
Sim Hacking/Sim Swap and PM's Response

Kaitrin
Great Neighbour / Super Voisin

Hi all,

 

I have been a customer of Public Mobile for about a year now. Up until now I was really enjoying the coverage and lower cost plans.

 

However, 2 days ago my SIM card was hacked - I don't know the full details of this but from my understanding it involves getting someone's number and attaching it to a new SIM, wherein you are able to get into all of their two-factor authentication accounts (gmail, etc). Within minutes I had no service, my gmail account had been compromised, and had charges on my credit cards for thousands of dollars.

 

I contacted Public Mobile, and the moderator (not until the next morning) called this an "emergency" (and rightfully so) and provided two PM fraud phone numbers to call in order to try and expedite my request for help. I called both of these lines for the past 2 days, and both of them replied with a response akin to "We're sorry, but our fraud line is unavailable right now, please leave a message and we will try to get back to you within 2 business days." I apologize for the honesty - but this really does not seem like an adequate response to an emergency situation from PM. I don't think it's the moderator's fault, but seems like more of a systems issue. I would be fully willing to take responsibility if I was personally responsible for any data breach from my own fault (I cannot identify anything), but I really find the response from PM to be insufficient.

From what I have read, it seems that given how PM operates, it is more prone to SIM swapping/hacking than other carriers, and at this point I am questioning if it is worth it to stay with PM if there is a higher likelihood of this happening.

I'm wondering if anyone else has had a similar experience with PM's response to such situations.

I'm also wondering if anyone has more understanding on PM's susceptibility to SIM hacking compared to other carriers given how they are set up.

 

Grateful for anyone's thoughts/experience with this kind of thing.

35 REPLIES

mm80
Town Hero / Héro de la Ville

@softech wrote:

@Kaitrin wrote:

I have similar thoughts to yours. The numbers were:

1-844-474-4141 

647-837-7030.


 

just try calling this.. yes.. Public Mobile Fraud Management Hotline.  .they both go straight to voice mail and say it clearly 2 business days..   😞    What would you feel if you call 911 and got to a voicemail and tell you they will get back to you in couple hours?  Interesting hotline..


Not having cell phone service isn't like 911. It's an inconvenience. Important calls can be missed but for true medical emergencies, 911 would still work if your sim was swapped out. 

Did it, @esjliv ?

 

You may want to confirm whether the identified service is secure and/or change the login credentials associated with that service.

 

ALSO, if the service identified has a password that is repeated on OTHER services you hold, I'd recommend changing the password associated with the other services with the same password.

 

 


@Luddite wrote:

@Kaitrin  FYI: Check this website to see if your email address has been reported compromised in a data breach: https://haveibeenpwned.com/


@Luddite ,

So what IF your email shows up here. What then?

@Kaitrin 

Out of curiosity I just went to the community forums (that exist) of the other major players. All were quite useless, commonly asking if I meant "smacking", with Virgin bringing up results on sim swapping (when changing of providers.) The only other community to mention anything close was Telus with two posts concerned about porting fraud and a practical suggestion to require authorization on one's account. All discussion was quickly shut down by a moderator and the thread closed.

 

This leads me to believe it's just as common elsewhere, just hidden from public view with heavily controlled community forums that stymie free discussion among users. We are lucky with the community we have built here that stays informed and ready to help at a moment's notice.

@darlicious , it would be a rather awkward discussion if I tell the bank to remove 2FA from my login.  They say it as a safety and security feature upgrade.  I have neither the time nor the fact based arguments to turn things around.  It's not like I can run from this as more banks adopt 2FA.  I already got the memo from the orange brand that it's coming soon.  As for costs, I pay nothing for my banking.  I have not paid a fee for many decades.  I am not sure how that matters here.  Now the one thing that upsets me is that the 2FA does not play nice with my Google voice number.  

@will13am 

What else does your bank force on you? You're the customer, it's up to them to listen to you....do you pay them to have an account too?

Anonymous
Not applicable

@softech wrote:

What would you feel if you call 911 and got to a voicemail and tell you they will get back to you in couple hours?

You can't compare fraudulent phone activity to 911. Every year, the 911 services put out their list of stupidest 911 calls. Like my food delivery hasn't arrived. Seriously.


@Kaitrin wrote:

I have similar thoughts to yours. The numbers were:

1-844-474-4141 

647-837-7030.


