
Does this Koodo issue affect PM customers too?

LurganIeUk
Mayor / Maire

Dear,
We recently detected a security incident impacting your account information.
What happened:
On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised.
What we are doing:
We acted quickly to prevent further unauthorized access. Some customers could have been at risk of unauthorized number porting, where a fraudster could use the compromised information to gain control of a customer’s phone number by moving it to another carrier. This would mean that the fraudster would receive your calls and texts. To prevent this, we have applied port protection on your account. Port protection is a feature that prevents the porting of your number to another carrier unless you call us first. If you’d like to have this feature removed, please contact us.
We have found evidence that the unauthorized third party is offering the information for sale online. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter.
What you can do:
As always, be diligent in monitoring your online accounts and email for any suspicious activity. Ensure that you do not reuse the same login credentials across different accounts, and use passwords that are difficult to guess. We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes.
If you have any questions, please contact us at 1 866 995 6636, Monday - Sunday, 9:00 a.m. - 10:00 p.m. ET.
At Koodo, we believe customer privacy is of the utmost importance. We are taking this matter very seriously. We remain committed to protecting your privacy. We sincerely regret any inconvenience or concern this may cause and look forward to continuing to serve you in the future.

Sincerely,

Jim Senko
President, Mobility Solutions

15 REPLIES 15


@darlicious wrote:

      As I understand it, suspending your account, as @kselmak mentioned, would be the way to go as far as an immediate response, as to the best of my knowledge a suspended account cannot be ported, but if your account has been hacked that would make little difference. I think having the option of port protection as described by Koodo would be the best option at the moment as it's completely voluntary, so you would have control over how much porting security you want on your account.

Correct, absolutely 

 

     Making a subtle or not so subtle change to your name on your account as suggested by @will13am also adds another layer of security but a strong password is ultimately the greatest security you personally can implement on your account.

But if you change your name or enter a different name if your account was hacked would that not be found and is the name on your account not supposed to match the name on credit or debit card?

 

       I believe the current text message method being used by most mobile providers is probably the only method they can use under the current WCC regulations due to the fact that they require easy and unfettered access to number porting for Canadian customers. The intention of the code was good at the time but as fraudsters have been able to exploit this addition to the code and the WCC has recognized this and in the next round of talks there will be a consensus among mobile providers and feedback from the general public that will change the ease of access in the code to ensure porting protection while allowing consumers the freedom to port their numbers.

Since PM is kind of unique with self service and immediate and fast contact is not available they should have a better developed process vs the norm. 

 

Also I signed up to PM and based on what I read here beforehand I left my other prepaid plan in a funded condition, took a PM number, and ported a week later. Did I get a text from my previous provider, did I know to expect anything from the previous provider, and did I insert my previous provider's SIM into my phone? NO!

Another flaw in the porting process. A lot of assumptions of responding to texts or a call to more than likely being answered on a mobile phone vs a land line just doesn’t happen. 


 


@kselmak wrote:

@will13am wrote:

@Dunkman wrote:

 

Here is public mobile response for porting scams. Hopefully it will improve security in the future. 

https://www.publicmobile.ca/en/bc/get-help/articles/port-fraud-protection

 


Since moderator team response times are much longer than it takes to complete a port, there is little consolation if we need moderator team assistance to intervene.  It would be nice if we can somehow go into the account and put a block on the transfer, maybe using the lost phone feature or something to suspend the account from active status.  At the end of the day convenience is the biggest exploit for those out to do nefarious activities.  As customers, we asked for convenience in number porting.  



As I understand suspend is way to go. This is the first thing I would do if I ever received the SMS that there was a port request, and then contact the moderators via chat and not remove the suspension until I have positive confirmation that port is cancelled.

Unfortunately you can't use your phone during that process. So port lock would be great

So if you want convenience keep it off at your own risk and if you don't mind waiting longer for the port keep it on.

Alternative number with a VoIP provider is a great option in either case, as during the port, though you can't be reached, your data should be working so impact would really be minimal.


Just to be the devil's advocate @kselmak and @will13am, the comment is based on being on top of your texts, which has been mentioned here that a number of clients would not be, and keep in mind your account may have been hacked.

 

The unauthorized port needs some more thought by:

PM. There needs to be more of a confirmation than an unanswered text.

If an account has been hacked and password changed, does PM email AND text the customer of the change?

If a port has been requested, an update to authorize it within your account is not a good idea.

