SIM Swap Attack Question

SOLVED
TheWerewolf
I'm a Participant Level 2

SIM Swap Attack Question

Hi there.

There's been a number of articles in the press lately about 'SIM Swap Attacks'. This is when someone finds out your phone number and the carrier, then contacts the carrier and convinces them to reassign your phone number to a new SIM, obviously without the permission of the actual account holder. This is a massive problem because using your phone as a 'second factor' by texting a code to your phone to prove your identity has become commonplace and if someone can redirect your phone number to their SIM (and thus, their phone), they essentially become you.

Fido actually has a pretty clever way to stop this online - you have to have the original SIM's IMEI number, which you can only get if you have the original SIM, so big points to Fido there.

My question though is: if someone went into a store, called a Fido rep by phone or went into chat, what system is in place to make sure someone can't just claim to be me and take over my phone number?

To show how devastating this can be: 

https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

Cm2017
I'm a Contributor Level 1

Ok so please disregard my previous post.  I found the following info:

 

I can't add port protection through online chat; it has to be done over the phone. I can speak to an agent and request that port protection be added to my account. The agent will send this request to the proper department; it may take 3 business days max to be put in place.

 

 If I ever want to port my number to another carrier, I need to call in to speak to an agent (can't be done in store or through online chat) and request that port protection be removed, which could take 3 business days max to happen, so this should be planned for and done in advance if I think I'm going to switch carriers.  


Then when protection is removed, and the port request is initiated by the other carrier, the usual process happens - Fido sends an sms message to my phone asking if I approve the port, I need to answer yes within a few hours or the port fails.

 

 I'm very happy with this whole solution, I feel that it's secure.  Thanks very much to Fido and to the agent that I spoke to.  Peace,

 

 

Cm2017
I'm a Contributor Level 1

I contacted a Fido agent today, to have a pin code added to my account, so that my number can't be ported to another provider unless I'm contacted somehow and I give the correct pin and say yes, port the number.

 

 The agent told me that Fido doesn't have anything like a pin code or password feature to stop a porting request.  But, if Fido receives a porting request, Fido will send me an sms message asking something like "do you authorize this porting request?"

 

If I reply with yes, the porting will go through. If I reply no, or don't reply at all, the request will time out in a few hours and the request is canceled or denied.

 

 This would seem to prevent an unauthorized porting, but I'm confused that the agent told me there's no pin code possible, as I've seen people in this forum say "yeah no problem just contact an agent and they'll put it on your account.."

 

Can anyone clarify? Have you spoken to an agent and had a pin code or password put on your account?

 

 Thanks very much,
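Modelling the port-out flow Cm2017 describes in the two posts above, as an added example that is not Fido's code: a port-protection flag that blocks a request outright and takes a delay to lift, an SMS challenge that only an exact "yes" inside the window approves, and a sweep that expires silent requests. The window length, the 3-day delay standing in for "3 business days", the carrier name and the phone numbers are all assumptions.

```python
"""Port-out authorization with port protection and an SMS confirmation window.
Constructed example, not Fido's code: port protection blocks a port outright;
otherwise the subscriber is texted and only an explicit "yes" inside the window
approves the port, while "no" or silence fails closed. Window length, removal
delay and the phone numbers are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional

CONFIRM_WINDOW = timedelta(hours=2)           # assumed value for "a few hours"
PROTECTION_REMOVAL_DELAY = timedelta(days=3)  # assumption standing in for "3 business days"


class PortStatus(Enum):
    PENDING = "pending"    # challenge SMS sent, awaiting reply
    APPROVED = "approved"  # subscriber replied yes inside the window
    DENIED = "denied"      # subscriber replied something other than yes
    EXPIRED = "expired"    # no usable reply inside the window
    BLOCKED = "blocked"    # rejected up front because port protection is active


@dataclass
class Account:
    msisdn: str
    port_protected: bool = False
    protection_lifts_at: Optional[datetime] = None  # set when removal was requested

    def protection_active(self, now: datetime) -> bool:
        # Protection stays on until the removal delay has fully elapsed.
        return self.port_protected and (self.protection_lifts_at is None or now < self.protection_lifts_at)


@dataclass
class PortRequest:
    msisdn: str
    gaining_carrier: str
    created_at: datetime
    status: PortStatus = PortStatus.PENDING


class PortOutService:
    """Losing-carrier side: receives port requests, challenges the subscriber by SMS, decides."""

    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.msisdn: a for a in accounts}
        self.requests: Dict[str, PortRequest] = {}
        self.outbox: List[str] = []  # SMS messages that would be sent

    def request_protection_removal(self, msisdn: str, now: datetime) -> datetime:
        """Phone request to lift protection; it only takes effect after the delay."""
        acct = self.accounts[msisdn]
        acct.protection_lifts_at = now + PROTECTION_REMOVAL_DELAY
        return acct.protection_lifts_at

    def receive_port_request(self, msisdn: str, gaining_carrier: str, now: datetime) -> PortRequest:
        req = PortRequest(msisdn, gaining_carrier, now)
        if self.accounts[msisdn].protection_active(now):
            req.status = PortStatus.BLOCKED  # never even challenged
            return req
        self.requests[msisdn] = req
        hours = CONFIRM_WINDOW.total_seconds() / 3600
        self.outbox.append(f"To {msisdn}: a request to move your number to {gaining_carrier} was received. "
                           f"Reply YES to approve; it expires in {hours:g} hours. No reply cancels it.")
        return req

    def receive_sms_reply(self, msisdn: str, text: str, now: datetime) -> Optional[PortRequest]:
        req = self.requests.get(msisdn)
        if req is None or req.status is not PortStatus.PENDING:
            return None  # nothing pending: stray replies are ignored
        if now - req.created_at > CONFIRM_WINDOW:
            req.status = PortStatus.EXPIRED   # a late "yes" is still a no
        elif text.strip().lower() == "yes":
            req.status = PortStatus.APPROVED  # exact match only; anything else fails closed
        else:
            req.status = PortStatus.DENIED
        return req

    def expire_stale(self, now: datetime) -> int:
        """Periodic sweep: silence past the window means the port does not happen."""
        stale = [r for r in self.requests.values()
                 if r.status is PortStatus.PENDING and now - r.created_at > CONFIRM_WINDOW]
        for r in stale:
            r.status = PortStatus.EXPIRED
        return len(stale)


def demo() -> List[str]:
    """Cases in order: protected, yes, no, late yes, silence, removal delay pending, removal elapsed."""
    t0 = datetime(2024, 3, 1, 9, 0)  # constructed timestamp
    nums = ["15145550101", "15145550102", "15145550103", "15145550104", "15145550105"]  # constructed
    svc = PortOutService([Account(nums[0], port_protected=True)] + [Account(n) for n in nums[1:]])
    out = [svc.receive_port_request(nums[0], "OtherCarrier", t0).status.value]
    for n in nums[1:]:
        svc.receive_port_request(n, "OtherCarrier", t0)
    out.append(svc.receive_sms_reply(nums[1], "YES", t0 + timedelta(minutes=5)).status.value)
    out.append(svc.receive_sms_reply(nums[2], "no", t0 + timedelta(minutes=5)).status.value)
    out.append(svc.receive_sms_reply(nums[3], "yes", t0 + timedelta(hours=3)).status.value)
    svc.expire_stale(t0 + timedelta(hours=3))
    out.append(svc.requests[nums[4]].status.value)
    svc.request_protection_removal(nums[0], t0)
    out.append(svc.receive_port_request(nums[0], "OtherCarrier", t0 + timedelta(days=1)).status.value)
    out.append(svc.receive_port_request(nums[0], "OtherCarrier", t0 + timedelta(days=3)).status.value)
    return out
```

demo() walks the cases in order and returns ['blocked', 'approved', 'denied', 'expired', 'expired', 'blocked', 'pending']. The design point worth copying is that every path that is not an explicit, timely "yes" ends in a non-approved state, and that lifting protection is itself delayed, so one convincing phone call cannot both remove the lock and port the number.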

spandya
I'm a Participant Level 1

Hello

Is there a possibility of putting a lock on the account for SIM changes? That way, only the mobile owner can log in to his/her account online and update these settings before doing a SIM change. If the SIM change feature is locked, it cannot be changed by Fido customer service agents or hackers.

Hello @spandya,

 

Welcome to the Community.

 

The only way to change your SIM card is by doing it through your online profile or in store. We aren't able to block SIM card changes beyond this.

Also, in order to change the SIM card you need the previous SIM card numbers which also adds protection to this process. 



FidoKenny
Moderator

Hello @TheWerewolf.

 

I can totally see why you are concerned about this and I can assure you that we have security measures for Sim Swaps on our end.

 

For the first scenario, when someone goes to the store for a Sim card swap, we first need to ID you with pieces of ID. Without those, it's simply not possible.


If you call Fido, we first have to ID you. From there, we always suggest that our customers make the change themselves on their online account. If that's not possible, there are still security questions that we ask you before doing the SIM card swap.

 

I hope this reassures you.



TheWerewolf
I'm a Participant Level 2

Perfect!

 

I appreciate your response. As I said, I was already impressed by Fido's requiring the original SIM IMEI - that's pretty foolproof. It also means that I can't use 'someone stole my phone' as a way to get around it, since I'd have to go into a store to get a new SIM and identify myself at that time, or have the account locked and order a new SIM, which the phone owner would notice immediately since the phone would stop working.

 

That takes a load off my mind.

Thanks!

@TheWerewolf

 

Glad that this took a load off your mind.


I double checked on my end and I simply want to do a quick correction on what I explained earlier on this thread.

 

If you call customer service, we can only activate a SIM card which was sent to you following a hardware upgrade on your account. From there, you still need to be fully ID'd for the process.

 

If the new SIM card you are trying to activate is not already registered on your Fido account, the only option available is to change it from your online account, to which only you have access. The only other option is to activate it directly at a Fido store by presenting 2 pieces of ID.

 

We understand how important the security of your information is, and we added those measures so only you can make this type of change to your account.

 

I hope this helps.



Frank2019
I'm a Participant Level 2

Thanks for this information.

However, I would like to chime in with my opinion that the weakest link in the security chain is the mobile service provider's human agent, who can be co-opted or corrupted to sell or cooperate and peddle this sensitive client information to savvy hackers using social engineering tactics that exploit human weaknesses via emotional appeal. A hacker can talk a disgruntled employee into it or 'motivate' him with a good bounty in exchange for that information.

 

How do service providers like Fido anticipate this weakness?

Hey @Frank2019!

 

We take our customers’ privacy and security very seriously, and as fraudsters use constantly evolving techniques to try and take advantage of consumers across the wireless industry, we continually strengthen our security measures and verification procedures to protect our customers against fraudulent activity. We reinforce this with our ongoing training in authentication best practices for our frontline team members, supported by our dedicated cyber security and anti-fraud teams who monitor 24/7 for potential threats.

 

Hope that helps answer your concerns! Protecting our customers is a top priority for us.



velum
I'm a Participant Level 1

@FidoNick,

Just stating that "customers’ privacy and security very seriously..." is not enough to reassure me. With good social engineering, malicious SIM swaps still occur. Can I request that a SIM swap be allowed on my account only if I go to a Fido store in person with IDs; no SIM swap over the phone or the Internet?

Hey @velum!

 

It's not possible to make such a request at this time; however, rest assured that we have strict security measures in place to avoid fraudulent SIM swaps.

Right now it's only possible to activate a new SIM card online through My Account, or at a store. 


If you do it online, you'll need account access, and both SIM card numbers will be required (old and new).
If you do it at a store, an ID with a picture will be required.


While it's possible to swap a SIM card on our end through customer service, we can only do it if the SIM card you wish to activate is already registered to your account. 


Hope this clarifies a bit! 
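As an added example (not Fido's code) of the channel rules in the reply above, and of the "both SIM numbers" rule restated later in the thread: a small authorization function that denies by default and lets each channel through only on its own evidence, plus an ICCID format and Luhn check so a mistyped or guessed new SIM number is rejected before any policy is consulted. The account fields and sample ICCIDs are made up; the Luhn check digit on ICCIDs follows ITU-T E.118.

```python
"""SIM activation policy by channel, with an ICCID sanity check.
Constructed example, not Fido's code: it encodes the rules stated in the thread
(online: logged-in account plus both old and new SIM numbers; store: photo ID;
customer service: only a SIM already registered to the account, after ID).
The Luhn check digit on ICCIDs is per ITU-T E.118; the account fields and
sample ICCIDs are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Channel(Enum):
    ONLINE = "online"
    STORE = "store"
    CUSTOMER_SERVICE = "customer_service"


@dataclass
class Account:
    account_id: str
    active_iccid: str
    registered_iccids: Set[str] = field(default_factory=set)  # SIMs shipped to the customer, e.g. after a hardware upgrade


def luhn_valid(number: str) -> bool:
    """True if the Luhn check digit matches; catches mistyped or guessed ICCIDs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def with_check_digit(payload: str) -> str:
    """Append the Luhn check digit (used here only to build sample ICCIDs)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # positions shift by one once the check digit is appended
        total += d - 9 if d > 9 else d
    return payload + str((10 - total % 10) % 10)


def iccid_well_formed(iccid: str) -> bool:
    # E.118: telecom identifier 89, 19 or 20 digits in total, Luhn check digit.
    return iccid.startswith("89") and 19 <= len(iccid) <= 20 and luhn_valid(iccid)


def authorize_sim_change(account: Account, channel: Channel, new_iccid: str, *,
                         account_login_ok: bool = False, old_iccid_presented: Optional[str] = None,
                         photo_id_verified: bool = False, identity_verified: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path denies unless the channel's own checks pass."""
    if not iccid_well_formed(new_iccid):
        return False, "new ICCID malformed"
    if new_iccid == account.active_iccid:
        return False, "that SIM is already the active one"
    if channel is Channel.ONLINE:
        if not account_login_ok:
            return False, "online: account login required"
        if old_iccid_presented != account.active_iccid:
            return False, "online: old SIM number does not match the active SIM"
        return True, "online: authorized"
    if channel is Channel.STORE:
        return (True, "store: authorized") if photo_id_verified else (False, "store: photo ID required")
    if channel is Channel.CUSTOMER_SERVICE:
        if new_iccid not in account.registered_iccids:
            return False, "customer service: SIM not registered to this account; use online or store"
        if not identity_verified:
            return False, "customer service: identity verification required"
        return True, "customer service: authorized"
    return False, "unknown channel"


# Constructed sample data: 89 + made-up issuer/subscriber digits, check digit computed.
OLD_SIM = with_check_digit("893020300101234567")
NEW_SIM = with_check_digit("893020300109876543")
SHIPPED_SIM = with_check_digit("893020300105555555")
SAMPLE = Account("A-1001", OLD_SIM, {SHIPPED_SIM})
```

With SAMPLE, an online change to NEW_SIM succeeds only when the login check passed and OLD_SIM is presented; customer service can activate SHIPPED_SIM (already on the account) but not NEW_SIM; and a NEW_SIM with one digit altered fails the Luhn check and is refused on every channel.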


 



fh4
I'm a Participant Level 1

I think the concern isn't just that Fido has strict security policies; it is that if the SIM card and phone number aren't locked down, then someone can go to ANOTHER service provider and take over someone else's phone number. They would just need to find one service provider that will accept stolen ID, fake ID or a credible number and port over the number. It is an issue that all service providers should look into and take seriously.

Frank2019
I'm a Participant Level 2

It’s good to know Fido’s commitment to security. Thank you.

I see training and frequent audits on processes and security procedures as the only way to level up security.

 

 

Rob76
I'm a Contributor Level 1

Is there anything Fido customers can do to further secure their account against SIM swapping?

 

This just happened to two colleagues of mine this past week, both were on the Rogers network. Somehow Rogers agents were fooled into allowing the unauthorized porting out of their numbers to other networks. In both cases it led to 2FA breaches on their PayPal accounts - for thousands of dollars. And it was a real pain to deal with - a nightmare actually.

 

So again, what can customers do to prevent this?

shutterbug21
I'm a Participant Level 1

what can we do as clients to prevent this?

We definitely understand your concerns regarding this!

 

It's always a priority for us to keep your information safe and we recommend to everyone to do the same. You can always add a PIN to your Fido account. It's also important to not give out your details to anyone and be wary of phishing and smishing attempts (link to phishing thread). 



chrismbc
I'm a Participant Level 1

Hi,

 

I haven't seen an answer from a Fido rep that indicates that they understand the issue here.  Fido has security procedures in place to protect a scammer from initiating a port-out through Fido, whether in person at a store, or online or on the phone.  But that isn't how these scams are done.  The port-out is initiated at another carrier.  

 

So Fido's security procedures are basically useless in protecting against the way these scams are almost always done.  A scammer can go to Bell and request a port-out, and none of Fido's procedures (as I currently understand them) will make a bit of difference.  

 

I contacted a Fido agent to ask if I could somehow lock my account down so that a port-out requested through another carrier would have to wait until I was contacted and gave the correct passcode.  The agent said he would have someone contact me but I haven't heard anything.

Hey @chrismbc! Welcome to the community.

 

The wireless industry established the requirements and parameters surrounding porting phone numbers. We have different measures in place to prevent unauthorized port-outs. We also send an SMS to notify our customers whenever a port-out has been requested.

 

If we didn't call you back yet don't hesitate to reach out to us for a follow-up! You can contact us here.



BrendanD
I'm a Participant Level 2

What about two-factor authorization for my online Fido account? I looked to see if there was a way I could turn it on, but there was nothing in place for that. So if someone gets a hold of my password, that's it, they're into my account. I'd much rather that I have to use an authenticator app on my iPhone to provide the code when I try to login to my Fido account. Right now, it's not very safe, especially for something as critical as access to my phone account.

Hey @BrendanD,

 

Logging in to your My Account profile on Fido.ca only requires your password; there is no 2-factor authentication in place. That said, the best protection and security measure available would be to not share your password. You can also choose to set up a mobile recovery number for My Account. You can use it to reset your My Account password or recover your username.

 

As a side note, swapping the SIM card online requires both SIMs' info, the new and the old one. In other words, someone would need to have your SIM card and your password to be able to purchase a new SIM and do the switch.

 

However, we understand how important your account's security is. We invite you to reach out to us at these channels to go over the security measures we have in place to secure your account.

 

Hope this helps.