SIM Swap Attack Question

SOLVED
I'm a Participant Level 2


Hi there.

There's been a number of articles in the press lately about 'SIM Swap Attacks'. This is when someone finds out your phone number and the carrier, then contacts the carrier and convinces them to reassign your phone number to a new SIM, obviously without the permission of the actual account holder. This is a massive problem because using your phone as a 'second factor' by texting a code to your phone to prove your identity has become commonplace and if someone can redirect your phone number to their SIM (and thus, their phone), they essentially become you.

Fido actually has a pretty clever way to stop this online - you have to have the original SIM's IMEI number, which you can only get if you have the original SIM, so big points to Fido there.

My question though is: if someone went into a store, called a Fido rep by phone or went into chat, what system is in place to make sure someone can't just claim to be me and take over my phone number?

To show how devastating this can be: 

https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

Accepted Solution

Solved by Moderator

Hello @TheWerewolf.

 

I can totally see why you are concerned about this and I can assure you that we have security measures for Sim Swaps on our end.

 

For the first scenario, when someone goes to the store for a Sim card swap, we first need to ID you with pieces of ID. Without those, it's simply not possible.


If you call Fido, we first have to ID you. From there, we always suggest that our customers do the change themselves on their online account. If that's not possible, there are still security questions that we ask you before doing the SIM card swap.

 

I hope this reassures you.




I'm a Participant Level 2

Perfect!

 

I appreciate your response. As I said, I was already impressed by Fido's requiring the original SIM IMEI - that's pretty foolproof. It also means that I can't use 'someone stole my phone' as a way to get around it, since I'd have to go into a store to get a new SIM and identify myself at that time, or have the account locked and order a new SIM, which the phone owner would notice immediately since the phone would stop working.

 

That takes a load off my mind.

Thanks!

@TheWerewolf

 

Glad that this took a load off your mind.


I double-checked on my end and I simply want to make a quick correction to what I explained earlier in this thread.

 

If you call customer service, we can only activate a SIM card which was sent to you following a hardware upgrade on your account. From there, you still need to be fully ID'd for the process.

 

If the new SIM card you are trying to activate is not already registered on your Fido account, the only option available is to change it from your online account, to which only you have access. The only other option is to activate it directly at a Fido store by presenting 2 pieces of ID.

 

We understand how important the security of your information is, and we added those measures so only you can make this type of change to your account.

 

I hope this helps.



I'm a Participant Level 2

Thanks for this information.

However, I would like to chime in with my opinion that the weakest link in the security chain is the mobile service provider's human agent, who can be co-opted or corrupted to sell or cooperate and peddle this sensitive client information to savvy hackers using social engineering tactics that exploit human weaknesses via emotional appeal. A hacker can talk a disgruntled employee into it or 'motivate' him with a good bounty in exchange for that information.

 

How do service providers like Fido anticipate this weakness?

Hey @Frank2019!

 

We take our customers’ privacy and security very seriously, and as fraudsters use constantly evolving techniques to try and take advantage of consumers across the wireless industry, we continually strengthen our security measures and verification procedures to protect our customers against fraudulent activity. We reinforce this with our ongoing training in authentication best practices for our frontline team members, supported by our dedicated cyber security and anti-fraud teams who monitor 24/7 for potential threats.

 

Hope that helps answer your concerns! Protecting our customers is a top priority for us.



I'm a Participant Level 1

@FidoNick,

Just stating that "customers' privacy and security very seriously..." is not enough to reassure me. With good social engineering, malicious SIM swaps still occur. Can I request that a SIM swap be allowed on my account only if I go to a Fido store in person with IDs; no SIM swap over the phone or the Internet?

Hey @velum!

 

It's not possible to make such a request at this time; however, rest assured that we have strict security measures in place to avoid fraudulent SIM swaps.

Right now it's only possible to activate a new SIM card online through My Account, or at a store. 


If you do it online, you'll need account access, and both SIM card numbers will be required (old and new).
If you do it at a store, an ID with a picture will be required.


While it's possible to swap a SIM card on our end through customer service, we can only do it if the SIM card you wish to activate is already registered to your account. 


Hope this clarifies a bit! 


 



I'm a Participant Level 1

I think the concern isn't just that Fido has strict security policies; it is that if the SIM card and phone number aren't locked down, then someone can go to ANOTHER service provider and take over someone else's phone number. They would just need to find one service provider that will accept stolen ID, fake ID or a credible number and port over the number. It is an issue that all service providers should look into and take seriously.

I'm a Participant Level 2

It’s good to know Fido’s commitment to security. Thank you.

I see training and frequent audits of processes and security procedures as the only way to level up security.

 

 

I'm a Contributor Level 1

Is there anything Fido customers can do to further secure their account against SIM swapping?

 

This just happened to two colleagues of mine this past week; both were on the Rogers network. Somehow Rogers agents were fooled into allowing the unauthorized porting out of their numbers to other networks. In both cases it led to 2FA breaches on their PayPal accounts - for thousands of dollars. And it was a real pain to deal with - a nightmare actually.

 

So again, what can customers do to prevent this?

I'm a Participant Level 1

What can we do as clients to prevent this?

We definitely understand your concerns regarding this!

 

It's always a priority for us to keep your information safe and we recommend to everyone to do the same. You can always add a PIN to your Fido account. It's also important to not give out your details to anyone and be wary of phishing and smishing attempts (link to phishing thread). 



I'm a Participant Level 1

Hi,

 

I haven't seen an answer from a Fido rep that indicates that they understand the issue here.  Fido has security procedures in place to protect a scammer from initiating a port-out through Fido, whether in person at a store, or online or on the phone.  But that isn't how these scams are done.  The port-out is initiated at another carrier.  

 

So Fido's security procedures are basically useless in protecting against the way these scams are almost always done.  A scammer can go to Bell and request a port-out, and none of Fido's procedures (as I currently understand them) will make a bit of difference.  

 

I contacted a Fido agent to ask if I could somehow lock my account down so that a port-out requested through another carrier would have to wait until I was contacted and gave the correct passcode.  The agent said he would have someone contact me but I haven't heard anything.

Hey @chrismbc! Welcome to the community.

 

The wireless industry established the requirements and parameters surrounding porting phone numbers. We have different measures in place to prevent unauthorized port-outs. We also send an SMS to notify our customers whenever a port-out has been requested.

 

If we didn't call you back yet don't hesitate to reach out to us for a follow-up! You can contact us here.



I'm a Participant Level 2

What about two-factor authorization for my online Fido account? I looked to see if there was a way I could turn it on, but there was nothing in place for that. So if someone gets a hold of my password, that's it, they're into my account. I'd much rather that I have to use an authenticator app on my iPhone to provide the code when I try to login to my Fido account. Right now, it's not very safe, especially for something as critical as access to my phone account.

Hey @BrendanD,

 

Logging in to your My Account profile on Fido.ca only requires your password; there is no 2-factor authentication in place. That said, the best protection and security measure available would be to not share your password. You can also choose to set up a mobile recovery number for My Account. You can use it to reset your My Account password or recover your username.

 

As a side note, swapping the SIM card online requires both SIMs' info, the new and the old one. In other words, someone would need to have your SIM card and your password to be able to purchase a new SIM and do the switch.

 

However, we understand how important your account's security is. We invite you to reach out to us at these channels to go over the security measures we have in place to secure your account.

 

Hope this helps.



I'm a Participant Level 1

No the process FIDO has relies heavily on human judgment and screening. Humans make mistakes. There is no process. I'll show you on this example of porting number to a different provider which is slightly different but shows similar issues. 

 

Porting a number could open a whole new can of worms, because now you have 2 companies dealing with it: the old one, which doesn't care anymore because you are leaving anyway, and the new provider, which is happy to get you as a new customer. So why would they put any barriers in place?

 

Until recently, moving to a different provider was very easy. I would just call my new provider and that's it. I don't know how much the process has changed since, and from what I understand, it is left up to the telecom providers to set their own rules of conduct and due diligence. Is CTS regulating it? They should.

 

Logging into the FIDO account and adding 2FA is an OK measure and it helps.

 

Here is example of how porting a number is done in Europe. 

 

To port my number to a different provider I MUST log into my account *and* write down a special "porting" code to port my number. It's a number of 12 or more digits (not the IMEI or SIM number), but a special code specifically for account transfers. That code is hidden, and I need to be able to log into the account and know the security answer before it is revealed to me.

 

I then call the new telecom company, sign up for the plan I want, provide them the "porting code", and they send a new SIM card to my address. SIM cards are FREE, unlike Rogers, Fido, Bell etc. charging money for SIM cards.

 

On the day when I specify, my new telecom provider will do the porting process. It takes 2-3 days. Yes, it's a bit longer because there is a procedure to follow. 

 

Immediately when the porting process starts, I will be literally bombarded with phone calls from the existing provider asking for a call back to confirm whether I really want to port my number. I received a text message saying I need to call them back, and unless I call back, the porting process cannot continue.

 

Some telecom providers in Europe (I don't know of any other than some cheap British discount phone providers) do not sell SIM cards freely on the market, and they would not be activated unless the SIM card is sent directly to the registered address I have on the account.

 

Once I receive the SIM card, I'll call the new provider to complete the activation process.

 

A while ago I did a similar port from Rogers to a virtual provider in the U.S. Guess what, I didn't get a single phone call from Rogers. Nothing. I even faked my signature on the porting application since I didn't have time to print and scan it. Rogers accepted the porting process without any issues.

 

So all FIDO moderators can do is give you false hope, try to do damage control, and do whatever they can to silence criticism.

 

The security procedures are archaic. Yes, things have improved, but as I said, the process depends on people following the steps. 

 

Ethereum blockchain will at some point in the near future replace contracts, including the ones that run with Fido. Yes, blockchain seeds and private keys can be lost. But I would feel better knowing that porting of my SIM number is handled by a computer algorithm and a smart contract than by an underpaid employee wanting to go home soon.

 

I always recommend everybody: Have 2 or 3 phone numbers, one that you use for your bank and CRA only and nobody else, the 2nd number you use for everything else and perhaps a 3rd number (could be virtual) as a trash number.  Same approach many of you do with emails...

 

Until then we have to hope whoever handles my SIM swap or porting request is diligent enough to use reasonable care.
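The controls described in this thread (a porting code revealed only after login plus the security answer, an SMS notice with a mandatory call-back before the port proceeds, and the port-protection flag the moderator mentions further down) can be modelled as a small authorization check on the losing carrier's side. The following Python is an added example written for this page; it is not Fido's or any carrier's code, and the Account class, function names, and the sample accounts are assumptions.

```python
"""Toy model of losing-carrier port-out controls discussed in this thread.

Constructed example: the data structures and flow are assumptions, not any
carrier's real system. Three controls are modelled:
  1. a port-protection flag that blocks every port-out attempt,
  2. a porting code revealed only to a logged-in subscriber who also answered
     the security question, and checked by the losing carrier,
  3. an SMS notice plus mandatory subscriber call-back before the port proceeds.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

PORTING_CODE_DIGITS = 12  # the thread describes a code of 12 or more digits


@dataclass
class Account:
    msisdn: str                              # subscriber phone number
    port_protection: bool = False            # blocks any port-out when set
    porting_code_hash: Optional[str] = None  # only a hash of the code is stored
    pending_port: bool = False               # a request is awaiting call-back
    notifications: List[str] = field(default_factory=list)


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_porting_code(account: Account, logged_in: bool,
                       security_answer_ok: bool) -> str:
    """Reveal a fresh porting code only to an authenticated subscriber."""
    if not (logged_in and security_answer_ok):
        raise PermissionError("login and security answer required")
    code = "".join(secrets.choice("0123456789") for _ in range(PORTING_CODE_DIGITS))
    account.porting_code_hash = _hash_code(code)  # single-use: cleared on completion
    return code


def request_port_out(account: Account, presented_code: str) -> str:
    """Losing-carrier decision when a gaining carrier submits a port request."""
    if account.port_protection:
        return "blocked: port protection enabled on this account"
    if account.porting_code_hash is None or not hmac.compare_digest(
            _hash_code(presented_code), account.porting_code_hash):
        return "rejected: porting code missing or incorrect"
    # Valid code: do not port yet; notify the subscriber and wait for call-back.
    account.pending_port = True
    account.notifications.append(
        f"SMS to {account.msisdn}: a port-out was requested; "
        "call us back to confirm, otherwise it will not proceed")
    return "pending: awaiting subscriber confirmation"


def confirm_port_out(account: Account, subscriber_confirms: bool) -> str:
    """Outcome of the call-back step; the porting code is consumed either way."""
    if not account.pending_port:
        return "no pending port-out request"
    account.pending_port = False
    account.porting_code_hash = None
    return "ported" if subscriber_confirms else "cancelled by subscriber"


def run_scenarios() -> dict:
    """Walk through the cases discussed in the thread with constructed accounts."""
    results = {}
    # 1. Account with port protection: request blocked regardless of code.
    locked = Account("15550000001", port_protection=True)
    results["protected"] = request_port_out(locked, "000000000000")
    # 2. Request without a porting code (the "agent was talked into it" path).
    acct = Account("15550000002")
    results["no_code"] = request_port_out(acct, "123456789012")
    # 3. Subscriber logs in, answers the security question, gets a code; the
    #    gaining carrier presents it; the subscriber confirms the call-back.
    code = issue_porting_code(acct, logged_in=True, security_answer_ok=True)
    results["with_code"] = request_port_out(acct, code)
    results["confirmed"] = confirm_port_out(acct, subscriber_confirms=True)
    # 4. The same code cannot be replayed after use.
    results["replay"] = request_port_out(acct, code)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the model is that no single human decision completes the port: the code proves access to the account, the call-back proves the subscriber still wants the move, and the protection flag lets a customer opt out of porting entirely, which is the option the poster above asked for.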

 

Hey @fiedospuppies

Thank you for your feedback.

 

We take our role of protecting our customers’ personal information very seriously.
As fraudsters use evolving techniques, we continually strengthen processes to prevent fraudulent SIM swaps and port-outs.

For example, we've recently started to offer port protection, which is a measure used to prevent a port from happening by blocking any attempt to move the number to another carrier.

You can contact us if you wish to add it to your account!



I'm a Participant Level 2

I've seen all the mods use the same robotic statement that you take our security very seriously etc...you have to say that. It's a ploy to make the customer feel safe when in reality the customer is at an extremely high risk and Fido isn't doing anything. Mark my words when I say it's just a matter of time before some scammer hacks the Fido/Rogers systems and shows you your vulnerabilities. 
A customer should be able to call in and have it put on file that they do not authorize any number porting. How hard is that?
I'm going to do my due diligence and contact the CRTC and find out what exact safety measures are required/mandated. If your personal security was compromised then we wouldn't even be having this conversation, right?

I'd like a Fido customer service representative to forward me the information for their legal team. If my information can't be protected I am prepared to take legal action.

Hey @Wishmaster666

 

We sent you a PM regarding your concerns.

 

Talk to you soon!