Some type of a confirmation  needs to be put into place. 

Some credit unions have some great ideas along with VoIP.ms. With VoIP.ms they email me a code before I can complete my sign in etc etc

 

We the users need to make very long and unpublished passwords for our accounts, and PIN numbers somewhat unrelated to our account number or phone number.

Anything else?

      As I understand it, suspending your account, as @kselmak mentioned, would be the way to go as far as an immediate response, as to the best of my knowledge a suspended account cannot be ported, but if your account has been hacked that would make little difference. I think having the option of port protection as described by Koodo would be the best option at the moment as it's completely voluntary, so you would have control over how much porting security you want on your account.

     Making a subtle or not so subtle change to your name on your account as suggested by @will13am also adds another layer of security but a strong password is ultimately the greatest security you personally can implement on your account.

       I believe the current text message method being used by most mobile providers is probably the only method they can use under the current WCC regulations due to the fact that they require easy and unfettered access to number porting for Canadian customers. The intention of the code was good at the time but as fraudsters have been able to exploit this addition to the code and the WCC has recognized this and in the next round of talks there will be a consensus among mobile providers and feedback from the general public that will change the ease of access in the code to ensure porting protection while allowing consumers the freedom to port their numbers.

mpcdesign
Mayor / Maire

@LurganIeUk, I am always leery of clicking on weblinks, confirming or calling a company for such an issue as the one that you posted. If my phone number was indeed compromised and ported over, the first thing I am doing is messaging the moderators first.

 

How do you know that text or email is not a spoof email or a scam email? Anyone can sign off as the President of Mobility Solutions. For example, I received an email from Apple that my account got hacked and I need to get in touch asap. I looked at the email, and everything was in order. Even the email address looked good. Except, the logo was squished. Gotcha. Trash.

 

Or a text message received last week, stating my Google Pay was compromised and that I needed to click on this weblink. Funny thing is, I don't have Google Pay!

 

Or worse yet, I received a text yesterday from Google stating that an unauthorized computer accessed my account by text, and for me to confirm this. I did click on the link, but it asked for my Google account username and password. And since I was already logged in, I could not remember it to enter it. So, I went into my MacBook and went the back-door way to see the activity, and there was no activity as mentioned. I am so glad that I didn't enter my username or password.

 

Although the post that you posted does sound legitimate, I probably would ignore it, and send a message asking the moderator about it first versus calling the number, clicking on a web link or whatever!


@kselmak wrote:

@LurganIeUk 

I agree with you

I've seen people with 30+ unread messages. It really should be the other way around: if you are porting please confirm so we can proceed. Those who are porting are really ready to click one more button. Those who are in bed and have their phone in airplane mode are probably not.


I believe it is like a "negative response" kind of. You sign up to get 1 free record from Columbia Records and if you don't take action to stop....they could continue to ship. Or years ago we had private garbage pick up. In one of their statements it said they would drop off a new garbage can (that they could pick up and dump in to truck remotely) and if you did not call them to say you did not want it, you got it delivered and a $5 a month rental fee.  Like, honestly who reads their garbage bill??? So the majority of people on our block left them on the road and called.....the company went broke shortly after.

 

So it is kind of like that...the way PM has set it up. One feeble unanswered text and you could be a victim. There has to be a better way to actually administer a good program that would protect us from unauthorized porting. They do have my home number and my email address. And as I type this, if someone stole my phone number, I have all land line calls forwarded to my mobile phone.....that would be fun as my CDR would list every number that called. And yes, of course I would have to deprogram that option. But as mentioned you should have a very strong password to your account and also keep your account number very close to your chest. But how loose is another carrier to initiate a port?

 

I never use my phone number for 2 factor. 

Yup got to agree with pretty much everybody in this thread - the cell providers all seem to have this whole thing backwards, i.e. we should ALL have to confirm that we want a port BEFORE they let it go ahead, NOT after it may already have happened.

 

I just saw a story about this very thing, tonight on the Global news, in which the person involved got the text from Rogers, to contact them a.s.a.p. if she DIDN'T initiate a port request, so she phoned the number, and was on hold for 50mins., and while on hold, her phone went dead, because the port went through in the middle of her trying to stop it. The dirtbag that ported her number got into her Paypal account, via 2FA, and racked up $4500 worth of debt!!! 🤬 

 

Yeah, @Tiana_V & @Alan_K, Public Mobile (and ALL providers) number porting NEEDS to have a confirmation system in place, not one where the owner of the number has to try to get the port stopped in the middle of it happening!!!