 

just try calling this.. yes.. Public Mobile Fraud Management Hotline.  .they both go straight to voice mail and say it clearly 2 business days..   😞    What would you feel if you call 911 and got to a voicemail and tell you they will get back to you in couple hours?  Interesting hotline..


@golfball wrote:

So this is why 2FA apps such as Authy are preferred today. 


@golfball Unfortunately not all sites support 2FA via authenticator app. All the sites that I use that support it have been set up. I use Google Authenticator but they are all good.

 

@TheGx An authenticator app as mentioned above is my preference. A new 6 digit code is generated every 30 seconds. When a site asks for the code, you need the correct app and time sensitive code.

TheGx
Deputy Mayor / Adjoint au Maire

@Kaitrin: I agree with @kb_mv and @darlicious about 2 factor authentication being the problem that causes thieves to want to steal your phone and phone number via stealing SIMs - because it's convenient to be able to reset your password simply by pressing the forgot password button and then the 2 factor authentication lets whoever has your phone create new passwords, strong passwords are useless when 2 factor authentication bypasses it.

 

I never use 2 factor authentication or other privacy invasive ignorances that use convenience to lure people to expose and connect all their personal information together into a single database, in fact everyone should be resisting it by only using trusted privacy apps instead of apps that collect all your personal information - 2 factor authentication collects 2 important pieces of your personal information and links them into a single database in order to provide you convenience and in order to monitor more of your habits, phone information connected to other accounts.

 

So, best thing to do is what @kb_mv  and @darlicious said, refuse and resist connecting all your personal information together just because google and facebook ask you for it - don't link all your accounts to your phone etc.

 

An important free privacy app that helps create and remember all your passwords etc is RememberBear - it can create super strong passwords and can use fingerprints or your face to remember everything and enter everything into your online accounts for you conveniently.

 

Because of 2 factor authentication being able to bypass passwords to get into all your accounts, simply don't use it - and that will be one less way for others to get into your accounts.

 

If you can't remember strong passwords or want convenience, use privacy apps like RememberBear to help you remember.

golfball
Deputy Mayor / Adjoint au Maire

So this is why 2FA apps such as Authy are preferred today. 


@Kaitrin wrote:

@darlicious 

Perhaps this would be a reason why PM accounts could be more susceptible - to my knowledge other carriers have the option for a PIN.


This would need to be a PIN that is required when Change SIM is requested. Not sure it's offered by any Canadian carrier. https://authy.com/ would be better.


>>> ALERT: I am not a CSA. Je ne suis pas un Agent du soutien à la clientèle.


@Kaitrin wrote:

@darlicious 

Perhaps this would be a reason why PM accounts could be more susceptible - to my knowledge other carriers have the option for a PIN.


@Kaitrin @darlicious I might be wrong but I'm guessing that in virtually every case of sim jacking we see here, it is a case of the same user name and/or password being used among multiple online accounts.

Kaitrin
Great Neighbour / Super Voisin

@darlicious 

Perhaps this would be a reason why PM accounts could be more susceptible - to my knowledge other carriers have the option for a PIN.


@Luddite wrote:

@Kaitrin  FYI: Check this website to see if your email address has been reported compromised in a data breach: https://haveibeenpwned.com/


@Kaitrin @Luddite Keep in mind that though this is a useful site (my email from a few years ago shows up), not all breaches become public. Just because your address isn't there doesn't mean it hasn't been involved in a breach. It's a great start though.

Luddite
Oracle

@Kaitrin  FYI: Check this website to see if your email address has been reported compromised in a data breach: https://haveibeenpwned.com/


>>> ALERT: I am not a CSA. Je ne suis pas un Agent du soutien à la clientèle.

Anonymous
Not applicable

@Kaitrin wrote:

 

Do you know if I am able to attach a PIN number to my account in order to make it more secure? Something that would increase the security and prevent a SIM swap/Port in the future?


This has only been a suggestion by the regulars around here. I first heard of it from username gpixel4. It doesn't exist.

This place also moves at a glacial pace and barely does what's required of it from government regulation.


@Kaitrin wrote:

Thanks for the reply darlicious,

 

I did end up buying another SIM card and was able to successfully switch the service back, now however I have been locked out of my account and still waiting for a reply from PM. 

