Community

@clarahong all these institutions are making it easier and easier to be imprsonated. the person that hacked on Rogers wireless was cause the theif was using a chat bot to speak to representatives and slowly acquiring all the personal information of the lady. she lost 30k from 2 bank accounts. it's really scary in these times. I lost my wallet a couple years ago and I quickly called Equifax and froze the ability to make any new accounts for anything. you should ask PM to send you chat logs to see how they were able to gain access. it's one of your rights. also don't use a username to log in to your bank accounts.

when responding to someone Clara click the quotation so we can understand which question you are referring to. 

What do you mean?

I had activated my number at Walmart about three years ago.

I have done already. Thank you though. 

@clarahong To prevent fraudelent porting replace your name in your self service account. PM only requires payment.  Ie Johnny LesToilettes 

I wanted to remove my cell number after the incident at the bank but the teller said that the dual security is mandatory with cell phone. I don't have a option. And also, I never downloaded app and use the mobile banking on the phone. That's why I didn't understand how it could happen. The thief logged in my bank account and played right after my phone number ported out. Everything was happened in 30minues! Can you imagine? 

I'm with you there I never trust those links in text or email, I'll go login separately and normally everything's fine. But I don't think you can log in with phone number for any banking? At least none of mine, they need either card number or nickname, I don't even think any use email either... They'll update you through email like recent covid messages. But I thought you meant literally erase all personal info from your banking. But they need a way to contact you if they should notice something insecure before you do or even to offer you a promo

@Pawprints1986 I was talking about logging in to your bank account with your phone number... I don't have that option to login to my account like that. and e-transfer confirmations are all done by my email I never get texts because I don't trust those. scammers are using text messages nowadays. always call your bank account to confirm anything and never click on a text message link. if I ever get a text message from CRA or bank etc. ill delete the message right away and log in manually to check if this is true or call. I will never log in through a link

@gpixel that wouldn't be practical at all though. Any account changes, they contact you via text now to verify. So if you don't have a number at all there's no adding etransfer recipient, adding or removing bill payee etc. You can't do all that without text verification. Even if you want calls only, they need a number to call...

@clarahong one thing you could do is delete your phone number from your bank account so it isn't so easy to log in. I'm guessing you are using an app for online banking? 

I'm curious if you activated your account at the Walmart? maybe there was a breach there with all your account info...

@Pawprints1986  That would be a challenge for an online bank. I no longer have any contact via telephone or email thru my account. My bank can call me in their internal records but they know I have requested not to use those methods for contact so if anyone tries to....its not me.

So, we are getting true port protection come the end of April?

In sorry for all the other hassle you've been going through... What a stressful time...

Also I don't think banks let you remove emails and phone numbers? Especially online only banks. They need ways to contact you... I get the rest of it but that seems like it would cause more issues than it would resolve... 

@clarahong  It's good to hear that you're in the process of recovering your losses (albeit slowly). From my own experience of having my identity stolen (but not my phone number) I had my own distrust of all things online saved me from any real financial loss. But I learned a few things along the way.....including that my bank wasnt as secure as they assured me they were and they did not communicate all the security measures I could have taken following the identity theft. The fraudsters were also able to thwart some of the security despite the banks best measures that were already in place and were unable to explain how the fraudsters were able to do so.

• Never stay signed into your accounts.
• Don't use the remember me option.
• I never save my passwords on my devices.
• Use all secondary verification questions.
• Remove phone numbers and email from your accounts so they are only accessible to internal bank employees. Don't use your ph# or email for secondary verification.
• Don't use your bank card number for log in. Have an esoteric username.

Despite having most of the above measures in place the fraudsters were still able to steal all my credit card reward points and book a hotel and car rental thru the rewards program. They were also able to set up preauthorized payments from my new replacement credit card that i had not received or activated. Even bank employees did not have access to the new card # yet the fraudsters had access to it. Even six months later they accessed interac to have any etransfers sent in my name redirected to someone else in a different province at a different bank. Be vigilant! Did i mention the 25+ credit card applications and 2 new device+plan applications? Set up fraud alerts! Stay safe.

The serious problem was that the stealer logged in my bank account with my phone number (I have dual security) and took my huge money with E-transfers. I spent all three days to go to the bank, RCMP, and contact PM to solve the issuein this difficult pandemic period. I even couldn't work and sleep at that time. PM should have moral accountability for the issue and strong protection policy because if we are stolen our phone rnumbers by unauthorized porting out, that means we can lost everything such as bank account, email, social media, and so on!

You asked me that my issue was solved, right? 

Yes, the port team found my number (I don't know how...) and I got my number back. My phone is working now as usual. Then, PM said that they will implement port protection same as Telus and Koodo in the end of April, 2020. My reply has been deleted by PM and they bloked me for a while. So I could not write reply to message here. But now it works. 

You do make a good point, but I never leave my phone laying around at work. Or anywhere besides home. Can I trust them? Probably. Do I know for sure? No. It's in my pocket always when out

Casually observing some of my friends and coworkers.

It looks like nobody really bothers to hide their screenlock code/PIN. A few don't bother to use it at all. Many keep their phones plugged into chargers on powerbars and scattered outlets, unattended, accessible to any of us, sometimes accessible to strangers. Environments where everybody basically knows everybody and trust each other, at least enough to know nobody's going to steal your phone, lol.

And it looks like these phones are automatically, constantly logged into youtube, google/gmail, facebook, twitter, instagram, apple, etc.

