02-17-2020 10:13 AM - edited 01-05-2022 09:32 AM
In an online world where a lot of websites are offering a "Two-Step Verification (2SV)" method for increased security on the user's personal account, I'm surprised to see that PM Self Serve login is still just a simple password to access your account and your personal information.
How hard is it to offer the users a "Two-Step Verification (2SV)" option as a second layer of defense? This is an optional feature that any user can enable or not, as they wish.
Or at least PM Self Serve can offer the option to enable asking the user a "Personal Verification Question" as a sign in protection after the account password is entered. Again, this feature is optional, enabled or not, your choice: "Ask a PVQ each time I sign in to my account".
Will any of these two features be implemented in a near future for the PM Self Serve login?
PS: Just to give you an example of why it is needed - I have a habit of changing the passwords on my accounts every other month, and for the PM Self Serve account, I'm NOT even getting an email notification saying that the password on the account has been changed - another big security flaw here. A user account can be easily compromised and locked out, the number ported, and the user will not even know until the phone says "No Service".
11-19-2020 03:20 PM
@Anonymous wrote: The idea being floated around about security is similar to the port-out problem. Send a text and wait for confirmation. They do that now for port-outs. Not yet for SIM change. Either on-screen entering of one's PIN or sending a text looking for confirmation.
There's one important difference.
The (old) phone number still works fine when a number port is requested. Legit number port request, criminal number port request, doesn't matter.
It can still receive SMS.
The (old) SIM card may or may not work. It may be lost, stolen, broken. It may be considered "unsecure" or "untrustworthy". A legit request for a new ($10) SIM card usually happens because something is wrong with the old SIM card, it somehow won't work or can't be used.
So it can't receive SMS.
11-19-2020 01:34 PM - edited 11-19-2020 03:25 PM
@KenWieske : Good story. And then we have another customer waiting days for his credit card problem.
The idea being floated around about security is similar to the port-out problem. Send a text and wait for confirmation. They do that now for port-outs. Not yet for SIM change. So an on-screen entering of one's PIN or sending a text looking for confirmation would be useful.
Edit: thanks @Korth
11-19-2020 01:28 PM
This morning a hacker somehow accessed my PM self-service account and ported my SIM. Then he hacked into my Paypal and made fraudulent charges. I wasn't able to use 2FA to get into my accounts because the hacker had control of my SIM.
Thankfully I had an AMAZING and prompt response from a moderator in the community, and he gave me back my SIM in just a few minutes. But if the hacker had changed the password/login for PM, I would have been up the creek with no solution.
PM needs better security.
02-18-2020 10:48 AM
I am a big fan of password managers. I started with LastPass and am currently using Bitwarden. Recently I have been reading up on 2FA and have landed on Authy. It uses the Google Authenticator codes but allows you to view them on multiple devices or computers. This way I don't have to give out my cell number for SMS 2FA, especially with the growing concern of SIM stealing.
So yes, I agree that PM should implement a 2FA process, given how many other sites use cell phone numbers for security purposes.
02-18-2020 10:25 AM
@Korth, I never heard of or I'm not aware of any websites or providers that are making 2 Factor Authentication mandatory for regular users. When they implement this or when you create an account with them, the 2FA is turned off by default. You don't even know that it is there until you go to the Security or Password tab and you notice it as an option for a second layer of security. As a regular user, it is your choice if you enable it or not (when you create your account or after the account creation)...it is not something that they force you to do unless your account is a Super User, Administrator or Moderator and, if it gets compromised, the damage will be significant (even then, I saw lots of situations where they didn't enforce 2FA for these types of high privilege users; it all depends on the company policies).
The question is indeed more for the Public Mobile management: "Are they going to offer this optional feature for the PM regular users in the near future?". We'll probably see about that...
02-18-2020 02:38 AM
I suspect PM appeals to some customers precisely because it lacks "too much" identity authentication. Some people are very sensitive about "privacy" and prefer to subscribe to things as anonymously as possible. The only information you really need to provide at sign up with PM is your email address and your area code, anything else is basically voluntary (although certain information is necessary for AutoPay discount) and in strictest legal terms you're not even violating Terms of Service if the information you submit is not false or fraudulent (even if it's uninformative or incomplete).
We automatically think of things like blackmarket burner phones used by criminals, but there are plenty of people with other (legal, legit, perhaps strangely paranoid) reasons to prefer anonymous subscription mechanisms.
I believe extended security features (like 2FA) should be optional. It's okay to inform customers of the benefits extra security features will provide them, it's okay to recommend or urge customers to use the extra security features you provide them, it's not okay to deny them their right to opt out.
02-17-2020 11:52 PM
If the community cannot answer this, how can PM customers get answers to questions like OP's?
I'd like to have the option of 2-factor, and port protection/validation. The Port-out/SIM Swap scam may only have happened to a few people so far, but only once would be enough to be disastrous.
I would appreciate it if someone can point out the way to share feedback in the direction of decision makers. Thanks
02-17-2020 08:09 PM
I totally agree with you @Korth, hopefully some decision maker people from PM will take a look occasionally at this community board for suggestions on improving the service.
Shortly before you replied to this post, another case of porting scam made the CTV News, on Rogers:
https://winnipeg.ctvnews.ca/new-scam-uses-your-phone-number-to-steal-your-online-identity-1.4815791
02-17-2020 05:25 PM
More question-answer challenge protocols serve little purpose. In practice they are basically just a second password the legit user must enter - which effectively doubles the chance of users forgetting a password - and which effectively adds no security since thieves aren't going to carefully steal only one ring off your entire keychain before they have a go at your locked stuff. You could simply choose one password which is twice as long to gain higher overall security.
Two-Factor Authentication is best used for initial identity setup and as a fallback mechanism, not as a common entry vector.
Email seems like the obvious choice - and it's already incorporated into account signup and activation.
Phone calls or SMS also seem obvious because every PM customer has one - but they wouldn't be workable because, I think, the majority of PM customers deal with all authentications once (and set up AutoPay) then never bother to login to Self-Serve again unless there's a problem with their payment/service (i.e. they'll only need to login to Self-Serve while their phone/SMS doesn't work).
So how could PM implement 2FA differently? And how would these differences make it work better?
02-17-2020 10:37 AM - edited 02-17-2020 10:37 AM
Exceptional point @FZ6R_fan. There should be such an option to do it. I'm with the PC Optimum rewards system and their 2 tier question is to email a code to the email on file, which I then have to enter in order to access the site. I can only say that maybe they assume that you login using your phone, making a 2 step process redundant and an impediment depending upon where the 2nd verification step is directed. For example, you are on your phone, with no data, and the 2nd step goes to your email address on file. 🤔
02-17-2020 10:20 AM
Community cannot know this. Only decision makers. We are just users like you.
02-17-2020 10:19 AM
I think the default response is that this is a tier 3 service provider, no frills etc. However, in this case I don't even recall that being an option when I was on TELUS. I would think they would implement that on TELUS first and then trickle it down to flanker brands. Agree with you though, it would be nice to have the option for additional security.