@Jb456 : I'm with you now. HALIMACS made it make sense. I didn't twig to the confidentiality point of yours. I didn't put two and two together. Right. More information for social engineering. Got it. Bad.
Funny thing - I'm only 1/2 paying attention to this thread.
I'm thinking a solution to the varying level of security/authentication that different users expect should be user-based.
Give individual users the option to utilize differing levels of verification before certain transactions/changes can be made on self-serve or *611. So if a user wants PINs or text confirmation or e-mail confirmation or maybe a call to an alternate phone number for some mundane change vs something much more sensitive, then let the user decide how each account change/update is secured.
Thank you for finally addressing this very serious issue that (the regulars at least) we began to notice creep up as a problem on the community about a year ago. At that time it was once a month but as each month passed the frequency increased....every two weeks, once a week and now it's daily if not more......
We were concerned when it was once a month. At 365 or more per year this is reaching a pandemic stage and Public Mobile needs to address it from the top on down. It's time to plug the holes of privacy breaches, information leaks and step up moderator training and skills development to include updates to this kind of fraudulent activity. Adding a fraud button similar to reporting inappropriate behavior would help immensely as this elicits a moderator response almost immediately.
At least Public Mobile is willing to admit there is a problem, explain it to the uninformed and how to counteract both the fraud in progress and how to help prevent it from happening to the user. (I would be interested to see if it ever happens to a regular community member?!!) Allowing the free discussion of the simjacking issue among community members allows more users to become informed, brainstorm ideas on how to further protect our accounts and makes the PM community the main source for information on the subject in Canada.
I don't believe this type of simjacking is isolated to Public Mobile but unlike other providers who have buried any mention of the issue in their own help forums PM has (finally) acknowledged one of the industry's dirty little secrets. While social engineering plays a role in the access to our accounts how exactly access is made remains a bit of a mystery as there are only two ways in.....logging in with the username and password or thru the backend by PM employees. (Which as many have mentioned why the password isn't changed by the hacker themselves?)
Implementing additional security measures that don't require an overhaul of the system is paramount to having any additional measure occur sooner rather than later. Removing the SIM card change from our accounts or requiring in person verification creates a hassle for those needing a simple SIM card change (like the bf whose SIM card was changed/replaced 3 times last year) and can exacerbate an already desperate situation.
Putting optional extra security measures (like the SIM card change being PIN # protected) into the account to protect the safety measures already in place such as changes to the PIN #, security question and answer and password (by having verification questions) and utilizing the option of changing the username for login (to an actual username instead of your email) could easily make the account itself and the important features within become better protected.
Additionally a further verification/authorization method could be set up that permission for certain changes would be required thru only the linked community account of the user so that a hacker would also have to be able to access the community account to make self serve account changes. This would help prevent any back end access making changes without the member's knowledge.
@Catherine_T Please keep this pinned to the landing page so it's always front and centre for those experiencing a simjacking can locate it easily and quickly. Now if someone could tell me what happened to the thread on porting Telus/Koodo to PM requiring moderators that would be great?!!
@mimmo lol you're right, I just changed my password recently. Not sure why I thought there was an email verification process.
In that case, it's very interesting that they don't. 🤔
@gpixel4 @mimmo What I find even more interesting is they don't send an email saying "your password was recently changed". Along with providing direction if I did not change it. Virtually every if not all sites I deal with do this...
As previously mentioned - you could remove the option for SIM change.
You would need to go through the MODs, which could take some time.
-OR- You could set up Telus/Koodo stores to do a SIM change for a fee ($10? plus SIM card itself). That way ID could be verified in store. If Telus/Koodo/PM wants to take this seriously, or at least have the perception that they are taking it seriously, then this would be a step in that direction.
@z10user4 I made a post last year (around same time SIM swaps first started) that the 1855 # is a breach of confidentiality. I believe I tagged Tiana & Alan to that thread. Next day Public Mobile completely deleted the thread. That tells you something.
I have put in two separate tickets regarding this issue about concerns and plans to have this updated / changed.
At first, the Moderator I was dealing with did not seem to think it was a big deal. Then as I explained more how there are privacy issues here, and there seemed like a pretty simple fix to limit the open shared information.
I even joked about asking for the Moderator's phone number so I could take "tabs" on their balances/expires/statuses etc. just by calling this number. I was joking of course! But you get the idea...if someone knows your number people are creepy and who knows....
Anyways, it ended with the Moderator saying they would bring it up to "their" supervisors as Moderators do not change or update these particular systems/processes.
(the "first" areas customers are supposed to go to for help)....
@mimmo LOL, sorry, couldn't resist.