
Account Security of Public Mobile

Yazzie
Good Citizen / Bon Citoyen

There have been a number of high-profile cyberheists involving the compromise of mobile account security in order to seize control of accounts that manage Bitcoin transactions. See Brian Krebs' article here for a good recap: https://krebsonsecurity.com/2017/08/is-your-mobile-carrier-your-weakest-link/

 

My question is what kind of procedures are in place with PM in order to prevent this and other attacks from succeeding? Does PM offer temporary call/SMS forwarding? Who can enable this? What procedures are in place to authenticate the user before this is activated?

 

These are some additional areas of concern for me:

 

Account Changes PIN:

  • There could be additional security added by requiring an additional PIN for major account changes in addition to the password for login.

Password Policy:

  • Currently, account passwords are limited to 17 characters. This is not long enough.

Password Reset:

  • Only one security question is asked in order to reset passwords. This should hopefully be more.

Change SIM Number:

  • The page offers the ability to change your SIM number from your account page. I didn't actually test this because I don't want to screw things up, but if that's all that is required, I would think it's a bit light on security.

Two-Factor for Account Sign-In

  • There's no option currently for two-factor authentication on the account sign in. It'd be nice if I could enable this given the value a phone number has today in securing additional accounts/services.

11 REPLIES 11

CCJacks
Great Neighbour / Super Voisin

Hi. I think the recent concern is that if you can change your SIM card via the Public Mobile sign-in, then by hacking your account a hacker could change the SIM card to their card and then they have access to your mobile number. At that point they begin to contact banks and other organizations that use your phone number (which the hacker now controls) as verifying your identity.

Wonder_why
Town Hero / Héro de la Ville

Nothing to worry about, it is not the bank account.

koimr1
Deputy Mayor / Adjoint au Maire

@TheOldVR wrote:

@will13am wrote:

I would imagine that hackers would have little interest in taking over someone's cell plan. This would be about the same as robbing a bank for their pens. The one bit of security that's built into the self serve portal is that email address change requires moderator help. This is useful for password reset.


 

Agreed @will13am... not sure how much someone could get out of accessing my PM account.

 

Just address info and a phone number as Payment info is masked?


Agree with both of you!

 

HOWEVER I would strongly suggest that one always use a different password for each site they login to. If someone were smart enough to hack into your PM account it would not be to take over your cell plan but to then use that login and password and try it at various banking sites, etc.

Michael77
Deputy Mayor / Adjoint au Maire
@Yazzie,

Definitely something to think about.

tzliu
Model Citizen / Citoyen Modèle

Agreed, most of us do not have crypto-currency that hackers would be interested in, but do be extra careful about your other accounts.  

 

If you have password recovery by phone set up for your various accounts (maybe not bank accounts), then someone who ports out of your number could easily get into your other accounts.  It is kind of scary. 

TheOldVR
Deputy Mayor / Adjoint au Maire

@will13am wrote:

I would imagine that hackers would have little interest in taking over someone's cell plan. This would be about the same as robbing a bank for their pens. The one bit of security that's built into the self serve portal is that email address change requires moderator help. This is useful for password reset.


 

Agreed @will13am... not sure how much someone could get out of accessing my PM account.

 

Just address info and a phone number as Payment info is masked?

@Yazzie For consideration by PM's tech team, post your idea here: https://productioncommunity.publicmobile.ca/t5/Public-Lab/idb-p/Public_Lab/tab/most-recent. They do not peruse the discussion page for ideas.


>>> ALERT: I am not a CSA. I am not a Customer Support Agent.

will13am
Oracle

I would imagine that hackers would have little interest in taking over someone's cell plan. This would be about the same as robbing a bank for their pens. The one bit of security that's built into the self serve portal is that email address change requires moderator help. This is useful for password reset.

Yazzie
Good Citizen / Bon Citoyen

Kaspersky, a Russian-domiciled company, is allegedly cooperating with the FSB (Russian intelligence) and the FBI has reportedly been advising companies against use of their products. They are basically the last people that I would want running code on my phone.

 

Regardless, my concerns are not with device security nor the security of their network, but with Public Mobile's account security. Basically, how can I prevent someone from seizing control of my phone number which I use for two-factor authentication with countless online accounts?  I've identified a number of ways in which Public Mobile could reduce the chance of such an occurrence.

xCameron94x
Mayor / Maire

 

My question is what kind of procedures are in place with PM in order to prevent this and other attacks from succeeding? Does PM offer temporary call/SMS forwarding? Who can enable this? What procedures are in place to authenticate the user before this is activated?

Yes, you should be able to activate that. It should be somewhere in your phone settings.

These are some additional areas of concern for me:

 

Account Changes PIN:

  • There could be additional security added by requiring an additional PIN for major account changes in addition to the password for login.

Password Policy:

  • Currently, account passwords are limited to 17 characters. This is not long enough.

Is 17 too short? Personally the longest password I have is about 12 characters. 

Password Reset:

  • Only one security question is asked in order to reset passwords. This should hopefully be more.

Change SIM Number:

  • The page offers the ability to change your SIM number from your account page. I didn't actually test this because I don't want to screw things up, but if that's all that is required, I would think it's a bit light on security.

Don't really see a big issue here.

 

Two-Factor for Account Sign-In

  • There's no option currently for two-factor authentication on the account sign in. It'd be nice if I could enable this given the value a phone number has today in securing additional accounts/services.

Some two-factor methods can easily be beaten as well.

 


And I don't think there has been any issue with mobile security in Canada for a while now. Someone else can correct me if I'm wrong. Yes, some security measures could be added. Keep in mind Kaspersky (one of the best virus detection software) is available on Android as well as PC/Mac. If you are that concerned you should buy a license from them.
