cancel
Showing results for 
Search instead for 
Did you mean: 

SIM Swap Attack Question

TheWerewolf
I'm a participant level 2
I'm a participant level 2

Hi there.

There's been a number of articles in the press lately about 'SIM Swap Attacks'. This is when someone finds out your phone number and the carrier, then contacts the carrier and convinces them to reassign your phone number to a new SIM, obviously without the permission of the actual account holder. This is a massive problem because using your phone as a 'second factor' by texting a code to your phone to prove your identity has become commonplace and if someone can redirect your phone number to their SIM (and thus, their phone), they essentially become you.

Fido actually has a pretty clever way to stop this online - you have to have the original SIM's IMEI number, which you can only get if you have the original SIM, so big points to Fido there.

My question though is: if someone went into a store, called a Fido rep by phone or went into chat, what system is in place to make sure someone can't just claim to be me and take over my phone number?

To show how devastating this can be: 

https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

28 REPLIES 28

fiedospuppies
I'm a contributor level 2
I'm a contributor level 2

No the process FIDO has relies heavily on human judgment and screening. Humans make mistakes. There is no process. I'll show you on this example of porting number to a different provider which is slightly different but shows similar issues. 

 

Porting number could open a whole new can of worms because now you have 2 companies dealing with it, old which doesn't care anymore because you are leaving anyways and new provider is happy to get you as a new customer. So why would put any barriers in place. 

 

Until recently moving to a different provider was very easy. I would just call my new provider and that's it. I don't know how much the process changed since and from what I understand - it is left up to the telecom providers to set their own rules of conduct and due dilligence.  Is CTS regulating it? They should.

 

Logging into FIDO acount, adding 2FA is OK measure and it helps.

 

Here is example of how porting a number is done in Europe. 

 

Ti port my number to a different provider i MUST log into my account *and* write down a special "porting" code to port my number. It's a 12 or more digits number (not IMEI or SIM number), but a special code specifically for account transfers. That code is hiddent and I need to be able to login into the account and know the security answer before it is revealed to me.

 

I call then the new telecom company, sign up for the plan I want, I'll provide them the "porting code" and they send me new SIM card to my address. SIM cards are FREE and not like Rogers, Fido, Bell etc charging moneys for SIM cards. 

 

On the day when I specify, my new telecom provider will do the porting process. It takes 2-3 days. Yes, it's a bit longer because there is a procedure to follow. 

 

Immediately when the porting process starts, I will be literraly bombarded with phone calls from the existing provider asking for call back to confirm if I really want to port my number. I received text message saying, I need to call them back and unless I call back, the porting process can not continue. 

 

Some telecom providers in Europe (I don't know of any other than some cheap British discount phone providers) not sell SIM cards in the market freely and they would not be activated unless the SIM card is sent directly to my registered address I have on the account. 

 

Once I receive SIM card, I'll call the new provider to complete the activation process. 

 

 A while ago I have done a similar port from Rogers to a virtual provider in the U.S.  Guess, what, I didn't get a single phone call from Rogers. Nothing. I even faked my signature on the porting application since I didn't have time to print and scan it. Rogers has accepted porting process without any issues. 

 

So all FIDO moderators can do is giv you False hope, try to do damage control and to do whatever can to silence criticim. 

 

The security procedures are archaic. Yes, things have improved, but as I said, the process depends on people following the steps. 

 

Ethereum blockchain will at some point of time in the near future replace contracts including the ones that run with Fido. Yes, blockchain seeds and private keys can be lost. But I would feel better knowing porting of my SIM number is handled by a computer algoritm and a smart contract than by an underpaid employee wanting to go home soon.

 

I always recommend everybody: Have 2 or 3 phone numbers, one that you use for your bank and CRA only and nobody else, the 2nd number you use for everything else and perhaps a 3rd number (could be virtual) as a trash number.  Same approach many of you do with emails...

 

Until then we have to hope whoever handles my SIM Swap or porting request is a dilligent just enough to use reasoable care. 

 

Hey @fiedospuppies

Thank you for your feedback. Smiley

 

We take our role of protecting our customers’ personal information very seriously.
As fraudsters use evolving techniques, we continually strengthen processes to prevent fraudulent SIM swaps and port-outs.

For example, we've recently started to offer the port protection, which is a measure used to prevent a port from happening by blocking any attempt to move the number to another carrier. 

You can contact us if you wish to add it to your account!



Wishmaster666
I'm a participant level 2
I'm a participant level 2

I've seen all the mods use the same robotic statement that you take our security very seriously etc...you have to say that. It's a ploy to make the customer feel safe when in reality the customer is at an extremely high risk and Fido isn't doing anything. Mark my words when I say it's just a matter of time before some scammer hacks the Fido/Rogers systems and shows you your vulnerabilities. 
a customer should be able to call in and have it put in file that they do not authorize any number porting. How hard is that.
I'm  going to do my due diligence and contact the CRTC and find out what exact safety measures are required/mandated. If your personal security was compromised then we wouldn't even be having this conversation right?

id like a Fido customer service representative to forward me the information to their legal team. If my information can't be protected I am prepared to take legal action. 

Hey @Wishmaster666

 

We sent you a PM regarding your concerns.

 

Talk to you soon!



Hey @Rob76

 

I can definitely understand. As @FidoNick mentioned, we take your security seriously on our side. We have many measures in place to avoid these situations. It's also possible for us to add a 4 digits PIN to your account as another security option.

 

I'll send you a PM so we can review the details together



Rob76
I'm a contributor level 1
I'm a contributor level 1

Hi Charles,

 

Thanks for the reply. Earlier today I contacted Fido over the phone and added an account PIN as well as a security question to my account. These measures as well as my Fido voice ID should put my mind at ease, but here’s why they didn’t.

 

The Sim swapping scam is essentially an extension of identity theft which bypasses all these measures.

 

If I, or someone impersonating me goes to another provider and requests that my Fido number be ported out, the porting process bypasses all of Fido’s security measures mentioned here. This is why scammers are having such success with this SIM swapping scam, and why the RCMP is saying it’s on the rise.

 

What I think needs to happen is the service provider which is porting out its own customer should be the one authenticating their ID, not the service provider that is processing the port-in, if that makes sense.

 

Granted this adds some inconvenience to the porting process however I will gladly take a bit of inconvenience to avoid the potential devastation from SIM swapping scams.

FidoClaudia
Community Manager
Community Manager

I understand your concerns @Rob76.

 

Having a PIN and voice ID should definitely help with the security of your account and prevent someone from being able to access the information needed for a port out. 

 

I'll send you another PM though, we'll look closer into this with you Smiley

 

Keep an eye on your inbox. 



TheWerewolf
I'm a participant level 2
I'm a participant level 2

I suspected that might be the case. Most cellcos can only use a SIM they distribute, so it would have to be a Fido SIM, and you can't get one of those without it being registered to an account, so they'd have to somehow register it to my account and then do the swap over, which would require my original phone number, my password for online, my PIN or physical ID... so yeah, not going to be easy. 

 

Which is the answer I was hoping for. Smiley

 

Thanks again, Kenny.

I appreciate your taking the extra effort there!

TW