I have made a PM specific email - although I'm not certain that this would entirely eliminate the threat of a SIM swap.

Do you know if I am able to attach a PIN number to my account in order to make it more secure? Something that would increase the security and prevent a SIM swap/Port in the future?


@Kaitrin The best thing you can do is use a secure password. All of my online accounts use something like this: ArUL46g4dYFKsA


@darlicious wrote:

@Camera4617 

I don't use 2FA on anything important and the odd thing I do have it on goes to a family members phone number. I'm old school.


Sometimes this cannot be helped.  My bank forces it on me.  

Kaitrin
Great Neighbour / Super Voisin

Thanks for the reply darlicious,

 

I did end up buying another SIM card and was able to successfully switch the service back, now however I have been locked out of my account and still waiting for a reply from PM. 

I have made a PM specific email - although I'm not certain that this would entirely eliminate the threat of a SIM swap.

Do you know if I am able to attach a PIN number to my account in order to make it more secure? Something that would increase the security and prevent a SIM swap/Port in the future?

I would have thought that following the alleged data breach last year that the company would have sent notice to ALL account holders that a "potential" breach had occurred and they advised everyone change their password to be on the safe side. I don't think that happened. 

 

As for 2FA and password resets attached to your phone number.... well everyone (at least the regulars) probably knows where I stand on the issue, bad idea for the very reasons we see happening here. I communicated with a recent victim of this and asked them what PM was able to tell them about the breach. I was interested to know whether they could provide an idea of IP address, time/date, if user name & pw was used vs a ticket to try and get in etc. I am honestly surprised that this individual said PM didn't say anything about any of it other than to say sorry this happened.

Kaitrin
Great Neighbour / Super Voisin

I have similar thoughts to yours. The numbers were:

1-844-474-4141 

647-837-7030.



.. someone did suggest there might be a data breach earlier, too..

 

another thing, i wonder if it is more common with PM here (because of the fact that it's complete self-serve online?) or we notice this a lot here because we follow this community closely?  wonder if Simjack happens as often in other providers .. 

 

Anonymous
Not applicable

It has been suggested around here that at the pressing go for Change SIM that it pops up with requiring the account PIN. Failing that then nothing changes.

 

About number theft, it's all very well to require a final text confirmation for port-outs but it's useless when the SIM can be changed easily enough once managing to get into the account. Or hackers are using other methods that we can't even protect against.

 

Fraudulent port-out is number theft leaving the account behind. Sim-swap is account theft continuing to use the number.

kselmak
Mayor / Maire

Getting into your selfserve and suspending your account as well as changing password and security questions is the first thing to do.

Contacting all the financial institutions where you used your number is the next step, then getting your credit score (so that there are no more surprises) would also be good.

To revert charges back to your sim card you need to contact moderators.

Some people don't want to wait so they get the new sim, in that case you should still contact moderators so they know and you may be reimbursed.

How do they swap sim numbers, I'm not sure.

The fact that so many people still have access to their selfserve makes me think they are not logging into the account to do it, otherwise they would change the passwords right away

But then again they don't want to own your account either, they only want it for couple of minutes to make it into your bank account, so why bother

@Camera4617 

I don't disagree that there is room for improvement in regards to simjacking but the best protection is keeping your personal info private, a pm specific email and a strong password. So unless someone guesses my password which is very unlikely or convinces a mod they are me also very unlikely ( you google my name nothing comes up except other people.) I am only susceptible to a data breach.

HALIMACS
Mayor / Maire

@Kaitrin   Below in this link/URL is a very good article on Sim swapping/ hacking:

 

https://www.cnet.com/google-amp/news/sim-swap-fraud-how-to-prevent-your-phone-number-from-being-stol...

 

 

 

 

Camera4617
Town Hero / Héro de la Ville

@darlicious Sure, that's your choice. And you might be OK with it, but if somebody hacks your password, they are in. So, either way there is a risk but that doesn't change the fact that PM should protect its customers. If not, I'll go where they do. 

@Camera4617 

I don't use 2FA on anything important and the odd thing I do have it on goes to a family members phone number. I'm old school.

Camera4617
Town Hero / Héro de la Ville

@darlicious Yes but also 2FA is the only way to protect yourself from cracking passwords and taking over your accounts. PM should protect customers from SIM hijacking in any way it can as it is in control of it, not customers. 

 
