09-23-2020 03:09 PM - edited 01-05-2022 05:02 PM
Yesterday at 2am I was scammed via SIM swap and woke up without cell service and money from my PayPal missing. I don't know how to they did it because my PM password wasn't changed so they would have had to guess it outright?
What I'm mostly requesting is - can PM start to think of ways to have extra security when someone wishes to swap SIM cards? I think these scams are getting more and more popular and more security (like a PIN?) would be nice.
It would be nice to get an email when someone has requested a SIM change, so there's a paper trail. Or even a log of log-in activity so you know if someone does it again.
I've changed my password but I want to know if there's more I can do to prevent this from happening again.
Solved! Go to Solution.
09-29-2020 12:41 PM
I bought my original SIM card from Amazon!
09-29-2020 12:38 PM
Thank for for that info! Unfortunately port protections wouldn't even help me because my number wasn't ported out to another provider! I can even see how many texts they received between 2am-9am on my PM account.
09-29-2020 12:36 PM
They did access my email but they are different passwords for sure. They used my phone number as the 2FA to change my email and paypal password but that happend AFTER hacking the phone.
But yes thank you! I got their IP address (and also their mailing address from the Best Buy purchase) and have reported it to the authorities.
09-27-2020 05:27 PM - edited 09-27-2020 05:28 PM
@Korth @gillianchreptyk Also consider the possibility that they got in through your email. Once in there they see the email from PM. Same password maybe? Bingo they're in. If you have Gmail, on the bottom right you see Account Activity.
Click details and you will see a window open that shows recent activity on your account and from which IP address (mine of course obscured).
Do you recognize all of the entries?
09-27-2020 04:47 PM
@gillianchreptyk wrote:So yes I've filed a fraud report and a police report with all this info! I've taken my phone# off all 2FA log-ins but I just don't like how easy it was for them to get my SIM!
Consider where you bought the SIM. If it came from Public Mobile then it hasn't been handled by anyone else. Nobody else could've seen (and copied) the SIM printed ID number. Nobody else could've duplicated (or tampered with) with the SIM's digital ID contents.
Buying the SIM from other vendors is more risky. Buying the SIM from online vendors moreso, because they know you can't show up banging their door angrily waving a receipt in their face. Buying the SIM from anonymous auctions (ebay, etc) is just begging from trouble.
There's plenty of legit vendors, honest folks doing straight business. If there weren't then the crooks wouldn't have protective camoflage. But why risk it at all on a $10 item?
Once somebody's got that info they can either use your name and phone number to request a number port or they can copy your "unique" SIM onto a blank SIM to steal service. Calamity if they can also steal away your entire cloud.
And they don't have any obligation to attack immediately. They might wait months or years. A compromised SIM card is vulnerable as long it stays active.
09-27-2020 03:33 PM
PM hasn't told me anything re: IP address, but I have their shipping info and IP address from Best Buy where they bought a TV 🙂
So yes I've filed a fraud report and a police report with all this info! I've taken my phone# off all 2FA log-ins but I just don't like how easy it was for them to get my SIM!
09-23-2020 06:38 PM - edited 09-23-2020 11:47 PM
@gillianchreptyk there was a security breach at Koodo in February 2020. if you had an account in the Telus family tree before this time your information was most likely compromised.
the port protection they are working on, is the text message and you have to reply 'yes' to have the number ported. this method maybe a good solution for sim jacking, but not for sim swaps. read through this thread
https://productioncommunity.publicmobile.ca/t5/Using-Your-Service/Port-Protection/td-p/591210/page/3
I also mentioned adding a pin to the change sim option. it is very unlikely anyone will know this pin, since pm only displays it in a text message once. yes the sim swapper may have the potential to change it because of knowing your info, but they won't know it right away and all we need is a notification saying there was an attempt of a sim change and hopefully it delays the process long enough for the customer to react. this is much better than nothing at all.
if you would like some security I suggest following these instructions
09-23-2020 05:45 PM
No. It is not. 🙂 It's my pathetically unoriginal uncreative username inventing prowess. After the lovely Z10 I got an even lovelier Z30. Then I got an S7. Now I have an A31.
Meh.
09-23-2020 05:31 PM
Wait ... it suddenly dawned on me ... are you saying that @Anonymous isn't your real name?
I guess it's time to scratch "Korth" off my birth certificate ...
09-23-2020 05:30 PM
@hairbag1 Rapscallions! Now there is a word we don't use near enough!
09-23-2020 05:24 PM
@Anonymous wrote:
@esjliv wrote:I THINK I WILL - who is with me?
GET THE PITCHFORKS!! 🙂
To the OP: hopefully you're still reading this. Another protection is to Not. Use. Real. Information. Online. Anywhere. Your username here looks like a real name. Don't.
Excellent suggestion and I agree. We've all seen people put tres sensitive info into the Community Forum pages. I've seen full name, address, phone number, account numbers, voucher numbers c/w pins.
We need to all have a look to see if we've provided vulnerabilities to the rapscallions and ne'er do wells who would take advantage.
09-23-2020 04:47 PM
@Korth What I meant with comparing your physical sim numbers with the ones in your account was as a way to tell whether or not someone has got into your account and swapped sims. It has happened a number of times here at PM just recently.
