4. The Plan & Addons page kept giving me an "Uh oh" so I couldn't actually go and lock down my SIM card on my own.

5. If you are impacted by this, make sure you check your text usage history online and see which short codes you received messages from. I was able to tell that they gained access to my PayPal by searching for the short codes "from" numbers online.

6. Why not let a user swap back to old SIM card easily if the change has been made in the past day or so?

 

Anyways. Well handled by Public support team. Was glad they were available on the weekend to help. Glad to see online access for SIM swaps has been removed for now too.

rhbcc
Great Citizen / Super Citoyen

Thanks for shedding light on this. Hopefully this will make people realize that they still need to routinely change or toughen up their online passwords especially during the pandemic where there's a LOT of online fraud.


@felix1 wrote:

Fell victim to this last night. Fortunately I got it all figured out. Thank you Moderators!

Admittedly my Public login password was weak. I did not think hackers would gain anything from using this account but now I know they could do a lot of damage.


@felix1 Thanks for coming here and letting everyone know your experience. I think it's important to note that your account or mine may not provide hackers what they are looking for once they are in but it is a massive headache and I would think a physiological hit to go through this. Once they realize there is nothing to be gained they may well move on, leaving the affected parties to pick up the pieces.

felix1
Great Neighbour / Super Voisin

Fell victim to this last night. Fortunately I got it all figured out. Thank you Moderators!

Admittedly my Public login password was weak. I did not think hackers would gain anything from using this account but now I know they could do a lot of damage.

msadams2000
Great Neighbour / Super Voisin

Thank you for posting this information, although I hope I never need to use it.

@a123chris 

Great job not only on the post but figuring out what was going on and leaping into action to protect yourself from further financial damage. Paranoia can be a good thing....it saved me when I had my purse ( and all my id and cards) stolen. Extra verification questions saved me from the initial attempts to break into my accounts and gradual increased account security as they escalated their attempts to steal my identity and finances.

 

I had also initially suspended my online banking but was able to safely restore it after the changing log in from my bank card number to a username. But I have permanently disabled telephone banking after the fraudsters were able to convince CSR to help them gain access to my credit card rewards. I removed 2FA ( the bank had enabled w/o informing me) and require any changes to be made regarding my accounts to be done in person with 2 pieces of id.....it can be a pain occasionally to have to traipse to the bank for a simple matter like changing a banking fee but peace of mind is priceless!!

 

Putting a 7 year fraud alert (free of charge)on my credit file with transunion and equifax immediately after the theft was my other saving grace.....there were 27 attempts to obtain credit in my name, Every major credit card from almost every retailer....Amex to Walmart and new device contracts from Bell and Rogers. The fraud alert is free and requires the creditor to call you on a phone number you supply ( preferably not your cell number....landline, work phone, your spouse's, your mom's etc....) before they move forward on approval.

 

Paranoia had also pre-emptively installed verbal passwords on my non-bank credit cards so access was denied when the fraudsters attempted to access those accounts. Nearly every simjacking reported here has been linked to paypal account access. Closely review your paypal account security. If you haven't already create a pm specific email and have the moderators change the email to the new one in your account.

Teslas
Good Citizen / Bon Citoyen

Public:

Please enable better Multi Factor Authentication protection of our cell phone accounts to prevent sim swaps for any customers who would want increased security. 

1) FIDO U2F security key - BEST

https://fidoalliance.org/showcase/fido-u2f-security-key/

2) TOTP Authenticator like Google Authenticator 

https://www.onelogin.com/learn/otp-totp-hotp

 

These are commonplace and in addition to strong/unique passwords. As @a123chris has posted & experienced, cell carrier security weakness can be customers' achilles heel. With these security functions enabled, you can help weld this door shut against attackers

 

Thank you!

 

P.S. as community Mod and liaison for your friendly & loyal Public community, could you kindly escalate this to Public/Telus' most senior executives in your Risk / Product / Privacy departments & CEO/Board on our behalf as a serious risk to your brand, liability & customers if no action is taken while your company is aware of it? 

 

P.P.S. with these MFA security measures in place, it would put Public/Telus ahead of its competition who I believe are still slow to implement these security measures. This would be a feature and added reason for customers to choose Public/Telus...  

a123chris
Great Neighbour / Super Voisin

Okay thanks for letting me know. I'll remove that bit as it is a bit egocentric.

Anonymous
Not applicable

 @a123chris : This had grown as a problem and posted here on multiple occasions and helped and guided by the fellow customers here well before this post was made by the company. Good for you to figure it out on your own though.

a123chris
Great Neighbour / Super Voisin

I was a victim of this precisely two weeks ago. Managed to figure out what happened all on my own as I noticed that my SIM card on file was no longer mine. To be honest it was very scary, and I live alone so I had no idea how to stop it because I didn't know how to call anyone. This post wasn't up when it happened to me so I had to kinda problem solve on my own. For all I know, my incident could have been the reason for this bulletin. 

