Cell Phones

WIRELESSWAVE - Security matter: ssp.fido.ca (Potential [for] identity theft?)

  • Last Updated:
  • Jun 14th, 2018 9:40 am
[OP]
Deal Fanatic
Apr 17, 2003
5881 posts
1364 upvotes
GVR

WIRELESSWAVE - Security matter: ssp.fido.ca (Potential [for] identity theft?)

I was at a WIRELESSWAVE location today, with an interest of getting a phone.

The rep asked me if I'm with a provider. I provided the information (Fido, phone number and postal code). He then proceed to request a piece of ID, which he entered into the terminal. He then looked at the particular device that I was interested in, and see if there was any promotion that applies. After that, he closed the tab (not the browser instance). I requested that he should close the browser, he insisted that the tab was closed, and that should have been sufficient. He provided the excuse that "I don't want to re-open the other tabs that are currently there". He then showed me a new tab opened with "ssp.fido.com" and claimed that "Look, I can't get it"...I mentioned it's the wrong domain (.com vs .ca)...he ignored me.

Questions:
1. Does the above sound like a typical process / protocol?
2. I believe the session token to ssp.fido.ca was still valid even with the tab closed. Would someone mind testing out how the ssp.fido.ca handles this scenario?
3. Does anyone know what kind of information is available to reps on ssp.fido.ca?
4. Is the information on there sufficient for identity theft?

I would really appreciate it if someone from WIRELESSWAVE and / or Fido (familiar with typical rep handling of client information) could respond.
Last edited by chatbox on Jun 19th, 2018 9:05 am, edited 2 times in total.
5 replies
[OP]
Deal Fanatic
Apr 17, 2003
5881 posts
1364 upvotes
GVR
soupmaster666 wrote:
Jun 13th, 2018 8:23 am
When you close the tab to your online banking, do you not expect it's memory to be purged?

Nobody at WIRELESSWAVE or Fido is going to understand session cookies.

#4: What information did you provide them? More than I can find in 5 minutes with a phone book and your Facebook profile?
That is a matter of how each secured site is implemented. What I expect could differ from site to site. I know, as a fact, that one of my banks website does not invalidate session tokens when a tab is closed. As such, going back to the bank's site does not require re-authentication (while still using the same browser instance).

Q4 was regarding what additional information the ssp.fido.ca system provides them.
Sr. Member
Jan 29, 2013
720 posts
115 upvotes
Toronto
chatbox wrote:
Jun 13th, 2018 9:14 am
That is a matter of how each secured site is implemented. What I expect could differ from site to site. I know, as a fact, that one of my banks website does not invalidate session tokens when a tab is closed.
This behaviour is also browser dependent.
[OP]
Deal Fanatic
Apr 17, 2003
5881 posts
1364 upvotes
GVR
qualdoth wrote:
Jun 13th, 2018 9:31 am
This behaviour is also browser dependent.
That's why I would much prefer it if the rep could have closed the browser. They should be trained and required to do so as standard protocol.

On a somewhat related matter: We don't know what information of ours does Fido (or any other telco / service providers) store and show to their employees / business affiliates (WIRELESSWAVE in this case). Is there something similar to GDPR in Canada?
Deal Guru
User avatar
Nov 28, 2013
13874 posts
4803 upvotes
Oakville
soupmaster666 wrote:
Jun 13th, 2018 8:23 am
When you close the tab to your online banking, do you not expect it's memory to be purged?

Nobody at WIRELESSWAVE or Fido is going to understand session cookies.
No, I don't expect its memory to be purged. Because *many* browsers will let you re-open a closed tab with ctrl-shift-t, and boom - it's right back at the page that was just open (for example, in Chrome, with RBC's online banking, this is exactly how it works). It brings that session right back.

Having said that, I don't think this was done for nefarious purposes - it would be trivially easy to trace this back to that person.
Lucky Koodo $40/6GB recipient
Deal Addict
Jun 17, 2013
4554 posts
1129 upvotes
Halifax
just because he closes the browser does not mean the information is purged. you are fighting a losing battle without the know-how to properly fight it.

you also don't know what is monitored on that computer. if there is screen share. if there is a keylogger etc. if you don't trust them, don't use them...pretty simple.

Top

Thread Information

There is currently 1 user viewing this thread. (0 members and 1 guest)