
Sim Swap Scan Prevention

gillianchreptyk
Good Citizen / Bon Citoyen

Yesterday at 2am I was scammed via SIM swap and woke up without cell service and money from my PayPal missing. I don't know how they did it because my PM password wasn't changed so they would have had to guess it outright?

 

What I'm mostly requesting is - can PM start to think of ways to have extra security when someone wishes to swap SIM cards? I think these scams are getting more and more popular and more security (like a PIN?) would be nice.

It would be nice to get an email when someone has requested a SIM change, so there's a paper trail. Or even a log of log-in activity so you know if someone does it again.

 

I've changed my password but I want to know if there's more I can do to prevent this from happening again.

 

22 REPLIES

gillianchreptyk
Good Citizen / Bon Citoyen

@Korth 

I bought my original SIM card from Amazon!

gillianchreptyk
Good Citizen / Bon Citoyen

@gpixel 

Thank you for that info! Unfortunately port protections wouldn't even help me because my number wasn't ported out to another provider! I can even see how many texts they received between 2am-9am on my PM account.

gillianchreptyk
Good Citizen / Bon Citoyen

They did access my email but they are different passwords for sure. They used my phone number as the 2FA to change my email and PayPal password but that happened AFTER hacking the phone.

But yes thank you! I got their IP address (and also their mailing address from the Best Buy purchase) and have reported it to the authorities. 

 

 

kb_mv
Mayor / Maire

@Korth @gillianchreptyk Also consider the possibility that they got in through your email. Once in there they see the email from PM. Same password maybe? Bingo they're in. If you have Gmail, on the bottom right you see Account Activity.


Click details and you will see a window open that shows recent activity on your account and from which IP address (mine of course obscured).


 Do you recognize all of the entries?


@gillianchreptyk wrote: 

So yes I've filed a fraud report and a police report with all this info! I've taken my phone# off all 2FA log-ins but I just don't like how easy it was for them to get my SIM! 


Consider where you bought the SIM. If it came from Public Mobile then it hasn't been handled by anyone else. Nobody else could've seen (and copied) the SIM printed ID number. Nobody else could've duplicated (or tampered with) the SIM's digital ID contents.

Buying the SIM from other vendors is more risky. Buying the SIM from online vendors more so, because they know you can't show up banging their door angrily waving a receipt in their face. Buying the SIM from anonymous auctions (ebay, etc) is just begging for trouble.

There's plenty of legit vendors, honest folks doing straight business. If there weren't then the crooks wouldn't have protective camouflage. But why risk it at all on a $10 item?

 

Once somebody's got that info they can either use your name and phone number to request a number port or they can copy your "unique" SIM onto a blank SIM to steal service. Calamity if they can also steal away your entire cloud.

 

And they don't have any obligation to attack immediately. They might wait months or years. A compromised SIM card is vulnerable as long as it stays active.

gillianchreptyk
Good Citizen / Bon Citoyen

PM hasn't told me anything re: IP address, but I have their shipping info and IP address from Best Buy where they bought a TV 🙂 

So yes I've filed a fraud report and a police report with all this info! I've taken my phone# off all 2FA log-ins but I just don't like how easy it was for them to get my SIM! 

gpixel
Mayor / Maire

@gillianchreptyk there was a security breach at Koodo in February 2020. if you had an account in the Telus family tree before this time your information was most likely compromised.

 

the port protection they are working on, is the text message and you have to reply 'yes' to have the number ported. this method may be a good solution for sim jacking, but not for sim swaps. read through this thread

 

https://productioncommunity.publicmobile.ca/t5/Using-Your-Service/Port-Protection/td-p/591210/page/3

 

I also mentioned adding a pin to the change sim option. it is very unlikely anyone will know this pin, since pm only displays it in a text message once. yes the sim swapper may have the potential to change it because of knowing your info, but they won't know it right away and all we need is a notification saying there was an attempt of a sim change and hopefully it delays the process long enough for the customer to react. this is much better than nothing at all.

 

if you would like some security I suggest following these instructions

 

  • create an email strictly for public mobile
  • change your name and address on your self serve account
  • don't use your personal email password for the pm website
  • don't use password managers (chrome, safari, etc. browsers)
  • don't use your cellphone number as a 2fa for banks, PayPal etc. 
  • purchase another sim card in case this happens in the future and you will be able to re-swap your sim

Anonymous
Not applicable

No. It is not. 🙂 It's my pathetically unoriginal uncreative username inventing prowess.  After the lovely Z10 I got an even lovelier Z30. Then I got an S7. Now I have an A31.

Meh.

Wait ... it suddenly dawned on me ... are you saying that @Anonymous isn't your real name?

 

I guess it's time to scratch "Korth" off my birth certificate ...

@hairbag1 Rapscallions! Now there is a word we don't use near enough!


@Anonymous wrote:

@esjliv wrote:

I THINK I WILL - who is with me?


GET THE PITCHFORKS!! 🙂

 

To the OP: hopefully you're still reading this. Another protection is to Not. Use. Real. Information. Online. Anywhere. Your username here looks like a real name. Don't.


Excellent suggestion and I agree. We've all seen people put tres sensitive info into the Community Forum pages. I've seen full name, address, phone number, account numbers, voucher numbers c/w pins.

We need to all have a look to see if we've provided vulnerabilities to the rapscallions and ne'er do wells who would take advantage.

