
My son's SIM has just been Hijacked!

mskrisc
Good Citizen / Bon Citoyen

I have an account as well as both of my kids. I pay for their accounts with my CC on file with Public. My son is a victim of SIM swapping due to PM’s lousy authentication!
He can’t even get into his email or Public account to fix this! I’m so mad! I’m pulling all 3 of our accounts from Public.
How do I get hold of someone ASAP? This is an emergency as the thief is having a heyday in my teen’s PayPal, bank and email.

16 REPLIES

somecana
Great Neighbour / Super Voisin

I have also experienced simjacking very similar to your situation. Usually they don't care about the sim or the number, they are really after bank accounts.

 

If the phone device never left your son's possession, my guess is that they were able to acquire his email credentials and self-serve credentials through malware or malicious website cookies.

 

If the hacker has already locked you out of your self-serve account, the first thing to do in this situation is to open a ticket and explain that your sim card has been changed without your consent and you are a victim of fraud. Be prepared to provide information such as, last payment date, amount, account number, etc. to verify your identity. After that, wait for their response, and they will lock your self-serve account. They can also restore your original sim card and your phone service will be back. Public Mobile's support team is helpful, but there is no immediate help, and this type of situation doesn't seem to be treated as an emergency. They also have a privacy department, but their service is also not urgent. You call them, and they will call back in a day or two. And they will also investigate your case.

 

Next (Or perhaps before contacting public mobile), you will need to call all your banks/credit card companies and ask them to freeze/lock all the accounts so that no one can move money. If the hackers have already done a few transactions, ask the bank to open disputes for those transactions and investigate. If this is the first time, banks are likely to refund your lost amounts.

 

Then you'd have to call the credit unions and report fraud. If they have also stolen your social insurance number, you'd need to call Service Canada.

 

As a preventive measure, everyone should use an email address for their public mobile account exclusively. Do not use that email for any other purposes.

 

Hope you got your money back! Stay safe!

 

That's one of the main reasons I don't use 2FA or any type of authenticator app. It's one of the worst "security" features that was ever made. Hackers love exploiting these. Switching companies is fine, but you guys need to keep a close eye on the other family members and their financials. Try and investigate how he was able to be compromised. It's important to know how it was done for one to be able to take the necessary steps to protect one's identity. Unfortunately, from now on, your son needs to be a ghost on the web. I'm not sure how persistent this fraudster will be. I would definitely limit the amount of personal info that is on those accounts. There's a good chance this person is going to try and go for friends and family next. Delete your phone numbers, birthdays and use a fake or nickname on social media etc. Keep a close eye on text messages and don't click on any links from unknown numbers, even if it's from a supposed reputable company.

 

this is for PM but if you register with another prepaid company you can follow these rules

 

create an email strictly for public mobile
change your name and address on your self serve account
don't use your personal email password for the pm website
don't use a password manager (Chrome, Safari, etc. browsers)
don't use your cellphone number as a 2fa for banks, PayPal etc

 

If one has a hard time remembering passwords and accounts then write it on a piece of paper and keep it filed or somewhere safe. Do not save it on your device or computer. One needs to limit personal info on technology as much as possible.


@darlicious wrote:

@mskrisc 

I'm sorry to hear that this has happened to your son's account. I hope you have also put your credit card on hold since it's registered on the account and while the entire credit card number is not revealed it would still be a good measure to ensure your card does not get compromised as well.

 

As far as how the fraudster has managed to perform a Sim swap within your son's account I would be contacting PayPal as that is the likely source that the fraudster began with by hacking the PayPal account to gain info and email access.

 

Before Sim swap security measures were put in place at public mobile many Sim swap frauds began with PayPal accounts being compromised. If your son used the same password across his accounts or just the same password with his email and his Paypal account then the fraudster hit the jackpot.

 

Through his Paypal account the fraudster was probably able to access both the phone number and the email. Then with a little bit of detective work they figured out it was a public mobile phone number. While I suspect it wasn't needed social media accounts often reveal way too much personal information to the world wide web.

 

Now unfortunately with the recent update to the new self-serve accounts public mobile actually reduced their security by introducing 2FA verification. Your son's account is the first Sim swap reported since the original security measures were put in place to prevent Sim swap fraud that were very effective.

 

When Public Mobile introduced 2FA verification in July they removed the previous security of password resets requiring a security question and answer. Not being able to answer this question correctly, or even know what the security question consisted of, prevented access to the account through a password reset.

 

Now all that is required is access to the phone number or email. Fraudsters will now be able to exploit this weakness with public mobile and access accounts to achieve the goal of a SIM swap. Public Mobile needs to reinstitute the security question and answer for password resets in addition to having 2FA verification.

 

Of course Public Mobile customers need to practice good online security which includes having different passwords for each of their online accounts and for additional security having a separate email address used solely for their Public Mobile account ensures that if any of their other online accounts are compromised it is unlikely to affect their public mobile self-serve account because the username/email would not be known.

 

I certainly hope you have contacted your son's financial institution's fraud department to disable online access to his bank account. You would also want to disable his telephone banking. You will also want to phone TransUnion and Equifax and put fraud alerts on his accounts so that no fraudulent credit accounts are created, which can range from postpaid phone accounts with expensive device subsidy contracts to credit cards to loans etc. A 7-year fraud alert with these credit reporting agencies will require that any attempt to acquire credit result in a phone call to the victim of fraud before credit is issued. This service is offered for free by these agencies.

 

Lots of security lapses all around but pm only has a small portion of it.

 

@J_PM 

When the new self-serve accounts were rolled out I mentioned that removing the security question and answer from password resets was exposing our self-serve accounts to a security risk. I strongly encourage Public Mobile to bring back the security question and answer for password resets. Additionally, for further security, giving customers the ability to change the email for login to a username would bolster our account's security if the customer wishes to do so. If it's good enough for my bank account's security, why isn't it good enough for my self-serve account?


SIM swap requires access to the associated email address and the login credentials for the Public Mobile account. This seems pretty secure to me. Some sites do not send 2FA to email addresses, but it is understandable why Public Mobile has allowed it because accounts can go inactive and need to be reactivated. I do agree that customers should be able to change email addresses without having to use support, which is not always timely.

mskrisc
Good Citizen / Bon Citoyen

Thank you! You’ve given us a direction to start. Definitely leaning to your suggestion of PayPal. His phone never left his possession. He’ll be at the bank when they open in 1/2 hr. 
I will definitely do my research when I make the switch, perhaps set up some things differently with no phone account email the same as bank. In times like this, self serve is so frustrating. He is a victim of fraud and we can’t even speak to someone. 
Time to move on to a place I can talk to an agent and protect my security immediately… not a day later 

Thank you again, you’ve been beyond helpful! Much appreciated 

darlicious
Mayor / Maire

@mskrisc 

Identifying where the original security breach occurred is important. If your son's phone has been in his possession then access to the Public Mobile account occurred through his email. So how did the fraudster gain access to his email?

 

You may also find that all other providers have similar 2FA verification, so switching providers does not guarantee that it couldn't happen again or that your accounts would be more secure. It's only that Public Mobile had more secure accounts before July 13th 2022. If you do decide to switch providers, do your research to ensure the new provider has additional security features over and above 2FA verification.

 

Keep in mind the same security features at your son's financial institution failed him as well. I have verification questions on my bank account and have no ability to receive 2FA verification to my phone number, nor do I have an email listed on my account. My phone number is not accessible on my online account and cannot be used to reset my password. I also have a username instead of my bank card number to log into my online banking.

 

Again how did the fraudster gain access to the email to reset the password for your son's Public Mobile self-serve account? And how did they gain access to his bank account to be able to reset its password? How did they get his login username or bank card info? Having access to the phone number is only one part of the puzzle?

 

At least your son's misfortune proves my point with public mobile and hopefully they will bring back the security question and answer for password resets so that this is the first and last time a Sim swap occurs under these conditions.

 

Review your son's financial institutions online banking security guarantee to see if they are liable for the security breach on their part.

mskrisc
Good Citizen / Bon Citoyen

Does it matter if email or phone was first? The point is… I was up until 3am jumping hoops to get his SIM back, yet the thief had it switched very easily with 2F and no security questions! Once they hijacked his SIM they were able to get into his bank account! He’s a 2nd yr University student and all his school savings are gone. Had PM been more diligent with security, this never would have happened!
You get what you pay for!

mskrisc
Good Citizen / Bon Citoyen

Thank you for this detailed response, it’s very helpful. Sadly now we find out his bank account has been drained. This was his University savings. He’s a second year student. We’re both heartbroken. Idk what the bank will do, this is a first for us both.
I also suggested to the PM agent helping me that PM needed more than 2F identification and they believe it’s sufficient.
We couldn’t even retrieve his email (Microsoft) without security questions. How can PM be so lax? They have completely destroyed him. I will be moving all 3 of our accounts from PM today!

softech
Oracle

@mskrisc   how do you know the issue was from the PM side?

 

Any chance your son's email account was first compromised and going downhill from there?  Or someone got physical access to his phone first and hence able to receive the 2FA code?

 

darlicious
Mayor / Maire

@mskrisc 

I'm sorry to hear that this has happened to your son's account. I hope you have also put your credit card on hold since it's registered on the account and while the entire credit card number is not revealed it would still be a good measure to ensure your card does not get compromised as well.

 

As far as how the fraudster has managed to perform a Sim swap within your son's account I would be contacting PayPal as that is the likely source that the fraudster began with by hacking the PayPal account to gain info and email access.

 

Before Sim swap security measures were put in place at public mobile many Sim swap frauds began with PayPal accounts being compromised. If your son used the same password across his accounts or just the same password with his email and his Paypal account then the fraudster hit the jackpot.

 

Through his Paypal account the fraudster was probably able to access both the phone number and the email. Then with a little bit of detective work they figured out it was a public mobile phone number. While I suspect it wasn't needed social media accounts often reveal way too much personal information to the world wide web.

 

Now unfortunately with the recent update to the new self-serve accounts public mobile actually reduced their security by introducing 2FA verification. Your son's account is the first Sim swap reported since the original security measures were put in place to prevent Sim swap fraud that were very effective.

 

When Public Mobile introduced 2FA verification in July they removed the previous security of password resets requiring a security question and answer. Not being able to answer this question correctly, or even know what the security question consisted of, prevented access to the account through a password reset.

 

Now all that is required is access to the phone number or email. Fraudsters will now be able to exploit this weakness with public mobile and access accounts to achieve the goal of a SIM swap. Public Mobile needs to reinstitute the security question and answer for password resets in addition to having 2FA verification.

 

Of course Public Mobile customers need to practice good online security which includes having different passwords for each of their online accounts and for additional security having a separate email address used solely for their Public Mobile account ensures that if any of their other online accounts are compromised it is unlikely to affect their public mobile self-serve account because the username/email would not be known.

 

I certainly hope you have contacted your son's financial institution's fraud department to disable online access to his bank account. You would also want to disable his telephone banking. You will also want to phone TransUnion and Equifax and put fraud alerts on his accounts so that no fraudulent credit accounts are created, which can range from postpaid phone accounts with expensive device subsidy contracts to credit cards to loans etc. A 7-year fraud alert with these credit reporting agencies will require that any attempt to acquire credit result in a phone call to the victim of fraud before credit is issued. This service is offered for free by these agencies.

 

Lots of security lapses all around but pm only has a small portion of it.

 

@J_PM 

When the new self-serve accounts were rolled out I mentioned that removing the security question and answer from password resets was exposing our self-serve accounts to a security risk. I strongly encourage Public Mobile to bring back the security question and answer for password resets. Additionally, for further security, giving customers the ability to change the email for login to a username would bolster our account's security if the customer wishes to do so. If it's good enough for my bank account's security, why isn't it good enough for my self-serve account?
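
The recovery chain described in the post above (email inbox, then self-serve password reset, then SIM swap, then SMS codes) can be checked against your own accounts with a small model. This is an added example, not part of any post in the thread; the account names, the reset rules and the bank's SMS-only reset are constructed assumptions, not Public Mobile's or any bank's actual configuration.

```python
# Added example: model of the account-recovery chain discussed in this thread.
# All account names and reset rules below are constructed assumptions.

# A reset path is a set of factors that must ALL be held; holding any ONE
# complete path is enough to reset (take over) the account.
AS_DESCRIBED = {
    "carrier_self_serve": [{"email_inbox"}, {"sms_to_number"}],
    "bank": [{"sms_to_number"}],              # assumed SMS-only reset
    "paypal": [{"email_inbox"}, {"sms_to_number"}],
}

# Controlling the carrier account allows a SIM swap, which redirects SMS codes.
GRANTS = {"carrier_self_serve": {"sms_to_number"}}


def takeover_closure(accounts, grants, foothold):
    """Return the accounts reachable from `foothold`, in the order they fall."""
    held = set(foothold)
    taken = []
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for name, paths in accounts.items():
            if name not in taken and any(path <= held for path in paths):
                taken.append(name)
                held |= grants.get(name, set())
                changed = True
    return taken


def with_carrier_paths(accounts, paths):
    """Copy the model, replacing only the carrier's reset paths."""
    variant = dict(accounts)
    variant["carrier_self_serve"] = paths
    return variant


# Variant 1: reset also needs a security answer (what the post asks for).
WITH_SECURITY_QUESTION = with_carrier_paths(AS_DESCRIBED, [
    {"email_inbox", "security_answer"},
    {"sms_to_number", "security_answer"},
])

# Variant 2: carrier login uses a dedicated inbox that nothing else uses.
WITH_DEDICATED_EMAIL = with_carrier_paths(AS_DESCRIBED, [
    {"carrier_only_inbox"}, {"sms_to_number"},
])

if __name__ == "__main__":
    start = {"email_inbox"}             # e.g. a reused password on the email
    for label, model in [("as described", AS_DESCRIBED),
                         ("security question", WITH_SECURITY_QUESTION),
                         ("dedicated email", WITH_DEDICATED_EMAIL)]:
        print(f"{label:18} -> {takeover_closure(model, GRANTS, start)}")
```

In both variants the main inbox still exposes the PayPal account in this model, but the carrier account stays out of reach, so the SMS codes and the bank do too.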

mskrisc
Good Citizen / Bon Citoyen

Says call cannot be completed as dialed 

mskrisc
Good Citizen / Bon Citoyen

I appreciate your help! This self serve phone service is not ideal in these situations. Now we go to bed while someone has fun draining his accounts. 
So unbelievably frustrating 

@mskrisc 

Sorry to hear about your troubles:

Here is a direct link to the chat bot for SIM swap issues:

https://widget.telus.tiia.ai/chatbot.html?botId=ZJkWuVb7Hp6EEcTIZKMZbvLwuDV&duid=1o201QpgTE4mvfCSIjQ...

 

Here is some more information:

https://www.publicmobile.ca/en/on/get-help/articles/sim-swap-fraud

 

With it being so late in the evening, many customer service agents are not working. You may not get a response until tomorrow morning unfortunately.  

 

 

dust2dust
Mayor / Maire

What recording does the one phone get when it dials 611? Or if you dial 1-855-4pu-blic and enter his number what recording do you get?


@mskrisc wrote:

I don’t think PM does enough to protect, and now that he was Hacked I can’t get a hold of anyone to help! All to save $5 a month? NOT Worth it! 
Try telling a chat bot you got hacked! It’s not an option 


The chatbot does not have that level of vocabulary.  I like to use the phrase speak to a human to get the ticketing link up and running.  I am still not sure what Public Mobile can do to protect account access.  2FA is a pretty standard security measure used on many sites including banks.

 

I just tried the chatbot process now.  When I typed speak to a human, I got a contact us link.  I used that link and then selected other which brought up options including security.  Anyway, if you cannot navigate the chatbot ticketing system, please use this link to send a private message to the CSA team.  This bypasses the ticketing system which is not the preferred approach.

 

https://productioncommunity.publicmobile.ca/t5/notes/composepage/note-to-user-id/22437

mskrisc
Good Citizen / Bon Citoyen

I don’t think PM does enough to protect, and now that he was Hacked I can’t get a hold of anyone to help! All to save $5 a month? NOT Worth it! 
Try telling a chat bot you got hacked! It’s not an option 

will13am
Oracle

@mskrisc, to get a hold of a CSA, use the chatbot link at the bottom of the webpage to initiate a support ticket. Please share why you think the 2FA system is bad? It seems to work like any other site that uses 2FA.
