10-04-2022 11:52 PM
I have an account as well as both of my kids. I pay for their accounts with my CC on file with Public. My son is a victim of SIM swapping due to PM’s lousy authentication!
He can’t even get into his email or Public account to fix this! I’m so mad! I’m pulling all 3 of our accounts from Public.
How do I get hold of someone ASAP? This is an emergency as the thief is having a heyday in my teen's PayPal, bank and email.
02-23-2023 03:30 PM
I have also experienced simjacking very similar to your situation. Usually they don't care about the sim or the number, they are really after bank accounts.
If the phone device never left your son's possession, my guess is that they were able to acquire his email credentials and self-serve credentials through malware or malicious website cookies.
If the hacker has already locked you out of your self-serve account, the first thing to do in this situation is to open a ticket and explain that your SIM card has been changed without your consent and you are a victim of fraud. Be prepared to provide information such as last payment date, amount, account number, etc. to verify your identity. After that, wait for their response, and they will lock your self-serve account. They can also restore your original SIM card and your phone service will be back. Public Mobile's support team is helpful, but there is no immediate help, and this type of situation doesn't seem to be treated as an emergency. They also have a privacy department, but their service is also not urgent. You call them, and they will call back in a day or two. And they will also investigate your case.
Next (or perhaps before contacting Public Mobile), you will need to call all your banks/credit card companies and ask them to freeze/lock all the accounts so that no one can move money. If the hackers have already done a few transactions, ask the bank to open disputes for those transactions and investigate. If this is the first time, banks are likely to refund your lost amounts.
Then you'd have to call the credit unions and report fraud. If they have also stolen your social insurance number, you'd need to call Service Canada.
As a preventive measure, everyone should use an email address for their Public Mobile account exclusively. Do not use that email for any other purposes.
Hope you got your money back! Stay safe!
10-06-2022 02:06 AM - edited 10-06-2022 02:11 AM
that's one of the main reasons I don't use 2fa or any type of authenticator app. it's one of the worst "security" features that was ever made. hackers love exploiting these. switching companies is fine, but you guys need to keep a close eye on the other family members and their financials. try and investigate how he was able to be compromised. it's important to know how it was done for one to be able to take the necessary steps to protect one's identity. unfortunately, from now on, your son needs to be a ghost on the web. I'm not sure on how persistent this fraudster will be. I would definitely limit the amount of personal info that is on those accounts. there's a good chance this person is going to try and go for friends and family next. delete your phone numbers, birthdays and use a fake or nickname on social media etc. keep a close eye on text messages and don't click on any links from unknown numbers, even if it's from a supposed reputable company.
this is for PM but if you register with another prepaid company you can follow these rules
create an email strictly for public mobile
change your name and address on your self serve account
don't use your personal email password for the pm website
don't use a password manager (chrome, safari, etc. browsers)
don't use your cellphone number as a 2fa for banks, PayPal etc
if one has a hard time remembering passwords and accounts then write it on a piece of paper and keep it filed or somewhere safe. do not save it on your device or computer. one needs to limit personal info on technology as much as possible
10-05-2022 09:27 AM
@darlicious wrote: I'm sorry to hear that this has happened to your son's account. I hope you have also put your credit card on hold since it's registered on the account and while the entire credit card number is not revealed it would still be a good measure to ensure your card does not get compromised as well.
As far as how the fraudster has managed to perform a Sim swap within your son's account I would be contacting PayPal as that is the likely source that the fraudster began with by hacking the PayPal account to gain info and email access.
Before SIM swap security measures were put in place at Public Mobile many SIM swap frauds began with PayPal accounts being compromised. If your son used the same password across his accounts or just the same password with his email and his PayPal account then the fraudster hit the jackpot.
Through his Paypal account the fraudster was probably able to access both the phone number and the email. Then with a little bit of detective work they figured out it was a public mobile phone number. While I suspect it wasn't needed social media accounts often reveal way too much personal information to the world wide web.
Now unfortunately with the recent update to the new self-serve accounts public mobile actually reduced their security by introducing 2FA verification. Your son's account is the first Sim swap reported since the original security measures were put in place to prevent Sim swap fraud that were very effective.
When Public Mobile introduced 2FA verification in July they removed the previous security of password resets requiring a security question and answer. Not being able to answer this question correctly, or even know what the security question consisted of, prevented access to the account through a password reset.
Now all that is required is access to the phone number or email. Fraudsters will now be able to exploit this weakness with public mobile and access accounts to achieve the goal of a SIM swap. Public Mobile needs to reinstitute the security question and answer for password resets in addition to having 2FA verification.
Of course Public Mobile customers need to practice good online security which includes having different passwords for each of their online accounts and for additional security having a separate email address used solely for their Public Mobile account ensures that if any of their other online accounts are compromised it is unlikely to affect their public mobile self-serve account because the username/email would not be known.
I certainly hope you have contacted your son's financial institution's fraud department to disable online access to his bank account. You would also want to disable his telephone banking. You will also want to phone TransUnion and Equifax and put fraud alerts on his accounts so that no fraudulent credit accounts are created, which can range from postpaid phone accounts with expensive device subsidy contracts to credit cards to loans, etc. A 7-year fraud alert with these credit reporting agencies means any attempt to acquire credit will result in a phone call to the victim of fraud before credit will be issued. This service is offered for free by these agencies.
Lots of security lapses all around but pm only has a small portion of it.
When the new self-serve accounts were rolled out I mentioned that removing the security question and answer from password resets was exposing our self-serve accounts to a security risk. I strongly encourage Public Mobile to bring back the security question and answer for password resets. Additionally, for further security, giving customers the ability to change the email for login to a username would bolster our account's security if the customer wishes to do so.....? If it's good enough for my bank account's security why isn't it good enough for my self-serve account?
SIM swap requires access to the associated email address and the login credentials for the Public Mobile account. This seems pretty secure to me. Some sites do not send 2FA to email addresses, but it is understandable why Public Mobile has allowed it because accounts can go inactive and need to be reactivated. I do agree that customers should be able to change email addresses without having to use support which is not always timely.
10-05-2022 08:30 AM
Thank you! You’ve given us a direction to start. Definitely leaning to your suggestion of PayPal. His phone never left his possession. He’ll be at the bank when they open in 1/2 hr.
I will definitely do my research when I make the switch, perhaps set up some things differently with no phone account email the same as bank. In times like this, self serve is so frustrating. He is a victim of fraud and we can’t even speak to someone.
Time to move on to a place I can talk to an agent and protect my security immediately… not a day later
Thank you again, you’ve been beyond helpful! Much appreciated
10-05-2022 08:16 AM - edited 10-05-2022 08:32 AM
Identifying where the original security breach occurred is important. If your son's phone has been in his possession then access to the Public Mobile account occurred through his email. So how did the fraudster gain access to his email?
You may also find that all other providers have similar 2FA verification so switching providers does not guarantee that it couldn't happen again or that your accounts would be more secure. It's only that Public Mobile had more secure accounts before July 13th 2022. If you do decide to switch providers do your research to ensure the new provider has additional security features over and above 2FA verification.
Keep in mind the same security features at your son's financial institution failed him as well. I have verification questions on my bank account and have no ability to receive 2FA verification to my phone number nor do I have an email listed on my account. My phone number is not accessible on my online account and cannot be used to reset my password. I also have a username instead of my bank card number to log into my online banking.
Again how did the fraudster gain access to the email to reset the password for your son's Public Mobile self-serve account? And how did they gain access to his bank account to be able to reset its password? How did they get his login username or bank card info? Having access to the phone number is only one part of the puzzle?
At least your son's misfortune proves my point with public mobile and hopefully they will bring back the security question and answer for password resets so that this is the first and last time a Sim swap occurs under these conditions.
Review your son's financial institution's online banking security guarantee to see if they are liable for the security breach on their part.
10-05-2022 07:54 AM
Does it matter if email or phone was first? The point is… I was up until 3am jumping hoops to get his SIM back, yet the thief had it switched very easily with 2F and no security questions! Once they hijacked his SIM they were able to get into his bank account! He’s 2nd yr University student and all his school savings are gone. Had PM been more diligent with security, this never would have happened!
You get what you pay for!
10-05-2022 07:50 AM
Thank you for this detailed response, it’s very helpful. Sadly now we find out his bank account has been drained. This was his University savings. He's a second year student. We’re both heartbroken. Idk what the bank will do, this is a first for us both.
I also suggested to the PM agent helping me that PM needed more than 2F identification and they believe it’s sufficient.
We couldn’t even retrieve his email (Microsoft) without security questions. How can PM be so lax? They have completely destroyed him. I will be moving all 3 of our accounts from PM today!
10-05-2022 06:09 AM
@mskrisc how do you know the issue was from the PM side?
Any chance your son's email account was first compromised and going downhill from there? Or someone got physical access to his phone first and hence able to receive the 2FA code?
10-05-2022 05:59 AM - edited 10-05-2022 06:05 AM
I'm sorry to hear that this has happened to your son's account. I hope you have also put your credit card on hold since it's registered on the account and while the entire credit card number is not revealed it would still be a good measure to ensure your card does not get compromised as well.
As far as how the fraudster has managed to perform a Sim swap within your son's account I would be contacting PayPal as that is the likely source that the fraudster began with by hacking the PayPal account to gain info and email access.
Before SIM swap security measures were put in place at Public Mobile many SIM swap frauds began with PayPal accounts being compromised. If your son used the same password across his accounts or just the same password with his email and his PayPal account then the fraudster hit the jackpot.
Through his Paypal account the fraudster was probably able to access both the phone number and the email. Then with a little bit of detective work they figured out it was a public mobile phone number. While I suspect it wasn't needed social media accounts often reveal way too much personal information to the world wide web.
Now unfortunately with the recent update to the new self-serve accounts public mobile actually reduced their security by introducing 2FA verification. Your son's account is the first Sim swap reported since the original security measures were put in place to prevent Sim swap fraud that were very effective.
When Public Mobile introduced 2FA verification in July they removed the previous security of password resets requiring a security question and answer. Not being able to answer this question correctly, or even know what the security question consisted of, prevented access to the account through a password reset.
Now all that is required is access to the phone number or email. Fraudsters will now be able to exploit this weakness with public mobile and access accounts to achieve the goal of a SIM swap. Public Mobile needs to reinstitute the security question and answer for password resets in addition to having 2FA verification.
Of course Public Mobile customers need to practice good online security which includes having different passwords for each of their online accounts and for additional security having a separate email address used solely for their Public Mobile account ensures that if any of their other online accounts are compromised it is unlikely to affect their public mobile self-serve account because the username/email would not be known.
I certainly hope you have contacted your son's financial institution's fraud department to disable online access to his bank account. You would also want to disable his telephone banking. You will also want to phone TransUnion and Equifax and put fraud alerts on his accounts so that no fraudulent credit accounts are created, which can range from postpaid phone accounts with expensive device subsidy contracts to credit cards to loans, etc. A 7-year fraud alert with these credit reporting agencies means any attempt to acquire credit will result in a phone call to the victim of fraud before credit will be issued. This service is offered for free by these agencies.
Lots of security lapses all around but pm only has a small portion of it.
When the new self-serve accounts were rolled out I mentioned that removing the security question and answer from password resets was exposing our self-serve accounts to a security risk. I strongly encourage Public Mobile to bring back the security question and answer for password resets. Additionally, for further security, giving customers the ability to change the email for login to a username would bolster our account's security if the customer wishes to do so.....? If it's good enough for my bank account's security why isn't it good enough for my self-serve account?
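The reset chain discussed in this thread, as an added example that is not part of any post: a small Python audit that models each account's reset routes and computes which accounts fall once one credential is lost, first with code-to-email-or-phone resets only, then with the thread's suggestions applied. Account names and the PayPal and bank reset routes are assumptions made for illustration.

```python
"""Recovery-chain audit: which accounts fall once one credential is lost."""

# Constructed models. Each account lists its reset routes; a route is the set
# of things someone must already control to reset that account. Names and the
# bank/PayPal routes are assumptions for illustration.
TWO_FA_ONLY = {
    "carrier_self_serve": [{"personal_email"}, {"phone_number"}],
    "phone_number": [{"carrier_self_serve"}],          # SIM change in self-serve
    "paypal": [{"personal_email"}],
    "bank": [{"phone_number"}],                        # SMS reset code
}

# Same accounts after the thread's suggestions: a dedicated carrier email,
# a security answer required on top of the code, no phone-based bank reset.
HARDENED = {
    "carrier_self_serve": [{"carrier_only_email", "security_answer"}],
    "phone_number": [{"carrier_self_serve"}],
    "paypal": [{"personal_email"}],
    "bank": [{"bank_security_answer"}],
}


def takeover_chain(model, compromised):
    """Return [(account, route_used), ...] in the order accounts fall."""
    controlled = set(compromised)
    chain = []
    progressed = True
    while progressed:                      # iterate to a fixed point
        progressed = False
        for account, routes in model.items():
            if account in controlled:
                continue
            for route in routes:
                if route <= controlled:    # every factor in the route is held
                    controlled.add(account)
                    chain.append((account, sorted(route)))
                    progressed = True
                    break
    return chain


def exposed_accounts(model, compromised):
    """Set of accounts that can be reset starting from `compromised`."""
    return {account for account, _ in takeover_chain(model, compromised)}


if __name__ == "__main__":
    for name, model in (("2FA only", TWO_FA_ONLY), ("hardened", HARDENED)):
        print(name)
        for account, route in takeover_chain(model, {"personal_email"}):
            print(f"  {account} <- {route}")
```

To audit a real set of accounts, replace the two dictionaries with each account's actual reset options and run it once per credential that could plausibly leak.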
10-05-2022 12:58 AM
Says call cannot be completed as dialed
10-05-2022 12:56 AM
I appreciate your help! This self serve phone service is not ideal in these situations. Now we go to bed while someone has fun draining his accounts.
So unbelievably frustrating
10-05-2022 12:37 AM
Sorry to hear about your troubles:
Here is a direct link to the chat bot for SIM swap issues:
Here is some more information:
https://www.publicmobile.ca/en/on/get-help/articles/sim-swap-fraud
With it being so late in the evening, many customer service agents are not working. You may not get a response until tomorrow morning unfortunately.
10-05-2022 12:27 AM
What recording does the one phone get when it dials 611? Or if you dial 1-855-4pu-blic and enter his number what recording do you get?
10-05-2022 12:24 AM - edited 10-05-2022 12:29 AM
@mskrisc wrote: I don’t think PM does enough to protect, and now that he was Hacked I can’t get a hold of anyone to help! All to save $5 a month? NOT Worth it!
Try telling a chat bot you got hacked! It’s not an option
The chatbot does not have that level of vocabulary. I like to use the phrase speak to a human to get the ticketing link up and running. I am still not sure what Public Mobile can do to protect account access. 2FA is a pretty standard security measure used on many sites including banks.
I just tried the chatbot process now. When I typed speak to a human, I got a contact us link. I used that link and then selected other which brought up options including security. Anyway, if you cannot navigate the chatbot ticketing system, please use this link to send a private message to the CSA team. This bypasses the ticketing system which is not the preferred approach.
https://productioncommunity.publicmobile.ca/t5/notes/composepage/note-to-user-id/22437
10-05-2022 12:13 AM
I don’t think PM does enough to protect, and now that he was Hacked I can’t get a hold of anyone to help! All to save $5 a month? NOT Worth it!
Try telling a chat bot you got hacked! It’s not an option
10-04-2022 11:54 PM - edited 10-04-2022 11:55 PM
@mskrisc, to get a hold of a CSA, use the chatbot link at the bottom of the webpage to initiate a support ticket. Please share why you think the 2FA system is bad. It seems to work like any other site that uses 2FA.