 

kb_mv
Mayor / Maire

@Korth What I meant with comparing your physical sim numbers with the ones in your account was as a way to tell whether or not someone has got into your account and swapped sims. It has happened a number of times here at PM just recently.

Korth
Mayor / Maire

@kb_mv 

 

You may be right. Although I doubt the SIM ID number is enough to prove you are you and to disprove someone else is you, regardless how much of your other information you still have vs how much of it someone else has taken.

 

At worst I think you'd be out ten bucks when you have to buy another SIM card. The same ten bucks you've already lost when your original SIM card was effectively stolen from you. The reality is that if you've somehow recovered the account after a SIM fraud then your SIM card is already compromised (it could all happen all over again) unless you replace it, and the only SIM ID number you need to know in that instance is the new one you're activating.

kb_mv
Mayor / Maire

@Korth wrote:

Scrub the number off your SIM card, you'll never need it again once the SIM has been activated.


@Korth Except when you have a problem, come here for help and someone tells you to go into your account and compare the sim number there with the one in your phone.

 

I agree wholeheartedly with what you wrote though. People don't seem to realize how much of their life is tied up in / to the cell phone. I make a conscious decision that that won't be me. I use a Password manager on my phone and desktop that has a unique, used nowhere else, not similar to anything password to get in and access all the others. You may get into my phone, but zero apps and zero websites have saved info. That's what my password manager is for. Plus I do NOT sign into chrome or opera or firefox to access my history or bookmarks across devices. This allows bad guys another avenue into your life.

 

I have a spreadsheet for backup printed out here at home of ALL my known website accounts, usernames and passwords. There are 71 of them lol and I don't think I am on the high end of usage (to be fair these include my wife's important sites as well). I guard my online data closely. A lot of people (just look here on the forums) are not so fastidious.

Anonymous
Not applicable

@esjliv wrote:

I THINK I WILL - who is with me?


GET THE PITCHFORKS!! 🙂

 

To the OP: hopefully you're still reading this. Another protection is to Not. Use. Real. Information. Online. Anywhere. Your username here looks like a real name. Don't.

Korth
Mayor / Maire

The other vulnerability is the phone itself. It often stores all the owner's accounts, logins, passwords. Anyone who can get past the screenlock code has full access to everything the owner lets it access, plus a history of everything it's been used for and all the contacts, messages, calendars, notes the owner lets it remember.

 

I don't know if this is specifically what happened in this instance. But it's a serious risk which most people never even consider.

 

It's not hard to acquire somebody else's phone for a short time, if you're persistent enough to take the opportunity when they're inattentive. While you've got the phone you've got access to the unique number printed on the SIM card. The owner may have let you use the phone to make a call, leaving it open and unlocked. Or you may have observed the owner entering his PIN/code. Or you may know the person well enough to accurately guess the code.

 

Scrub the number off your SIM card, you'll never need it again once the SIM has been activated. Change all your passwords and secret questions and stuff. Try to use another phone number for 2FA (and erase any history of that number on the phone itself) so you always have a hidden security option and disaster recovery option. Use the screenlock religiously, and change the key on it every time you think it might have been compromised. Use all the security PIN options the phone offers so you can lock access to settings, "About..." information, and all the rest. Don't let other people use your phone - or at least supervise their activity on your phone closely - unless you're married to them. Run malware scans on all your devices to ensure you're not running somebody else's keylogger.

 

Even if you're surrounded by people that you trust, be aware that you can't necessarily trust all the people that they trust.

esjliv
Mayor / Maire

Hello @gillianchreptyk ,

I am so sorry this happened to you. And I do notice more of these happening, which makes me CRINGE, angry and a bit paranoid, actually. 

 

Telus does provide this article, but I do not see much in terms of them (Telus/Koodo/PM) preventing this from happening to someone, just the basics of online "protect your info" stuff:

https://www.telus.com/en/wise/resources/content/article/sim-swap-scam-what-you-should-know

 

What can "we" do as a Community to push this issue further? 

Has anyone put in a ticket with moderators, questioning them on these increasing occurrences?

I THINK I WILL - who is with me?

jor123
Town Hero / Héro de la Ville

There should be some sort of two factor authentication for self serve. 

@geopublic @gillianchreptyk @hairbag1 I wonder how difficult it would be for Telus/Koodo/PM to implement MFA (NOT using phone number lol)?

geopublic
Mayor / Maire

@gillianchreptyk  The most important thing that you can do to prevent sim swapping is to not use the same password for more than one site. Most of these incidents are the result of credential stuffing.

 

If you use a strong password for each online site then I'm afraid something else must be going on 🤔.

 

I agree with you port and sim swap protection should be an option but sadly it's not.

 

 

kb_mv
Mayor / Maire

@gillianchreptyk That's a great question. It sure seems like there have been an awful lot of these at PM lately. In your case, password remained same so they came across it somewhere somehow. Do you or perhaps a better question is - Did you use the same passwords for more than one account online? Not sure what is technically possible but something would be nice. Is PM telling you when it was done? Can they tell you from what IP address it was done? This is a case of identity theft or at least attempted, have you contacted the authorities at all? Someone accessed your account illegally. I don't know what they could do, maybe hold PM's feet to the fire. Hope everything works out for you.

 

 

hairbag1
Mayor / Maire

@xxxxxx...

excellent topic for discussion. I hope a moderator will be able to contribute some input and offer some suggestions for prevention.