Because people don't want to miss realtime notifications. Because nobody is going to bother typing in a hard-to-guess password (containing uppercase, lowercase, numbers, letters, special characters, etc) every time they click that icon, especially not on touchscreen keyboard.

So the phoned are accessible (and, as often as not, could be used or moved unseen), some are completely open and unlocked, most of the others could be opened or unlocked after watching the owner use them once or twice, almost all of them are already logged into email and social media. Maybe even logged in (or have stored the passwords for) online banking, paypal, etc. Likely also have browser history leading to login sites, likely have autofilled fields with full name, address, credit card, etc.

So it looks like stealing someone's phone, online identity, and money wouldn't be so hard. All the information you could ever need about the person, and more. The most sinister part is that you could simply take notes, put the phone back, and make your moves (change passwords, steal accounts, steal money, etc) hours or days later, choose your timing and distance, create more confusion and obfuscation.

Tatgets are wide open, unless they stubbornly lock things with passwords, consciously avoid helpful auto conveniences, or only use their mobile device to manage disposable "junk" accounts and trivial funds (use a different computer to isolate all important/sensitive/financial logins).

Hoping I won't ever need to know this, but it is good to keep in mind !

@Pawprints1986   Correct.

Good to note 🙂 and I'm guessing, that once you've contacted staff and they know not to proceed with a port, that your sim and plan and number will resume as normal, once it's safe to mark it as found?

@Pawprints1986  I can't confirm because Ive never done it myself but yes that is supposed to work. That is the original intent of the lost/stolen feature. It disconnects the sim card (that the number is attached to) from the system therefore making it impossible to port. But you would have to do as soon as you recieve the text or of course if you lose or have your phone stolen.

So, if you catch it in time and mark your device  as lost, the port cannot continue to be done? Am I reading that right? 

@hyT  Did you read this thread thoughly? I wouldnt say public mobiles port protection is inadequate  per industry standard. Other mobile providers are only now employing secondary porting protections. With no phone support it makes it more difficult to fraudently port a number from public mobile but it can still happen. When it does happen its almost always because the victim has not kept personal info confidential and secure and an enterprising criminal has taken advantage of that lapse in personal .security.

    We are asking for a change to pms current porting protection plan to and another layer of security to make it even more difficult to port out a phone number fraudently or legitimately. If your number had been fraudently ported from freedom would those emails have prevented it? I doubt it. As is the issue with the SMS text from public mobile. But you have options here to beef up security on your account on your own without needing moderator help. If you would like to increase the unlikelihood of a fraudent port employ all or some of the following:

1. Choose a strong password that you keep secret from everyone.
2. Use an email that is not associated with any personal financial accounts.
3. Make subtle or complete name changes on your profile in your account.
4. If you suspect or get a SMS text from public mobile indicating an unauthorized port request immediately log into your account and report your phone as lost/stolen.
5. Follow up step 4 by opening a service request via Simon with fraudulent number port in the problem/issue subject line and remove the SIM card from your phone.
6. If you do have your account email or phone number associated with any financial accounts contact those accounts and place holds on them and/or change the verification contacts and change those username and password log ins.

Steps 1 thru 3 employ extra security safeguards to prevent successful fraudulent ports. Steps 4 thru 6 give you additional techniques to thwart an unauthorized port from being successful. This gives you control over the security of your account. The majority of other providers cannot give you these options.

I am relatively new to PM. I have read this thread and would like something clarified for me.

I have a Self-serve account registered with my real name in my Profile. I have registered for Auto-Pay with the same real name on my credit card. My sign-in name for the Community is NOT related to my Self-serve account at all.

Is it true that I can afford myself some degree of protection from SIM-jacking or having my phone number stolen if I alter my profile name in the Self-Serve account? Will it not affect the name in my credit card info stored in PM for Auto-Pay?  Doesn't asking PM to port out my number require my PM PIN also?

I have recently ported my number in from Freedom Mobile to PM. I had to give my Freedom PIN to a moderator to do the porting. It went very smoothly and quickly. All I got from Freedom was 2 emails which I read a day later. They were sent to me 2 minutes apart, the first one informing me of the port request, the second one was 2 minutes later about the success of the port. I was told by both emails to call a phone number if I did not initiate the port request. Hardly secure at all if it was not a legitimate port!  So PM is not the only provider whose port security is inadequate.

2FA through email and SMS seems the most practical way for PM to implement a "secure" number port/change request.

As in you (or someone) logs in Self-Serve to make the port request, as usual. Then an email is sent, you must then login (to click a link) within 24 hours to "authorize" the port request. And an SMS is sent to your existing number, you must respond (with your PIN or some other random session passcode) to "authorize" the port request. Then, after both "authorizations" PM's system begins the number port.

It's not bulletproof. But it forces someone to know your Self-Serve login, your associated email login, and have access to your phone. If you didn't make the request then you'll see something fishy you probably wouldn't otherwise notice in time, or you won't notice it but it'll fizzle without "authorization". If you don't have your phone (and you kept your passwords all over it) then there's nothing PM can do but at least there's a chance you can narrow down the list of suspects who would have had access to it during that time. If you did indeed request a number port from Self-Serve then you can click the email link and reply the SMS code quick enough, the port will only be delayed by minutes. So it's more security, not much less convenience (an important consideration for new PM customers getting set up at legit PM retailers), and it works with information/systems PM already has on file.