SIM card theft: Discount provider, discount protection? | The Star
By Tristan Péloquin, La Presse (Torstar)
Mon., June 28, 2021. 7 min. read
MONTREAL - Telus customers who were victims of SIM card scams are sounding the alarm on apparent flaws in the company’s security systems. An employee of its discount subsidiary Public Mobile even told a customer that the service she uses is “more at risk than others” because she pays less.
“If you pay for a discount service, we’re not going to invest as much in the system. You’re not going to invest millions when you have customers paying $5, $10 or $15 a month and it’s not profitable. At the end of the day, it’s a private company.” This is a transcript of what a Telus representative in charge of customer data protection told Public Mobile customer Annie Montplaisir last March, a few days after Montplaisir’s phone was hacked.
The individual used a hacking technique called a SIM swap scam to gain control of Montplaisir’s phone. They then ordered $2,700 worth of clothing with the victim’s credit card, delivered to an address in Laval.
To prevent this type of fraud, many mobile network operators let customers set a four-digit PIN on their account that must be supplied before the number is moved to a new SIM card. Other providers go a step further: before making any change to the account, they text the phone currently in service and proceed only if the customer confirms.
But Montplaisir, a lawyer by profession, was amazed to find that she had no such protection on her account. When she realized her phone was unreachable, she wanted to call Public Mobile and speak with a representative, but struggled to do so because the service had no emergency hotline.
“When you get defrauded, every minute counts. There should have at least been a number where I could talk to someone,” Montplaisir said.
When she finally reached an employee of Telus’ privacy department a few days later, they explained that the Public Mobile system was “older” than those of Telus and Koodo, and that the latter were therefore “safer.”
“Every time we talk to (customers of) Public Mobile, we tell them this information, to (encourage them to) move to a more reliable, secure system,” the employee said.
Telus told La Presse the company had conducted an internal investigation following the statements.
“Public Mobile is a very important brand for us. To say that we are not investing in it is absolutely false,” said Jim Senko, president of the company’s Mobility Solutions team.
“This is our fastest growing subsidiary, and we have spent a lot of money to improve its security,” he said, adding that more advanced verification measures had been implemented since the scam that affected Montplaisir. For example, it is no longer possible to complete a SIM card change entirely online on the Public Mobile site, as the attacker did in Montplaisir’s case.
“These measures have significantly improved the situation,” Senko said. Other, more extensive security upgrades will be added “within a couple of weeks,” he said.
“An obligation, period”
The conversation with the Telus employee, whose audio recordings Montplaisir obtained following a request for access to her personal information, shocked three data privacy experts consulted by La Presse.
“The obligation to protect personal information cannot be conditional on the price paid for the service. It does not work like that,” said Pierre Trudel, law professor and member of the Research Centre in Public Law at the Université de Montréal.
“The security obligation is an obligation, period. Suppliers cannot say that it would cost too much to justify offering a less secure service,” added Vincent Gautrais, L.R. Wilson Chair in Information Technology and E-Commerce Law at the Université de Montréal.
“The conversation suggests rather blatant neglect if they are aware that their systems are less secure. Data should be protected based on its sensitivity, not on the price the customer pays,” said Danielle Olofsson, a lawyer specializing in data protection and privacy.
Security measures for other discount subsidiaries of large mobile network companies have increased in recent months. However, a customer service employee at Chatr, a Rogers subsidiary, told La Presse that she was “not aware” that it was possible to protect a SIM card with a password. After checking with her colleagues, she said she “would not recommend doing this.”
“If you forget your code, there is nothing we can do (if you have a problem),” she said. Rogers said it has other authentication steps, including passwords, security questions and customer voice recognition, to prevent fraud.
Like Public Mobile, Fizz, the discount subsidiary of Videotron, uses an online system for transactions with customers. The company said it requires two photos of proof of identity and a chat session with an agent before authorizing a SIM transfer. When in doubt, customers are directed to in-person branches of the company.
Other victims
SIM card fraud has been called a “gigantic and scandalous problem” by the Public Interest Advocacy Centre (PIAC), a non-profit organization trying to force the Canadian Radio-television and Telecommunications Commission (CRTC) and mobile network companies to appear before a parliamentary committee.
“The repercussions for consumers, who increasingly use their cell phones to confirm their identity by text message to a variety of services, are extremely profound,” said John Lawford, the organization’s chief executive. “Phone companies are hiding the magnitude of the problem because it is extremely troublesome for them.”
Jean-François Comeau, a Telus customer who contacted La Presse to share his story, said $40,000 in foreign currency was stolen from his cryptocurrency account following a SIM card scam. Only after the scam were “special instructions” added to his account requiring additional verification steps before any SIM change is authorized.
“Telus even trivialized the event, saying ‘it happens in all telecom companies,’ ‘fraudsters will always find a way to hijack our data protection methods,’ ‘the police won’t be able to do anything for you,’ etc.,” said Comeau, who filed a complaint with the Office of the Privacy Commissioner of Canada.
The federal agency declined to comment but acknowledged that SIM card fraud is “clearly a significant problem with far-reaching implications for the privacy of Canadians.”
Marc, another victim, who requested anonymity for fear of being targeted by further scams, said $600 in chips was stolen from his online poker account after someone hijacked his Telus number. According to him, the PIN that was supposed to protect his number against unauthorized transfers was “1-2-3-4,” the default sequence the provider set when the account was created.
“Telus has been negligent. I feel violated. I no longer feel safe,” he told La Presse.
Telus did not comment on these two cases.
The CRTC is “lethargic,” according to an expert
Given the scale of the situation, in July 2020 the CRTC asked all mobile network providers to submit a monthly report indicating the number of subscribers who were victims of this type of fraud. The providers, however, refused to make this information public, claiming that releasing it would let fraudsters exploit the smallest details and increase the attacks.
The CRTC announced on Wednesday that it would release some information illustrating the “data trend” related to the phenomenon on July 8, but no details about individual providers will be made public. The agency declined to answer La Presse’s questions for this report.
“It shows how much the CRTC needs a serious boost,” Trudel said. “The organization has dragged its feet for 20 years, when it is its mandate to take these issues seriously. There is a lethargy that causes it to no longer play its role.”
A House of Commons report from November 2020 notes that “very little, if any, compensation is generally given to victims of illegal SIM card transfers.” Montplaisir was offered a $40 rebate on her Public Mobile bill for the month of April as compensation.
“When you consider that I had to spend, at least, twenty hours or so on the phone to resolve the problem, I consider that to be the least they could do,” she said.
How do SIM swap scams work?
Every phone on a cellular network uses a subscriber identity module (SIM), usually a removable card, whose chip holds the credentials that identify the subscriber to the mobile network. It is the key to accessing the network: whichever SIM the provider associates with a phone number receives that number’s calls and text messages.
In a SIM swap scam, the fraudster contacts the victim’s mobile network provider (by phone, in a store or through an online self-service form) pretending to be the victim, claims that they have lost their phone, that their SIM card no longer works or that they wish to change providers, and asks that the number be transferred to another SIM card they control.
If the scam succeeds, the fraudster only needs to insert this second SIM card into a phone to take over the victim’s number. The victim’s own phone silently drops off the network, and in most cases the victim does not immediately realize that their service no longer works.
From then on, the fraudster receives the victim’s calls and text messages. If the victim has protected their email, bank or social media accounts with two-step verification that sends a one-time code by text message, the fraudster receives that code. They can then reset passwords, take control of the victim’s accounts and collect personal data. In most cases, the victim, who does not know the new passwords, is no longer able to log into their own accounts.
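The two controls described earlier in this article (an account PIN that must be supplied before a number is moved, and a confirmation text to the SIM still in service) and the three failure modes it reports (no PIN at all, a default PIN of 1-2-3-4, and SMS one-time codes arriving at the attacker’s SIM) can be shown together in a small model. The following is an added example written for this page, not code from Telus, Public Mobile or any other provider, and it does not use any real carrier API. The policy values (the list of default PINs, a three-attempt lockout and a 48-hour cooling-off window during which a relying party should not trust SMS codes sent to a recently swapped number), the subscriber record, and the phone number and ICCIDs in the walk-through are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

# Constructed policy values for this example; not any carrier's real settings.
DEFAULT_PINS = {"0000", "1111", "1234", "4321"}   # sequences a provider might ship as a default
MAX_PIN_FAILURES = 3                              # lock the transfer path after this many misses
SIM_SWAP_COOLING_OFF = timedelta(hours=48)        # relying-party window after a SIM change


@dataclass
class Subscriber:
    msisdn: str                               # the phone number
    iccid: str                                # SIM currently mapped to the number
    pin_salt: bytes
    pin_hash: Optional[bytes] = None          # None: customer never set a transfer PIN
    pin_failures: int = 0
    sim_changed_at: Optional[datetime] = None


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Stretching a 4-digit PIN does not make it strong; the attempt limit in
    # authorize_sim_change is what stops guessing. Hashing only keeps the PIN
    # out of any dump of the subscriber table.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_transfer_pin(sub: Subscriber, pin: str) -> None:
    """Customer-chosen PIN; refuse the well-known defaults outright."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("transfer PIN must be exactly four digits")
    if pin in DEFAULT_PINS:
        raise ValueError("transfer PIN is a well-known default; choose another")
    sub.pin_hash = hash_pin(pin, sub.pin_salt)
    sub.pin_failures = 0


def authorize_sim_change(sub: Subscriber, new_iccid: str, pin_supplied: Optional[str],
                         old_sim_confirmed: bool, now: datetime):
    """Carrier-side gate for 'move my number to this new SIM'. Returns (granted, reason)."""
    if sub.pin_hash is None:
        # No PIN on file is a reason to escalate, never a reason to skip the check.
        return False, "no transfer PIN on file; route to full identity verification"
    if sub.pin_failures >= MAX_PIN_FAILURES:
        return False, "transfer locked after repeated PIN failures"
    supplied_hash = hash_pin(pin_supplied or "", sub.pin_salt)
    if not hmac.compare_digest(supplied_hash, sub.pin_hash):
        sub.pin_failures += 1
        return False, "transfer PIN mismatch"
    if not old_sim_confirmed:
        # The confirmation text goes to the SIM still in service, which the
        # attacker does not hold; a silent swap is exactly what this blocks.
        return False, "awaiting confirmation from the SIM currently in service"
    sub.iccid = new_iccid
    sub.sim_changed_at = now
    sub.pin_failures = 0
    return True, "SIM changed"


def sms_otp_allowed(sub: Subscriber, now: datetime) -> bool:
    """Relying-party side: a number whose SIM changed very recently is not a
    trustworthy second factor, so the service should fall back to another channel."""
    if sub.sim_changed_at is None:
        return True
    return now - sub.sim_changed_at > SIM_SWAP_COOLING_OFF


def demo() -> dict:
    """Walk through the article's failure modes on a constructed subscriber."""
    t0 = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    sub = Subscriber("+15145550100", "8912345678901234567", pin_salt=b"example-salt")
    new_sim = "8919999999999999999"
    out = {}
    # 1. No PIN at all: an online request must not go through unattended.
    out["no_pin"] = authorize_sim_change(sub, new_sim, "1234", True, t0)[0]
    # 2. Default PIN: refused at set time, so it can never be the only secret.
    try:
        set_transfer_pin(sub, "1234")
        out["default_rejected"] = False
    except ValueError:
        out["default_rejected"] = True
    set_transfer_pin(sub, "7391")
    # 3. Guessing: three misses lock the path even if the next guess is right.
    for guess in ("0000", "1111", "2222"):
        authorize_sim_change(sub, new_sim, guess, True, t0)
    out["locked_after_guesses"] = authorize_sim_change(sub, new_sim, "7391", True, t0)[0]
    sub.pin_failures = 0  # customer cleared the lock through a verified channel
    # Correct PIN but no confirmation from the old SIM: still refused.
    out["unconfirmed"] = authorize_sim_change(sub, new_sim, "7391", False, t0)[0]
    # Legitimate change; SMS codes then stay blocked for the cooling-off window.
    out["legit"] = authorize_sim_change(sub, new_sim, "7391", True, t0)[0]
    out["otp_1h_later"] = sms_otp_allowed(sub, t0 + timedelta(hours=1))
    out["otp_3d_later"] = sms_otp_allowed(sub, t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The carrier-side gate refuses on any of three grounds (no PIN on file, PIN mismatch or lockout, no confirmation from the old SIM), and the relying-party check is the mirror image: a service that relies on SMS codes can refuse to send them to a number whose SIM changed within the window and ask for another factor instead. The lockout counter matters more than the hashing, because a four-digit space is only 10,000 guesses.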