SIM Swap Attack Question

I'm a Participant Level 2

Hi there.

There have been a number of articles in the press lately about 'SIM Swap Attacks'. This is when someone finds out your phone number and the carrier, then contacts the carrier and convinces them to reassign your phone number to a new SIM, obviously without the permission of the actual account holder. This is a massive problem because using your phone as a 'second factor' by texting a code to your phone to prove your identity has become commonplace, and if someone can redirect your phone number to their SIM (and thus, their phone), they essentially become you.

Fido actually has a pretty clever way to stop this online - you have to have the original SIM's IMEI number, which you can only get if you have the original SIM, so big points to Fido there.

My question though is: if someone went into a store, called a Fido rep by phone or went into chat, what system is in place to make sure someone can't just claim to be me and take over my phone number?

To show how devastating this can be: 

https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

Accepted Solution

Re: SIM Swap Attack Question

Hello @TheWerewolf.

I can totally see why you are concerned about this and I can assure you that we have security measures for SIM swaps on our end.

For the first scenario, when someone goes to the store for a SIM card swap, we first need to ID you with pieces of ID. Without those, it's simply not possible.

If you call Fido, we first have to ID you. From there, we always suggest that our customers make the change themselves on their online account. If that's not possible, there are still security questions that we ask you before doing the SIM card swap.

I hope this reassures you.

Message 1 of 19

I'm a Contributor Level 1

Re: SIM Swap Attack Question

Hi Charles,

Thanks for the reply. Earlier today I contacted Fido over the phone and added an account PIN as well as a security question to my account. These measures as well as my Fido voice ID should put my mind at ease, but here’s why they didn’t.

The SIM swapping scam is essentially an extension of identity theft which bypasses all these measures.

If I, or someone impersonating me, goes to another provider and requests that my Fido number be ported out, the porting process bypasses all of Fido’s security measures mentioned here. This is why scammers are having such success with this SIM swapping scam, and why the RCMP is saying it’s on the rise.

What I think needs to happen is the service provider which is porting out its own customer should be the one authenticating their ID, not the service provider that is processing the port-in, if that makes sense.

Granted, this adds some inconvenience to the porting process; however, I will gladly take a bit of inconvenience to avoid the potential devastation from SIM swapping scams.

Message 11 of 19

Moderator

Re: SIM Swap Attack Question

I understand your concerns @Rob76.

Having a PIN and voice ID should definitely help with the security of your account and prevent someone from being able to access the information needed for a port out.

I'll send you another PM though; we'll look closer into this with you.

Keep an eye on your inbox.

Message 12 of 19

I'm a Participant Level 1

Re: SIM Swap Attack Question

@FidoNick,

Just stating that "customers’ privacy and security very seriously..." is not enough to reassure me. With good social engineering, malicious SIM swaps still occur. Can I request that a SIM swap be allowed in my account only if I go to a Fido store in person with IDs; no SIM swap over the phone or the Internet?

Message 13 of 19

Moderator

Re: SIM Swap Attack Question

Hey @velum!

It's not possible to make such a request at this time; however, rest assured that we have strict security measures in place to avoid fraudulent SIM swaps.

Right now it's only possible to activate a new SIM card online through My Account, or at a store.

If you do it online, you'll need account access and both SIM card numbers will be required (old and new).
If you do it at a store, an ID with picture will be required.

While it's possible to swap a SIM card on our end through customer service, we can only do it if the SIM card you wish to activate is already registered to your account.

Hope this clarifies a bit!

Message 14 of 19

I'm a Participant Level 1

Re: SIM Swap Attack Question

I think the concern isn't just that Fido has strict security policies; it is that if the SIM card and phone number aren't locked down, then someone can go to ANOTHER service provider and take over someone else's phone number. They would just need to find one service provider that will accept stolen ID, fake ID or a credible number and port over the number. It is an issue that all service providers should look into and take seriously.

Message 15 of 19

I'm a Participant Level 1

Re: SIM Swap Attack Question

What can we do as clients to prevent this?

Message 16 of 19

Moderator

Re: SIM Swap Attack Question

We definitely understand your concerns regarding this!

It's always a priority for us to keep your information safe and we recommend that everyone do the same. You can always add a PIN to your Fido account. It's also important to not give out your details to anyone and to be wary of phishing and smishing attempts (link to phishing thread).

Message 17 of 19

I'm a Participant Level 1

Re: SIM Swap Attack Question

Hi,

I haven't seen an answer from a Fido rep that indicates that they understand the issue here. Fido has security procedures in place to protect a scammer from initiating a port-out through Fido, whether in person at a store, or online or on the phone. But that isn't how these scams are done. The port-out is initiated at another carrier.

So Fido's security procedures are basically useless in protecting against the way these scams are almost always done. A scammer can go to Bell and request a port-out, and none of Fido's procedures (as I currently understand them) will make a bit of difference.

I contacted a Fido agent to ask if I could somehow lock my account down so that a port-out requested through another carrier would have to wait until I was contacted and gave the correct passcode. The agent said he would have someone contact me but I haven't heard anything.

Message 18 of 19

Moderator

Re: SIM Swap Attack Question

Hey @chrismbc! Welcome to the community.

The wireless industry established the requirements and parameters surrounding porting phone numbers. We have different measures in place to prevent unauthorized port-outs. We also send an SMS to notify our customers that any port-out has been requested.

If we didn't call you back yet, don't hesitate to reach out to us for a follow-up! You can contact us here.

Message 19 of 19