05-01-2020 07:47 AM - edited 01-05-2022 10:36 AM
I just called the self-serve Public Mobile number from another phone. It asked me to enter my phone number and I did, and it went straight to my account, and I was able to make a payment. It never asked for a PIN. Why is that? Is there a setting to make the PIN required while dialing from another device? I'm pretty sure when I first dialed *611 I set it so it doesn't require a PIN only on MY device. Anybody can just call that number and enter my phone # and they can do whatever they want.
I realized it requires a PIN for some account actions like buying an add-on, but not for the CC on file. This should be looked into as this is a security risk.
01-20-2022 02:24 AM
@computergeek541 wrote: Similar to this, the entire option to access the voicemail account without entering some type of password (even from the same phone) is a security risk. The way that the system always believes call display information to be true for making that determination isn't acceptable.
Interestingly, while recently playing with a cell phone from Bell, their voicemail access number 647-383-2355 appears to be ONLY reachable from the Bell Mobility network. If you try to call it from another carrier, it declares the number is not in service. This would be a pretty good defense against caller ID spoofing as well as "no ring" voicemail injection...
01-20-2022 02:19 AM - edited 01-20-2022 02:25 AM
@BearFBI wrote: This loophole has still not been fixed to this date. Seriously?
Public Mobile has at least changed 611 (or 855-4PUBLIC) so that you need to enter a PIN to make a payment from a pre-registered credit card. You can still enter anyone else's phone number to hear their current account balance and their next renewal date, though.
Also, by default Public Mobile voicemail doesn't require a PIN when "dialing from your own phone" -- in reality, this merely means their voicemail system only checks that the caller ID bears your own number. If the caller ID is forged using various methods, including VoIP providers or the Google Voice / Hangouts dialer, a hacker can access someone else's voicemail by sending their phone number as caller ID. This is the default, but you can configure it. The 611 gratuitous announcement of account balance and renewal date is not configurable by the user...
01-19-2022 11:56 PM - edited 01-20-2022 02:28 AM
@BearFBI wrote: This loophole has still not been fixed to this date. Seriously?
@J_PM Could PM look at this again and actually fix it? The original post explains the problem.
Similar to this, the entire option to access the voicemail account without entering some type of password (even from the same phone) is a security risk. The way that the system always believes call display information to be true for making that determination isn't acceptable.
Any fix for 611 shouldn't rely on call display either.
01-19-2022 11:50 PM
This loophole has still not been fixed to this date. Seriously?
@J_PM Could PM look at this again and actually fix it? The original post explains the problem.
11-19-2020 04:14 AM
I missed @Nezgar's post, and he does bring up a good point that I hadn't thought of that would solve the issue that we all do agree on... the ability to gain (while limited) unauthorized access to PM customers' accounts. Since we all have the ability to choose whether we want to enter a voicemail PIN# when we call from our own devices, there's no reason PM cannot do the same for basic access to our accounts through 611 or the 1-855 number. Then the customer can choose whether or not they want or need the extra step based on their own habits and preferences.
11-18-2020 08:20 PM
@darlicious wrote: The issue with access to the financial card on file had been fixed, as answered by Catherine earlier today. The question is whether any account access should be allowed without the PIN#. While I don't like the idea of anyone accessing my amount due or payment date, given the number of customers who don't know their PIN#, some basic account access needs to be available for the customers who only use phone service for account management.
I'm aware of this, and while I would say I would consider hearing the balance of another person to be minor, I also agree that this shouldn't be happening and does need to be corrected.
My response to @Nezgar was about how the voicemail system at Public Mobile isn't secure.
11-18-2020 06:17 PM
The issue with access to the financial card on file had been fixed, as answered by Catherine earlier today. The question is whether any account access should be allowed without the PIN#. While I don't like the idea of anyone accessing my amount due or payment date, given the number of customers who don't know their PIN#, some basic account access needs to be available for the customers who only use phone service for account management.
11-18-2020 05:53 PM
@Nezgar wrote:
@Jb456 wrote: Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.
How about ask for a PIN when calling from ANY number? It's trivial nowadays to spoof your caller ID on outgoing calls with various business phone systems, and hosted VoIP/PBX providers...
Also ensure your own personal voicemail is set to require a PIN when calling "from your own number" to protect against caller ID spoofing allowing someone to sail right into your mailbox.
By default, Public Mobile does not require a PIN to be entered if the system thinks that you are calling from the same phone number. Unfortunately, this means that anyone has full access, whether authorized or not. To my knowledge, this has still not been fixed.
11-18-2020 04:43 PM - edited 11-18-2020 04:47 PM
Hi @darlicious & @Anonymous
I do acknowledge that the scope of this is certainly not as urgent as some on here might be presenting it to be.
It is indeed personal information, though. It is information that is relatable to an identifiable individual. It's information which is not the same for everyone, and it's information which is particular to an individual.
The "data" does not have to be a specific identifier to an individual (i.e. name, DOB, SIN# etc) for it to be considered 'personal' to someone.
Balance and next payment/due date information is not typically information which is used to verify an individual. BUT, they could be. I'm sure we've all had calls to companies where, as part of their verification processes, they may ask what the "current balance is" or "normal due date". It's just another manner in which a company may verify you to enable access to make account updates or changes.
And because of that, it's more information they should be offering to anyone calling, without a simple layer of security, like the PIN#.
11-18-2020 02:40 PM
@darlicious wrote:
*Geez, what are the chances I agree with @Anonymous twice in one day?!! lol!
Well...once...it's the same topic 🙂
11-18-2020 02:13 PM - edited 11-18-2020 02:14 PM
Again, I agree with @Anonymous, but by definition of the law it is not a privacy breach as it is not personal data.
4 (1). Personal data are any information which are related to an identified or identifiable natural person. ... For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
*Geez, what are the chances I agree with @Anonymous twice in one day?!! lol!
11-18-2020 01:47 PM
@Jb456 : Like I said earlier...I'm with you on principle...not on urgency.
11-18-2020 01:34 PM - edited 11-18-2020 01:37 PM
@darlicious first, people should remember their PIN, simple as that. If they don't, do like everyone else and open a ticket for the moderators.
It really does not matter what info the VR system says it's still a breach of security.
If you look at it in another way (as all those scammers that do simjacks / unauthorized ports) think about the below for a bit. You have been on these forums long enough to know what I say below to be true.
First, and no offence to the moderators, some make mistakes, some contact the wrong people with info, but we are all human and make mistakes.
Then you have people on these forums that provide way too much personal information. You also have people posting screenshots that are viewable to the public with personal information. I know that part as a fact, as I had to message a few Oracles and say hey, your personal info is showing, you may want to remove it.
Then those same people that post personal info like a number, their full name, email & number, or a screenshot with something personal: you know for a fact that they likely do the same thing on other sites or that even their social media is not locked down tight.
Scammers then start accumulating all this information. With that info, now they know the person's full name, address, email addy and lots of other information about the person.
Now they just need to gain access to the PM account; they need a password reset, for example, so they can log in and complete the simjack.
At this point, what else can they use to convince a moderator that it is really them? Well, let's call 1-855-4PUBLIC and hear when the next payment due date is and how much is in the balance. That's how. It's fine if the mod wants to ask for the security question, because I probably can figure out the answer for that as well, since I have pretty much all the person's information now from social media, etc. Typically people use an answer that is easily found.
So you probably can convince a moderator to get what you need.
As I said, yes, I agree with you guys that ok, it's not much information given out. However, it is still a breach of security, and if used correctly, that little bit of info given without a PIN can be the last piece of protection from getting sim jacked.
Just saying!
11-18-2020 01:03 PM
I have to agree with @Anonymous... you're stuck overseas because of the pandemic and you only have phone access to renew your account and you don't remember your PIN #? What do you do with no access to your account to find out the date and amount you need to renew? I wouldn't be surprised if there's a mandate to maintain basic phone access to your account, especially if there's no call centre to access.
11-18-2020 01:01 PM
@Anonymous and again it's not the point. It's a breach of security simple as that. Regardless of what minimal info you can get.
11-18-2020 12:54 PM
@Jb456 wrote: Ya, what @Anonymous said. I just called 1-855-4PUBLIC from my USA number and was able to get into my PM account.
@Catherine_T Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.
Again @Jb456 : all you get is the balance and due date. You can redeem vouchers too. You need a PIN to do anything else. I don't get the urgency.
11-18-2020 12:50 PM - edited 11-18-2020 12:51 PM
@Jb456 wrote: Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.
How about ask for a PIN when calling from ANY number? It's trivial nowadays to spoof your caller ID on outgoing calls with various business phone systems, and hosted VoIP/PBX providers...
Also ensure your own personal voicemail is set to require a PIN when calling "from your own number" to protect against caller ID spoofing allowing someone to sail right into your mailbox.
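As an added example, not code from the thread or from Public Mobile's systems, here is a toy IVR authorization model in Python that contrasts the two policies Nezgar describes above (caller ID bypassing the PIN versus the PIN being required for every sensitive action no matter what number the call appears to come from). The `Ivr`, `Policy` and `Account` classes, the phone numbers, the PIN, the balance and the lockout threshold are all constructed for illustration.

```python
"""Toy model of an IVR/voicemail front end deciding whether a caller may act
on an account.  Constructed example; nothing here is Public Mobile's code.
The weak policy trusts caller ID (the default the thread complains about);
the hardened policy treats caller ID as an untrusted hint and always
requires the PIN for sensitive actions, locking out after repeated failures.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Actions the thread discusses: balance/renewal lookup, voucher redemption,
# charging the card on file, and voicemail access.
SENSITIVE_ACTIONS = {"hear_balance", "redeem_voucher", "charge_card", "voicemail"}
MAX_PIN_FAILURES = 3   # constructed threshold


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # PINs are short, so they are stored salted and stretched, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    pin_salt: bytes
    pin_hash: bytes
    balance: float
    failed_pins: int = 0
    locked: bool = False


@dataclass
class Policy:
    # Weak setting: a caller ID matching the account number skips the PIN.
    trust_caller_id: bool


class Ivr:
    def __init__(self, policy: Policy, accounts: Dict[str, Account]):
        self.policy = policy
        self.accounts = accounts

    def _verify_pin(self, acct: Account, pin: Optional[str]) -> bool:
        if acct.locked or pin is None:
            return False
        ok = hmac.compare_digest(_pin_hash(pin, acct.pin_salt), acct.pin_hash)
        if ok:
            acct.failed_pins = 0
        else:
            acct.failed_pins += 1
            if acct.failed_pins >= MAX_PIN_FAILURES:
                acct.locked = True   # stays locked until reset out of band
        return ok

    def authorize(self, caller_id: str, target_phone: str, action: str,
                  pin: Optional[str] = None) -> str:
        """Return 'allowed' or a denial reason for one IVR request.
        caller_id is whatever the signalling presented; the network cannot
        vouch for it, so the hardened policy never lets it replace the PIN."""
        acct = self.accounts.get(target_phone)
        if acct is None:
            return "denied: no such account"
        if action not in SENSITIVE_ACTIONS:
            return "allowed"   # e.g. hearing the menu
        if self.policy.trust_caller_id and caller_id == target_phone:
            return "allowed"   # weak path: a matching caller ID is enough
        if self._verify_pin(acct, pin):
            return "allowed"
        return "denied: locked" if acct.locked else "denied: PIN required"


def make_accounts() -> Dict[str, Account]:
    # Constructed subscriber: number 5550100, PIN 1234, $25 balance.
    salt = b"constructed-salt"
    return {"5550100": Account("5550100", salt, _pin_hash("1234", salt), 25.0)}


def run_demo() -> Dict[str, str]:
    results = {}
    # Weak policy: a call presenting the subscriber's own number needs no PIN.
    weak = Ivr(Policy(trust_caller_id=True), make_accounts())
    results["weak_matching_caller_id"] = weak.authorize("5550100", "5550100", "hear_balance")
    # Hardened policy: the same request is refused without the PIN...
    hard = Ivr(Policy(trust_caller_id=False), make_accounts())
    results["hard_matching_caller_id"] = hard.authorize("5550100", "5550100", "hear_balance")
    # ...while a legitimate caller from any number gets in with the PIN.
    results["hard_other_number_with_pin"] = hard.authorize("5550199", "5550100", "charge_card", pin="1234")
    # Repeated wrong PINs lock the account, so the PIN cannot be guessed over the phone.
    for _ in range(MAX_PIN_FAILURES):
        hard.authorize("5550199", "5550100", "charge_card", pin="0000")
    results["hard_after_lockout"] = hard.authorize("5550199", "5550100", "charge_card", pin="1234")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the single line in `authorize` that consults `trust_caller_id`: with it enabled, the only thing standing between a caller and the account is the number the call claims to come from, which the thread notes is not something the carrier can verify. The hardened branch also refuses to count a missing PIN as a failed attempt, so a subscriber who simply has not entered one yet is not locked out by the lockout rule meant for guessing.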
11-18-2020 12:47 PM - edited 11-18-2020 12:47 PM
Ya, what @Anonymous said. I just called 1-855-4PUBLIC from my USA number and was able to get into my PM account.
@Catherine_T Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.
11-18-2020 12:32 PM - edited 11-18-2020 12:33 PM
@Catherine_T wrote: Hi there,
Thank you for flagging this! This issue has been fixed as of August 27, 2020. If any further issues surface, please let us know.
Thanks,
Catherine
@Catherine_T : the current (and ongoing) concern here is that anybody can hear what anybody else's balance and due date is. It's great that you added the payment card PIN though.
11-18-2020 12:11 PM
Hi there,
Thank you for flagging this! This issue has been fixed as of August 27, 2020. If any further issues surface, please let us know.
Thanks,
Catherine
11-17-2020 10:21 PM - edited 11-18-2020 12:47 PM
Once the PIN # was added to secure that part of the account, the remaining access to the info and adding vouchers is the fine art of balancing the needs of the customer and privacy. For some, 611 or the 1-855 number is the only access they have... leaving the very basics to allow renewal or, more importantly, unsuspension before the cancellation of the account for those without 611 or access to their phones is paramount. Many customers have no idea what their PIN # is... this allows basic access.
11-17-2020 09:45 PM - edited 11-17-2020 09:47 PM
@Jb456 wrote: @Anonymous can you call hydro and ask for your neighbor's balance? Clearly not. Same should apply with PM.
I get the principle. I don't get the emergency.
This balance is a little different. It's not an amount reflecting what is owed.
Should I be able to know when the car plates expire? No. Oh but there it is in plain sight. Should deliveries be able to just drop off at the door (multi-family or house) without actually handing over? No. Oh but there's the name and address and possibly where the thing is from possibly indicating what it is. Maybe even a phone number. Should Dominos be able to have their sign on the delivery vehicles? Oh the Griswalds are having Dominoes tonight. etc.
11-17-2020 09:21 PM - edited 11-17-2020 09:23 PM
@Jb456, that is a good comparison. I believe those making actual policy decisions within Public Mobile just are not aware of this. I'm not sure advising the Moderators of concerns such as these necessarily involves notification to senior staff or privacy personnel.
@Anonymous, it is certainly your choice to be comfortable with such information being out there. Indeed, it may be considered minimal to most. BUT, you'd be surprised at how little information it takes for a person with bad intentions to gain further access to other people's accounts.
11-17-2020 09:06 PM
@Anonymous can you call hydro and ask for your neighbor's balance? Clearly not. Same should apply with PM.
11-17-2020 08:27 PM
I am not one of those that fall into the category of "what do I have to hide, so who cares". Of course that's reserved for the authorities, i.e. everything.
If someone knows my phone number and calls the toll free and hears my balance and date due...I don't care.
But that's just me.
Someone raised a stink a while ago about being able to charge the pre-registered payment card without a PIN. Yeah alright. Who needs their payment card drained by some nutbar ex (of any gender).
But balance and date? I fail to see how that impacts me. You can't do anything with it.
11-17-2020 08:20 PM - edited 11-17-2020 08:21 PM
Hi @esjliv .
This is, indeed, a questionable business practice, and a privacy issue.
The fact that ANYONE can use the toll-free automated service to find out anyone else's balance and next renewal/payment date is concerning.
I'm sure many will find it unsettling, but sadly, many also might not care less. It would seem that many people don't take their privacy of personal information as seriously as they perhaps should.
I will be curious to know if Public Mobile, and their Privacy Department, will address this.
11-17-2020 07:57 PM
Anyone like to offer up their phone number and I can do more testing? I don't think I tried all the options yet.
...Just kidding, of course.
11-17-2020 07:38 PM - edited 11-17-2020 07:40 PM
Point is, you should not be able to access the account without entering your PIN when calling from another number. I can't call a company to inquire about my girl's account until I answer their questions before getting info about the account, regardless of how minimal that info is. With PM you can do this.
Months ago I made a post about this and directed it to Tiana & Alan. The thread was completely deleted.
11-17-2020 07:34 PM
@Nezgar wrote: Last I reviewed this, anyone could add money to your balance from your registered credit card without a PIN, up to a max of $150. It's still in your account and will eventually get used to pay for your plan renewals, but that's a lot of money to be "held up".
It would be good if they closed that; anyone willing to test? I did open a ticket with the mods earlier this year regarding this but never heard back after they indicated they were looking into it.
It doesn't cost anything to try. It asks for the PIN as soon as you try to go in to using the payment card.
But the subject line adds some confusion. I haven't tried it yet from the 855 number. But I know it asks for the PIN in 611.
11-17-2020 07:21 PM
Last I reviewed this, anyone could add money to your balance from your registered credit card without a PIN, up to a max of $150. It's still in your account and will eventually get used to pay for your plan renewals, but that's a lot of money to be "held up".
It would be good if they closed that; anyone willing to test? I did open a ticket with the mods earlier this year regarding this but never heard back after they indicated they were looking into it.