 

My advice to everyone. If you are ever the victim of this, follow the instructions given. Change your PM password, email password(s), banking, everything

 

If you have no means to get another phone. Install a platform such as Skype and call all your banking institutions and shut everything down. If you do online banking, see if you recognize some pending transactions you didn't do and call those institutions first. Pretty much all of these credit card or banking numbers are toll free so you can call on Skype for free.

 

Additionally sign up for Equifax/Transunion Credit Alerts (it's free). If you are paranoid like me, maybe consider subscribing to one of these paid services for a little while.

 

Document everything.... like when you found out, what you did, when you did it. Log the entire process. It's easy to forget but doing so could save you in the worst case scenario. It helps support that you are not negligent due to your proactive approach, in case something really really bad happens and perhaps an institution is wanting to dispute it with you.

 

Report it!

 

Edit: I also wanted to add a bit more to describe what I have done to protect myself in the future. These are suggestions, take them as you wish.

 

If you haven't been a target. Act now because this is very serious. With your cell phone number, someone could do some serious financial destruction. I can't stress this enough, TOTP anything you can or get a Yubikey for example (if I can't name brands here please let me know or remove it on my behalf.. but just don't delete my entire post please.)

 

For example, the person tried to get into my coinbase account. They got in but couldn't do anything because I had TOTP. That would have been unrecoverable loss. On the other hand I had TOTP and telephone verification with Paypal and whoever it was bypassed my TOTP with phone verification and racked up a bunch of purchases. Therefore like in the original post, remove your phone as verification wherever possible.

 

I suggest you start using a password manager and start generating really strong and unique passwords for all websites, don't rely on your browser saving the passwords. There are paid ones but that is not for me. I ended up getting KeePassXC because it is free, open source, has good browser integration, and works with Yubikey. Hence why I mentioned that product. However you might not like that it is local, but if you use something such as OneDrive then it's not a problem. 

 

One more thing. Oana is a moderator here and she saved me. I just wanted to say thank you one more time for all that you have done.

homer
Model Citizen / Citoyen Modèle

Thanks for sharing. This is very valuable 

 

mpcdesign
Mayor / Maire

@Catherine_T , does Public Mobile or will Public Mobile be setting up 2FA for accessing Public Mobile accounts anytime soon? This would be a welcome benefit I would think. A pain for others who use the community everyday.

  1. Set up authentication methods that aren’t text based: often, online accounts will require you to set up two-factor-authentication (2FA) for added protection; with 2FA, you need to authenticate yourself with something in addition to your username and password, such as a code that is sent to your device by text. With SIM swap fraud on the rise, you may want to use something other than your phone number for 2FA like an authenticator app or security key.

mh1983
Deputy Mayor / Adjoint au Maire

@stevenanto wrote:

@Candie82 Yeah those are good but annoying to have many different passwords on so many accounts that you might own. I believe that if you have a password that is complicated enough it will be hard to get hacked. 

 

Use a long one, over 10 characters 

use numbers in it more than one

use symbols, more than one

use capitals, more than one

spread these out through your password. 

 

The only password that I’ve gotten hacked on is my work password, their firewall and system is horrible. Everyone gets hacked and we get those scam emails all the time. This is a company that has over 4K employees. So now every three months we are forced to change our password upon logging into the system. That is the only password that is different from the rest of my other ones. 


That's why a password generator was recommended. It generates pwds that are difficult to guess and you only have to keep track of a master password.

stevenanto
Model Citizen / Citoyen Modèle

@Candie82 Yeah those are good but annoying to have many different passwords on so many accounts that you might own. I believe that if you have a password that is complicated enough it will be hard to get hacked. 

 

Use a long one, over 10 characters 

use numbers in it more than one

use symbols, more than one

use capitals, more than one

spread these out through your password. 

 

The only password that I’ve gotten hacked on is my work password, their firewall and system is horrible. Everyone gets hacked and we get those scam emails all the time. This is a company that has over 4K employees. So now every three months we are forced to change our password upon logging into the system. That is the only password that is different from the rest of my other ones. 

Candie82
Great Neighbour / Super Voisin

Customers need to consider regularly changing their passwords 

 

try using password generators and keep records of new and old passwords 

gitdatako
Great Neighbour / Super Voisin

There's a lot of posts... so I didn't read through it all.

 

When will public mobile get two factor authentication to help us protect our accounts?

 

This post has some good information, but it does not help us prevent. Being proactive and setting up good security is much better than being reactive when us users get screwed over.

 

My Self-Serve login password is different from every other password I use. I avoid using the same to lower my risk of being compromised; however, recently, there was a PM outage and it scared the daylights out of me because I thought someone had sim jacked me. Logging into here and waiting for a mod to respond caused me some anxiety. What if the fraudster took over some of my other accounts while I've been waiting??

 

PM needs to take action now. How hard is it to send an email to my account to verify my login OR even setup a PIN before allowing SIM swaps?

 

C'mon PM. I love it here, but sometimes it worries me here.
