Cell Phones

Fido LTE Data Plan (Tech Discussion)

  • Last Updated:
  • Aug 12th, 2020 8:10 am
Sr. Member
Oct 27, 2016
793 posts
364 upvotes
GTA
I ported out my voipms number, took about 3 business day. Winning carrier is PM. When i initiated the port in PM, it asks for a PIN and since voipms has no PIN protection i just left it blank.

After few mins i am able to place outgoing calls / sms using PM but incoming still goes to my voipms account.

After about 3 days, got an email from voipms that port out is completed. My number is automatically deleted from their system. Incoming and outgoing calls / sms using PM is working OK.
Images
  • Screenshot_20200420-205317.png
______________________________________________________________________________________________

cheap phone bill = Public Mobile 13$ + 3GB data only eSIM plan 0$ + Google Pixel 3a XL
Deal Addict
May 5, 2008
1858 posts
586 upvotes
garce wrote: Some updates in case others are interested on protection/prevention of getting your number stolen.
All cases require your account information. Assumption is that somehow a criminal has getting a hold of it.

Most large carriers
Have port out lock with a pin. So good
Otherwise, They will text you as to let you know the port out is starting. If you are lucky and catch the text, you can call to prevent. But you have hours (not days) to call before it is completed.

Fongo
Does not have a port out lock
They will text you as to let you know the port out is starting. If you are lucky and catch the text, you can call to prevent. See their comment
[support] Additionally we will send a text message out when we get a port out request. Since out lines are considered to be landlines our port outs take a few days so it will give you a chance to contact us to reverse it.
The big problem is the customer support speed. Even days is a problem. The above response took 9 days to come to me. Good luck getting a hold of somebody

Voip.ms
Does not have a port out lock for Canadian numbers. Customer support is super responsive. However no notifications versus fongo?
[me] Would you let me know if a ported is started
[support] Unfortunately port outs are dealt by upstream carriers and resellers (us) are not advised of this, only when a number leaves our side for removal.
[me] ok, would there be any type of message for me at some point. Or would I just notice my phone doesnt work at some point? Some companies send a text when a port is started (including fongo)
[support] You will receive an email from our side when the number is removed from your account. We do have the notification email; however, this is for US numbers so far.
Ouch.. Doesn not look good
Deal Expert
Jan 7, 2002
20035 posts
13377 upvotes
Waterloo, ON
garce wrote: Most large carriers
Have port out lock with a pin. So good
Otherwise, They will text you as to let you know the port out is starting. If you are lucky and catch the text, you can call to prevent. But you have hours (not days) to call before it is completed.
Since this is a thread about Fido's data-only plan...
1. How do I set up a PIN?
2. What do I do if I forget my PIN?
3. Fido's Help talks about getting a PIN by text, calling 611 for assistance, etc. How do I do that stuff with Fido's data-only plan where calls and texts are blocked?

And of course if there are good answers to these, especially Q2., then what's to stop social engineers from circumventing the PIN altogether?
veni, vidi, Visa
Deal Addict
User avatar
Nov 25, 2003
4311 posts
5735 upvotes
Vancouver
max011 wrote: I'll port one of my numbers out in the next few days.

I set up the Pin, and we will see if it changes anything...
OK, so port went tru... All is good...

Few things to note:

* Got confirmation email from VOIP.MS [as always!]

* THEY deleted my number from the system [which is new; I had to do it myself previously!]

* Port out PIN was not playing at all; no one asked for it and it didn't make any difference when porting out [unfortunately...]

EDIT: Oh, actually I still needed to delete the Sub account...
"A fool and his money are soon parted" Thomas Tusser (1524-1580)
Member
Dec 26, 2010
429 posts
93 upvotes
SW Ontario
max011 wrote: OK, so port went tru... All is good...

Few things to note:

* Got confirmation email from VOIP.MS [as always!]

* THEY deleted my number from the system [which is new; I had to do it myself previously!]

* Port out PIN was not playing at all; no one asked for it and it didn't make any difference when porting out [unfortunately...]

EDIT: Oh, actually I still needed to delete the Sub account...
Thanks, it is unfortunate then. If some criminal takes over your number: You will only know after everything has completed and IF you read the email from voip.ms
You will be scrambling and sweating trying to prevent the criminal to take over your accounts that rely on your phone for "forgot" password.
Moderator
User avatar
Dec 27, 2007
20350 posts
11563 upvotes
Kitchener
garce wrote: Thanks, it is unfortunate then.
PIN-protected accounts from big providers aren't any better btw, it doesn't take much to social engineer right through them.
Deal Addict
User avatar
Nov 25, 2003
4311 posts
5735 upvotes
Vancouver
garce wrote: Thanks, it is unfortunate then. If some criminal takes over your number: You will only know after everything has completed and IF you read the email from voip.ms
You will be scrambling and sweating trying to prevent the criminal to take over your accounts that rely on your phone for "forgot" password.
Not that bad, it's not. [Master Yoda]

For that scenario to work "criminals" would have to know a lot... They would need to already have access to some/all of your accounts to use your [stolen] phone number as a second step in authentication..

Not really likely for all of that to ever happen at once...
"A fool and his money are soon parted" Thomas Tusser (1524-1580)
Moderator
User avatar
Dec 27, 2007
20350 posts
11563 upvotes
Kitchener
bylo wrote: Since this is a thread about Fido's data-only plan...
1. How do I set up a PIN?
2. What do I do if I forget my PIN?
3. Fido's Help talks about getting a PIN by text, calling 611 for assistance, etc. How do I do that stuff with Fido's data-only plan where calls and texts are blocked?