09-23-2020 04:45 PM
You may be right. Although I doubt the SIM ID number is enough to prove you are you and to disprove someone else is you, regardless how much of your other information you still have vs how much of it someone else has taken.
At worst I think you'd be out ten bucks when you have to buy another SIM card. The same ten bucks you've already lost when your original SIM card was effectively stolen from you. The reality is that if you've somehow recovered the account after a SIM fraud then your SIM card is already compromised (it could all happen all over again) unless you replace it, and the only SIM ID number you need to know in that instance is the new one you're activating.
09-23-2020 04:19 PM - edited 09-23-2020 04:25 PM
@Korth wrote:Scrub the number off your SIM card, you'll never need it again once the SIM has been activated.
@Korth Except when you have a problem, come here for help and someone tells you to go into your account and compare the sim number there with the one in your phone.
I agree wholeheartedly with what you wrote though. People don't seem to realize how much of their life is tied up in / to the cell phone. I make a conscious decision that that won't be me. I use a Password manager on my phone and desktop that has a unique, used nowhere else, not similar to anything password to get in and access all the others. You may get into my phone, but zero apps and zero websites have save info. That's what my password manager is for. Plus I do NOT sign into chrome or opera or firefox to access my history or bookmarks across devices. This allows bad guys another avenue into your life.
I have a spreadsheet for backup printed out here at home of ALL my known website accounts, usernames and passwords. There are 71 of them lol and I don't think I am on the high end of usage (to be fair these include my wife's important sites as well). I guard my online data closely. A lot of people (just look here on the forums) are not so fastidious.
09-23-2020 04:01 PM
@esjliv wrote:I THINK I WILL - who is with me?
GET THE PITCHFORKS!! 🙂
To the OP: hopefully you're still reading this. Another protection is to Not. Use. Real. Information. Online. Anywhere. Your username here looks like a real name. Don't.
09-23-2020 03:51 PM - edited 09-23-2020 03:56 PM
The other vulnerability is the phone itself. It often stores all the owner's accounts, logins, passwords. Anyone who can get past the screenlock code has full access to everything the owner lets it access, plus a history of everything it's been used for and all the contacts, messages, calendars, notes the owner lets it remember.
I don't know if this is specifically what happened in this instance. But it's a serious risk which most people never even consider.
It's not hard to acquire somebody else's phone for a short time, if you're persistent enough to take the opportunity when they're inattentive. While you've got the phone you've got access to the unique number printed on the SIM card. The owner may have let you use the phone to make a call, leaving it open and unlocked. Or you may have observed the owner entering his PIN/code. Or you may know the person well enough to accurately guess the code.
Scrub the number off your SIM card, you'll never need it again once the SIM has been activated. Change all your passwords and secret questions and stuff. Try to use another phone number for 2FA (and erase any history of that number on the phone itself) so you always have a hidden security option and disaster recovery option. Use the screenlock religiously, and change the key on it every time you think it might have been compromised. Use all the security PIN options the phone offers so you can lock access to settings, "About..." information, and all the rest. Don't let other people use your phone - or at least supervise their activity on your phone closely - unless you're married to them. Run malware scans on all your devices to ensure you're not running somebody else's keylogger.
Even if you're surrounded by people that you trust, be aware that you can't necessarily trust all the people that they trust.
09-23-2020 03:42 PM
Hello @gillianchreptyk ,
I am so sorry this happened to you. And I do notice more of these happening, which makes me CRINGE, angry and a bit paranoid, actually.
Telus does provide this article, but I do not see much in terms of them (Telus/Koodo/PM) preventing this from happening to someone, just the basics of online "protect your info" stuff:
https://www.telus.com/en/wise/resources/content/article/sim-swap-scam-what-you-should-know
What can "we" do as a Community to push this issue further?
Has anyone put in a ticket with moderators, questioning them on this increasing occurrences?
I THINK I WILL - who is with me?
09-23-2020 03:41 PM
There should be some sort of two factor authentication for self serve.
09-23-2020 03:21 PM - edited 09-23-2020 03:21 PM
@geopublic @gillianchreptyk @hairbag1 I wonder how difficult it would be for Telus/Koodo/PM to implement MFA (NOT using phone number lol)?
09-23-2020 03:19 PM
@gillianchreptyk The most important thing that you can do to prevent sim swapping is to not use the same password for more than one site. Most of these incidents are the result of credential stuffing.
If you use a strong password for each online site then I'm afraid something else must be going on 🤔.
I agree with you port and sim swap protection should be an option but sadly it's not.
09-23-2020 03:14 PM - edited 09-23-2020 03:17 PM
@gillianchreptyk That's a great question. It sure seems like there have been an awful lot of these at PM lately. In your case, password remained same so they came across it somewhere somehow. Do you or perhaps a better question is - Did you use the same passwords for more than one account online? Not sure what is technically possible but something would be nice. Is PM telling you when it was done? Can they tell you from what IP address it was done? This is a case of identity theft or at least attempted, have you contacted the authorities at all? Someone accessed your account illegally. I don't know what they could do, maybe hold PM's feet to the fire.Hope everything works out for you.
09-23-2020 03:13 PM - edited 09-23-2020 05:26 PM
@xxxxxx...
excellent topic for discussion. I hope a moderator will be able to contribute some input and offer some suggestions for prevention.