Bad security practice

GonzoYolo
I'm a participant level 2

Asking to visit fido.ly domain by SMS is BAD security practice NO fido NO!

Came here just to say that.

13 REPLIES

fififidododo
I'm a participant level 1

I 100% agree with OP. I screenshot the message to show my friend how elaborate scammers are today, and then deleted the SMS. It's horrible practice for a scam aware user.

Pierre42
I'm a participant level 1

I didn't click the fido.ly link, I'm not sure if it's really from fido. If they want me to click on things, it has to come from fido.ca. I agree, this is a TERRIBLE practice from fido to send offers using some URL that we have no way of trusting. Anyone who clicks on these URLs fails security practices against smishing... Bad fido for sending URLs like that, there is no reason why you can't send a shortened URL from fido.ca so that we know it's legit. I'm certainly not going to encourage bad practices by clicking on links. OR: having to google to see who owns fido.ly to make sure it's legit. It's just a bad experience all around, stop doing that.

Hello @Pierre42,

 

Welcome to the community!

 

We understand your concern regarding these links though they would be safe if they are sent by us. We tend to use fido.ly links as some of our links can be quite long and this helps with keeping our texts short and simple. 



jkodish
I'm a participant level 1

Terrible security practice. I checked my Fido app. There was no listing of the 5 gig bonus anywhere. Asking people to sign in via SMS message is exactly what phishing organizations do. If this is a legitimate offer we should be able to type fido.ca in or go into our accounts and see it there. .ly happens to be the top level domain for Libya....

Hey @jkodish, Alex here! 

 

The .ly link is a fido.ca shortened link using bit.ly so you can trust the links that you see in our text messages.  As for the 5 GB bonus that you mentioned, you might not be able to see it directly from your account as some offers can only be claimed from these text messages. 

 

If you need any help with your account, feel free to get in touch with our customer service through any of the channels here, we'll be happy to help. 



BobC83
I'm helpful level 1

I'm curious how "fido.ly" is shorter than "fido.ca". I mean, yes, the domain should be predictable. What's to stop me from getting a fido.mx or fido.tv or fido.org domain and phishing for account numbers that way?

Hello,

 

  You're right, Fido.ly is not shorter than Fido.ca. However, they might not wish to merely direct people to the Fido.ca. Rather they use Fido's custom Bitly domain. If you weren't aware, Bitly is a URL shortening service. Fido can use the service to shorten links such as https://forums.fido.ca/t5/General-Support/Bad-security-practice/m-p/198862/highlight/true#M70964 (link to your post) to Fido.ly. The actual link would be too long to include in a text message. So Fido.ly would be much shorter than the actual URL.

 

Cheers

 


DS77
I'm a participant level 1

But all websites ending in .ly are hosted in Libya, which is nowhere close to Canada nor trustable.

It is very simple to just create redirection webpages with just fido.ca/agreatserialnumber redirecting elsewhere on your website.

As security practice, as I don't do business outside Canada, all external IPs and domains outside of Canada are banned, like those are systematically restricted, deleted, purged and/or ignored by the system before getting to users.

So that makes your promotions not reach my users at all. I am not the only one applying that kind of zero trust politics.

So you are wasting budget on your "scam" promotion by trying to not use a simple fido.ca/greatserialnumber.html

+ you would not have to pay for that shortened link service hosted in Libya.

MarcOlivier
I'm a participant level 1

Ok, I think I get it now. 

However I think @GonzoYolo is right regarding the fact that it's confusing for people that are not familiar with the concept and it goes against everything we hear about to prevent fraud. 

 

I'm a computer engineer myself and I actually worked for Fido for 5 years a while ago. My friends have the habit of contacting me when they have questions and I can tell you I already told 3 persons to quickly delete the SMS they got with the Fido.ly link because it was fraud. 

 

Maybe you can report that to your marketing people to prevent bigger long term communication issues with their clients. #justsaying

Cawtau
Senior MVP

Hello GonzoYolo,

 

  Welcome to the community!

 

  I'm not sure Fido is using that as their domain per se. I'm guessing they are using a custom URL shortener service like Bitly. I understand a Fido URL might not be that long, but those services also offer businesses analytic metrics. If they are using Bitly, you should be able to preview the link by adding a plus sign to the end of the shortened link (see here).

 

Hope this helps 😀

 

Cheers

 


GonzoYolo
I'm a participant level 2

I know there might be a technical (or marketing most likely) reason for them to have done it. I work in the IT/webdev industry and I started this thread to criticise what I saw. I'm not really looking for an answer here, just pointing out the problem and hope someone from the company pays attention to it. Fido needs to be educating users about security practices not doing the contrary.

mikeyjpas
I'm a contributor level 2

Did that actually come from Fido? I receive many many many SMS from fraudulent numbers asking to click on various links that look similar to fido but not fido.

GonzoYolo
I'm a participant level 2

Yes, actual promotional SMS coming from their usual promotional channel number. Didn't visit the link from the SMS, obviously. But upon logging onto their website I received the same promotion as a popup message. Actually signed up for it. But the whole incident made me think BAD FIDO.
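
Added example (not part of any post in the thread, and not Fido's code): a recipient-side check, in Python, of the point several posters make about fido.ly versus fido.mx, fido.tv or fido.org. The allow-list containing only fido.ca, the sample messages and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"fido.ca"}   # assumption: the only domain recipients expect
BRAND_LABEL = "fido"            # brand string reused by other TLDs in the thread

# Matches links with or without a scheme, as they usually appear in SMS text.
LINK_RE = re.compile(r"(?:https?://)?[^\s/]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(link):
    """Return the lower-cased hostname of a link, scheme optional."""
    if "://" not in link:
        link = "//" + link      # make urlsplit parse the text as a network location
    return (urlsplit(link).hostname or "").rstrip(".").lower()

def classify(link):
    """Label a link 'trusted', 'brand-lookalike' or 'unknown'."""
    host = host_of(link)
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain, compared on a dot boundary.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # Brand name present, but the domain is not one the recipient can verify.
    if BRAND_LABEL in host.split("."):
        return "brand-lookalike"
    return "unknown"

def review_sms(text):
    """Return (link, label) pairs for every link found in an SMS body."""
    return [(link, classify(link)) for link in LINK_RE.findall(text)]

# Constructed sample messages, not real SMS content.
SAMPLE_SMS = [
    "Fido: claim your 5 GB bonus at fido.ly/abc123 today",
    "Your offer: https://www.fido.ca/offers",
    "Account notice, verify at fido.mx/login now",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for link, label in review_sms(sms):
            print(f"{label:16} {link}")
```

The short domain from the SMS and the other TLDs named in the thread land in the same bucket, because nothing in the link itself tells a recipient which of them the sender controls; only a link on fido.ca passes.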