@LurganIeUk 

I agree with you

I've seen people with 30+ unread messages. It really should be the other way around: if you are porting please confirm so we can proceed. Those who are porting are really ready to click one more button. Those who are in bed and have their phone in airplane mode are probably not.

Lar
Model Citizen / Citoyen Modèle

@LurganIeUk   Absolutely agree with you after the PM text warning about a porting that "further action" should be necessary and NOT if we don't hear from you it's going ahead with the port.  I mentioned this in a discussion last week.

 

Come on PM, let's get ahead of the problem and not wait until people's lives are messed up by your lack of interest.  Let's close the barn door before the horse gets out, not after.

 

will13am
Oracle

The best protection against this kind of stuff is to secure the self serve account by using a strong password.  If someone gets into an account, there is nothing to stop any activity with that account.  Another thing is to secure the account number.  I see a lot of members post their account number in the public forum.  That is a big no-no.  One additional security measure that is easy to implement and I suggest members consider doing is to purposely enter a different name in the account than your actual name.  Misspell it or something.  Identity thieves can get official name and phone number from various sources like a recycle bin if papers are not shredded.  If the name in the self serve account is assigned an alias, number porting will be frustrated.  Again all bets are off if the self serve account is hacked.


@Dunkman wrote:

 

Here is public mobile response for porting scams. Hopefully it will improve security in the future. 

https://www.publicmobile.ca/en/bc/get-help/articles/port-fraud-protection

 


Neither my wife nor I have phones in a ready to attend upon a call or text. My wife has no idea to check for a text on a frequent or infrequent basis and I would fall into that category somewhat as well. This is no good for us or anybody when you think about it, as the unauthorized port WOULD happen. And what if your account was suspended? It should say......If you requested the transfer, FURTHER action IS required, please confirm your port request by tapping this URL. And repeated texts or emails should happen every 24 hours.


@will13am wrote:

@Dunkman wrote:

 

Here is public mobile response for porting scams. Hopefully it will improve security in the future. 

https://www.publicmobile.ca/en/bc/get-help/articles/port-fraud-protection

 


Since moderator team response times are much longer than it takes to complete a port, there is little consolation if we need moderator team assistance to intervene.  It would be nice if we can somehow go into the account and put a block on the transfer, maybe using the lost phone feature or something to suspend the account from active status.  At the end of the day convenience is the biggest exploit for those out to do nefarious activities.  As customers, we asked for convenience in number porting.  



As I understand suspend is way to go. This is the first thing I would do if I ever received the SMS that there was a port request, and then contact the moderators via chat and not remove the suspension until I have positive confirmation that port is cancelled.

Unfortunately you can't use your phone during that process. So port lock would be great

So if you want convenience keep it off at your own risk and if you don't mind waiting longer for the port keep it on.

Alternative number with a VoIP provider is a great option in either case, as during the port, though you can't be reached, your data should be working so impact would really be minimal.


@Dunkman wrote:

 

Here is public mobile response for porting scams. Hopefully it will improve security in the future. 

https://www.publicmobile.ca/en/bc/get-help/articles/port-fraud-protection

 


Since moderator team response times are much longer than it takes to complete a port, there is little consolation if we need moderator team assistance to intervene.  It would be nice if we can somehow go into the account and put a block on the transfer, maybe using the lost phone feature or something to suspend the account from active status.  At the end of the day convenience is the biggest exploit for those out to do nefarious activities.  As customers, we asked for convenience in number porting.  

 

Here is public mobile response for porting scams. Hopefully it will improve security in the future. 

https://www.publicmobile.ca/en/bc/get-help/articles/port-fraud-protection

 


@geopublic wrote:

Wow, thanks for posting. I wish all providers offered a Port Lock feature for this exact reason.

 

It has been mentioned that Koodo and PM share some backend systems but I think account management is separate. When I moved from Koodo to PM I was able to use the same email without any issues.

 

 


I believe Koodo prepaid and PM share it I believe. Postpaid customers probably have a bit different setup as the rules are different.

geopublic
Mayor / Maire

Wow, thanks for posting. I wish all providers offered a Port Lock feature for this exact reason.

 

It has been mentioned that Koodo and PM share some backend systems but I think account management is separate. When I moved from Koodo to PM I was able to use the same email without any issues.

 

 
