*611 number not asking for PIN from Another phone

BearFBI
Deputy Mayor / Adjoint au Maire

I just called the self serve Public Mobile number from another phone. It asked to enter my phone number and I did. And it went straight to my account. And I was able to make a payment. It never asked for a PIN. Why is that? Is there a setting to make the PIN required while dialing from another device? I'm pretty sure when I first dialed *611 I set it so it doesn't require a PIN only on MY device. Anybody can just call that number and enter my phone # and they can do whatever they want.

 

I realized it requires a PIN for some account actions like buying an add-on. But not for the CC on file. This should be looked into as this is a security risk.

72 replies


@computergeek541 wrote:


Similar to this, the entire option to access the voicemail account without entering some type of password (even from the same phone) is a security risk. The way that the system always believes call display information to be true for making that determination isn't acceptable.


Interestingly, recently, playing with a cell phone from Bell, their voicemail access number 647-383-2355 appears to be ONLY reachable from the Bell Mobility network. If you try to call it from another carrier, it declares the number is not in service. This would be a pretty good defense against caller ID spoofing as well as "no ring" voicemail injection...


@BearFBI wrote:

This loophole has still not been fixed to this date. Seriously?


Public Mobile has at least changed 611 (or 855-4PUBLIC) so that you need to enter a PIN to make a payment from a pre-registered credit card. You can still enter anyone else's phone number to hear their current account balance and their next renewal date though.

 

Also, by default Public Mobile voicemail doesn't require a PIN when "dialing from your own phone" -- in reality, this merely means their voicemail system only checks that caller ID bears your own number. If the caller ID is forged using various methods including VoIP providers or Google Voice / Hangouts dialer, a hacker can access someone else's voicemail if you send their phone number as caller ID. This is the default, but you can configure it. The 611 gratuitous announcement of account balance and renewal date is not configurable by the user...
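To make the point of the posts above concrete, here is a small model of a phone self-serve (IVR) authorization policy. It is an added illustration, not Public Mobile's code and not code from anyone in this thread; the account data, PIN and number are constructed, and the "weak" policy is reconstructed from the thread's description (balance and vouchers need no authentication; a caller-ID match is accepted in place of a PIN). The point it demonstrates is that the presented caller ID is caller-controlled input, so any policy that treats a caller-ID match as proof of identity is, from a defender's view, equivalent to granting that action to everyone.

```python
"""Model of an IVR self-serve authorization policy (illustrative, constructed).

The presented caller ID is attacker-controlled (VoIP/PBX services let the
caller send any number), so it must never stand in for a PIN.  The weak
policy below follows the thread's description of the old behaviour; the
hardened policy never consults caller ID and PIN-gates every action,
with balance disclosure without a PIN left as an explicit policy switch
because that tradeoff (customers who forgot their PIN) is debated above.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    HEAR_BALANCE = "hear balance and next renewal date"
    REDEEM_VOUCHER = "apply a voucher to the account"
    CHARGE_CARD = "charge the registered payment card"
    VOICEMAIL = "open the voicemail box"


@dataclass(frozen=True)
class Call:
    presented_number: str       # caller ID as delivered to the IVR; NOT verified
    account_number: str         # number the caller keyed in at the prompt
    pin_entered: Optional[str]  # None when the caller entered no PIN


# Constructed sample account store (hypothetical, not real data).
ACCOUNTS = {
    "4165550100": {"pin": "1234", "balance": 25.00, "renewal": "2020-09-01"},
}

# Under the weak policy these need no authentication at all.
WEAK_NO_AUTH = {Action.HEAR_BALANCE, Action.REDEEM_VOUCHER}


def _pin_ok(call: Call, acct: dict) -> bool:
    """Constant-time PIN comparison; a missing PIN is never accepted."""
    return call.pin_entered is not None and hmac.compare_digest(
        call.pin_entered, acct["pin"]
    )


def weak_authorize(call: Call, action: Action) -> bool:
    """Policy as described in the thread: no auth for balance/vouchers,
    and a caller-ID match is treated as proof of identity for the rest."""
    acct = ACCOUNTS.get(call.account_number)
    if acct is None:
        return False
    if action in WEAK_NO_AUTH:
        return True
    if call.presented_number == call.account_number:
        return True  # caller ID trusted as authentication: the flaw
    return _pin_ok(call, acct)


def hardened_authorize(
    call: Call, action: Action, disclose_balance_without_pin: bool = False
) -> bool:
    """Caller ID is never consulted.  Everything is PIN-gated; reading the
    balance without a PIN is allowed only if the operator opts in."""
    acct = ACCOUNTS.get(call.account_number)
    if acct is None:
        return False
    if action is Action.HEAR_BALANCE and disclose_balance_without_pin:
        return True
    return _pin_ok(call, acct)


def compare_policies(call: Call) -> dict:
    """Map each action name to (weak decision, hardened decision)."""
    return {a.name: (weak_authorize(call, a), hardened_authorize(call, a))
            for a in Action}


if __name__ == "__main__":
    # A call whose caller ID was set to the victim's number, with no PIN.
    spoofed = Call("4165550100", "4165550100", None)
    for name, (weak, hard) in compare_policies(spoofed).items():
        print(f"{name:15s} weak={weak!s:5s} hardened={hard!s:5s}")
```

The useful check for any real IVR is the same as the one `compare_policies` performs: build a call whose presented number equals the account number but carries no PIN, and confirm that no per-account action is granted.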


@BearFBI wrote:

This loophole has still not been fixed to this date. Seriously?

 

@J_PM Could PM look at this again and actually fix it? The original post explains the problem.

 

 


Similar to this, the entire option to access the voicemail account without entering some type of password (even from the same phone) is a security risk. The way that the system always believes call display information to be true for making that determination isn't acceptable.

 

Any fix for 611 shouldn't rely on call display either.

BearFBI
Deputy Mayor / Adjoint au Maire

This loophole has still not been fixed to this date. Seriously?

 

@J_PM Could PM look at this again and actually fix it? The original post explains the problem.

 

 

@computergeek541 

I missed @Nezgar's post and he does bring up a good point that I hadn't thought of that would solve the issue that we all do agree on... the ability to gain (while limited) unauthorized access to PM customers' accounts. Since we all have the ability to choose whether we want to enter a voicemail PIN# when we call from our own devices, there's no reason PM cannot do the same for basic access to our accounts through 611 or the 1-855 number. Then the customer can choose whether or not they want or need the extra step based on their own habits and preferences.


@darlicious wrote:

@computergeek541 

The issue with access to the financial card on file has been fixed, as answered by Catherine earlier today. The question is whether any account access should be allowed without the PIN#. While I don't like the idea of anyone accessing my amount due or payment date, given the amount of customers who don't know their PIN#, some basic account access needs to be available for the customers who only use phone service for account management.


I'm aware of this, and while I would say I would consider hearing the balance of another person to be minor, I also agree that this shouldn't be happening and does need to be corrected.

 

My response to @Nezgar was about how the voicemail system at Public Mobile isn't secure.

@computergeek541 

The issue with access to the financial card on file has been fixed, as answered by Catherine earlier today. The question is whether any account access should be allowed without the PIN#. While I don't like the idea of anyone accessing my amount due or payment date, given the amount of customers who don't know their PIN#, some basic account access needs to be available for the customers who only use phone service for account management.


@Nezgar wrote:

@Jb456 wrote:

Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/ Alan months ago and someone deleted the thread.


How about ask for a PIN when calling from ANY number? It's trivial nowadays to spoof your caller ID on outgoing calls with various business phone systems, and hosted VoIP/PBX providers...

 

Also ensure your own personal voicemail is set to require a PIN when calling "from your own number" to protect against caller ID spoofing allowing someone to sail right into your mailbox.


By default, Public Mobile does not require a PIN to be entered if the system thinks that you are calling from the same phone number. Unfortunately, this means that anyone has full access, whether authorized or not. To my knowledge, this has still not been fixed.

Hi @darlicious & @Anonymous

 

I do acknowledge that the scope of this is certainly not as urgent as some on here might be presenting it to be. 

 

It is indeed personal information, though. It is information that is relatable to an identifiable individual. It's information which is not the same for everyone, and it's information which is particular to an individual.

 

The "data" does not have to be a specific identifier to an individual (i.e. name, DOB, SIN# etc) for it to be considered 'personal' to someone.

 

Balance and next payment/due date information is not typically information which is used to verify an individual. BUT, they could be. I'm sure we've all had calls to companies where, as part of their verification processes, they may ask what the "current balance is" or "normal due date". It's just another manner in which a company may verify you to enable access to make account updates or changes.

 

And because of that, it's more information they should be offering to anyone calling, without a simple layer of security, like the PIN#.

 

 

Anonymous
Not applicable

@darlicious wrote:

 

*Geez, what are the chances I agree with @Anonymous twice in one day?!! lol!


Well...once...it's the same topic 🙂

@Jb456 

Again, I agree with @Anonymous, but by definition of the law it is not a privacy breach as it is not personal data.

 

4 (1). Personal data are any information which are related to an identified or identifiable natural person. ... For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.

 

*Geez, what are the chances I agree with @Anonymous twice in one day?!! lol!

Anonymous
Not applicable

@Jb456: Like I said earlier... I'm with you on principle... not on urgency.

@darlicious first, people should remember their PIN, simple as that. If they don't, do like everyone else and open a ticket for moderators.

 

It really does not matter what info the VR system says it's still a breach of security. 

 

If you look at it in another way (as all those scammers that do simjacks / unauthorized ports) think about the below for a bit. You have been on these forums long enough to know what I say below to be true.

 

First, and no offence to the moderators, some make mistakes, some contact wrong people with info, but we are all human and make mistakes.

 

Then you have people on these forums that provide way too much personal information. You also have people posting screenshots that are viewable to the public with personal information. I know that part as a fact as I had to message a few Oracles and say hey, your personal info is showing, you may want to remove it.

 

Then those same people that post personal info like a number, their full name, email & number or a screenshot with something personal. You know for a fact that they likely do that same thing on other sites or that even their social media is not locked down tight.

 

Scammers then start accumulating all this information. With that info, now they know the person's full name, address, email addy and lots of other information about the person.

 

Now they just need to gain access to the PM account, they need the password reset for example. So they can log in and complete the simjack.

 

At this point what else can they use to convince a moderator that it is really them? Well, let's call 1-855-4PUBLIC and hear when the next payment due date is and how much is in the balance. That's how. It's fine if the mod wants to ask for the security question because I probably can figure out the answer for that as well since I have pretty much all the person's information now on social media, etc. Typically people use an answer that is easily found.

 

So you probably can convince a moderator to get what you need.

 

As I said. Yes, I agree with you guys that, ok, it's not much information given out. However it is still a breach of security and if used correctly that little bit of info given without a PIN can be the last piece of protection from getting sim jacked.

 

Just saying!

 

 

@Jb456 

I have to agree with @Anonymous... you're stuck overseas because of the pandemic and you only have phone access to renew your account and you don't remember your PIN #? What do you do with no access to your account to find out the date and amount you need to renew? I wouldn't be surprised if there's a mandate to maintain basic phone access to your account, especially if there's no call centre to access.

@Anonymous  and again it's not the point. It's a breach of security simple as that. Regardless of what minimal info you can get.

Anonymous
Not applicable

@Jb456 wrote:

Ya, what @Anonymous said. I just called 1-855-4PUBLIC from my USA number and was able to get into my PM account.

@Catherine_T Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.


Again @Jb456: all you get is the balance and due date. You can redeem vouchers too. You need a PIN to do anything else. I don't get the urgency.


@Jb456 wrote:

Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/ Alan months ago and someone deleted the thread.


How about ask for a PIN when calling from ANY number? It's trivial nowadays to spoof your caller ID on outgoing calls with various business phone systems, and hosted VoIP/PBX providers...

 

Also ensure your own personal voicemail is set to require a PIN when calling "from your own number" to protect against caller ID spoofing allowing someone to sail right into your mailbox.

Ya, what @Anonymous said. I just called 1-855-4PUBLIC from my USA number and was able to get into my PM account.

@Catherine_T Please make the system ask for the PIN when calling from other numbers. I did mention this to Tiana/Alan months ago and someone deleted the thread.

Anonymous
Not applicable

@Catherine_T wrote:

Hi there,

 

Thank you for flagging this! This issue has been fixed as of August 27, 2020. If any further issues surface, please let us know.

 

Thanks,

Catherine


@Catherine_T: the current (and ongoing) concern here is that anybody can hear what anybody else's balance and due date is. It's great that you added the payment card PIN though.

Catherine_T
Retraité / Retired

Hi there,

 

Thank you for flagging this! This issue has been fixed as of August 27, 2020. If any further issues surface, please let us know.

 

Thanks,

Catherine

@HALIMACS 

Once the PIN # was added to secure that part of the account, the remaining access to the info and adding vouchers is the fine art of balancing the needs of the customer and privacy. For some, 611 or the 1-855 number is the only access they have... leaving the very basics to allow renewal, or more importantly unsuspension before the cancellation of the account, for those without 611 or access to their phones is paramount. Many customers have no idea what their PIN # is... this allows basic access.

Anonymous
Not applicable

@Jb456 wrote:

@Anonymous can you call hydro and ask for your neighbour's balance? Clearly not. Same should apply with PM.


I get the principle. I don't get the emergency.

This balance is a little different. It's not an amount reflecting what is owed.

Should I be able to know when the car plates expire? No. Oh but there it is in plain sight. Should deliveries be able to just drop off at the door (multi-family or house) without actually handing over? No. Oh but there's the name and address and possibly where the thing is from possibly indicating what it is. Maybe even a phone number. Should Dominos be able to have their sign on the delivery vehicles? Oh the Griswalds are having Dominoes tonight. etc.

@Jb456, that is a good comparison. I believe those making actual policy decisions within Public Mobile just are not aware of this. I'm not sure advising the Moderators of concerns such as these necessarily involves notification to senior staff or privacy personnel.

 

@Anonymous, it is certainly your choice to be comfortable with such information being out there. Indeed, it may be considered minimal to most. BUT, you'd be surprised at how little information it takes for a person with bad intentions to gain further access to other people's accounts.

 

 

@Anonymous can you call hydro and ask for your neighbour's balance? Clearly not. Same should apply with PM.

Anonymous
Not applicable

I am not one of those that fall into the category of what do I have to hide so who cares. Of course that's reserved for the authorities. ie. everything. 

If someone knows my phone number and calls the toll free and hears my balance and date due...I don't care.

But that's just me.

Someone raised a stink a while ago about being able to charge the pre-registered payment card without a PIN. Yeah alright. Who needs their payment card drained by some nutbar ex (of any gender).

But balance and date? I fail to see how that impacts me. You can't do anything with it.

Hi @esjliv .

 

This is, indeed, a questionable business practice, and a privacy issue.

 

The fact that ANYONE can use the toll-free automated service to find out anyone else's balance and next renewal/payment date is concerning.

 

I'm sure many will find it unsettling, but sadly, many also might not care less. It would seem that many people don't take their privacy of personal information as seriously as they perhaps should.

 

I will be curious to know if Public Mobile, and their Privacy Department, will address this.

Anyone like to offer up their phone number and I can do more testing? I don't think I tried all the options yet.

 

...Just kidding, of course.

Point is, you should not be able to access the account without entering your PIN when calling from another number. I can't call a company to inquire about my girl's account until I answer their questions before getting info about the account, regardless how minimal that info is. With PM you can do this.

 

Months ago I made a post about this and directed it to Tiana & Alan. The thread was completely deleted.

Anonymous
Not applicable

@Nezgar wrote:

Last I reviewed this, anyone could add money to your balance from your registered credit card without a PIN - up to a max of $150. It's still in your account and will eventually get used to pay for your plan renewals, but that's a lot of money to be "held up".

 

It would be good if they closed that - anyone willing to test? I did open a ticket with mods earlier this year regarding this but never heard back after they indicated looking into it.


It doesn't cost anything to try. It asks for the PIN as soon as you try to go in to using the payment card.

But the subject line adds some confusion. I haven't tried it yet from the 855 number. But I know it asks for the PIN in 611.

Last I reviewed this, anyone could add money to your balance from your registered credit card without a PIN - up to a max of $150. It's still in your account and will eventually get used to pay for your plan renewals, but that's a lot of money to be "held up".

 

It would be good if they closed that - anyone willing to test? I did open a ticket with mods earlier this year regarding this but never heard back after they indicated looking into it.