And of course if there are good answers to these, especially Q2., then what's to stop social engineers from circumventing the PIN altogether?
You can "probably" call them via any other line on 1 (888) 481-3436 and authenticate yourself then set/reset your PIN.

With that said, as long as people can still "press 0 to speak to an agent" there will always be a chance for social engineering.
Moderator
User avatar
Dec 27, 2007
20350 posts
11563 upvotes
Kitchener
max011 wrote: They would need to already have access to some/all of your accounts to use your [stolen] phone number as a second step in authentication..
well, that's what social engineering is all about (in digital security context), they can get access to a lot of your information by working their way one bit at a time without ever hacking any of your actual accounts (right till they take control of your phone line).

You would be surprised to know the extent of information a poorly trained CSR would give away thinking (s)he is helping a customer in need.
Deal Addict
User avatar
Nov 25, 2003
4311 posts
5735 upvotes
Vancouver
aasoror wrote: well, that's what social engineering is all about (in digital security context), they can get access to a lot of your information by working their way one bit at a time without ever hacking any of your actual accounts (right till they take control of your phone line).

You would be surprised to know the extent of information a poorly trained CSR would give away thinking (s)he is helping a customer in need.
In my experience, even the lowliest of all CSRs where always following a script and asked a lot of questions to confirm identity.

If someone has that many info on you, right, they targeted you & you are screwed already...
"A fool and his money are soon parted" Thomas Tusser (1524-1580)
Moderator
User avatar
Dec 27, 2007
20350 posts
11563 upvotes
Kitchener
max011 wrote: In my experience, even the lowliest of all CSRs where always following a script and asked a lot of questions to confirm identity.
The guy who was screwed by amazon three times in a couple of months would beg to differ :)

https://medium.com/@espringe/amazon-s-c ... 375b3428c4

Correct name and email (publicly available) wrong address and phone number that the rep never really verify, 1st try got them the correct billing address and phone number and 3rd try got them the last digits of the credit card, with 0 attempts to login into the actual amazon account.

Now, this info is actually more than enough (with some skill) to take over a phone line from Rogers (and net $30K out of it).

https://www.cbc.ca/news/technology/mark ... -1.5009279

In all cases, the weakest link is a poorly trained CSR (apparently doesn't take as many tries to land on one) who thinks that (s)he is helping a customer in need. That's where social engineering shines, the account holder is no longer the target of the attack, so your precautions get less and less relevant, the CSR is.
Deal Expert
Jan 7, 2002
20035 posts
13377 upvotes
Waterloo, ON
aasoror wrote: You can "probably" call them via any other line on 1 (888) 481-3436 and authenticate yourself then set/reset your PIN.

With that said, as long as people can still "press 0 to speak to an agent" there will always be a chance for social engineering.
Which was my point. If the PIN works like a BitCoin password, i.e. lose it and you've lost the account, then there are going to be a lot of pissed off customers who forgot the PIN they set up, perhaps years earlier, when they opened the account. OTOH if there's a mechanism to get/reset the PIN over the phone then "what's to stop social engineers from circumventing the PIN altogether?"

That said, as the articles you cited (and many more) point out, the carriers need to do a better job of training their CSRs in detecting/thwarting social engineers.

In addition the CRTC needs to revisit their mandate that carriers must port-out numbers without delay. One obvious way to do that would be to exempt accounts that are PIN locked so that the carrier can get positive confirmation from the account holder before they make any changes to that account. That sort of protocol seems to have ended the practice of domain name hijacking that was so common a few years ago.
veni, vidi, Visa
Deal Addict
User avatar
Nov 25, 2003
4311 posts
5735 upvotes
Vancouver
bylo wrote: That said, as the articles you cited (and many more) point out, the carriers need to do a better job of training their CSRs in detecting/thwarting social engineers.
Which OTH means hiring more capable and trainable [don't want to say "more intelligent" out loud!] CSRs... and paying them accordingly... by hiking up the prices in the process and pissing off the customers...

So I don't think it will happen ever...
"A fool and his money are soon parted" Thomas Tusser (1524-1580)
Deal Expert
Jan 7, 2002
20035 posts
13377 upvotes
Waterloo, ON
max011 wrote: Which OTH means hiring more capable and trainable [don't want to say "more intelligent" out loud!] CSRs... and paying them accordingly... by hiking up the prices in the process and pissing off the customers...

So I don't think it will happen ever...
While that may be one solution to the problem it's not my preference.

Currently the carriers are in willful compliance with the CRTC mandate to port-out numbers without delay. If the CRTC relaxed that mandate for PIN-locked accounts by getting "positive confirmation from the account holder before they make any changes to that account" then the PIN lock would actually work as intended.

That's the solution I'd prefer to see. And it wouldn't require any additional CSR training or add to the cost of administering/porting accounts.
veni, vidi, Visa
Moderator
User avatar
Dec 27, 2007
20350 posts
11563 upvotes
Kitchener
bylo wrote: If the CRTC relaxed that mandate for PIN-locked accounts by getting "positive confirmation from the account holder before they make any changes to that account" then the PIN lock would actually work as intended.
That would create a loophole that can easily be abused by the carrier (since the losing carrier would still have the upper hand on the transfer to the winning carrier and all kind of tricks can be played as they "wait to validate said account holder confirmation"), anyone familiar with moving cable modems between ISP would know.

I don't think it's that straight forward to solve, CRTC needs to smarten up about it, perhaps give clients the option to forfeit their rights of "instant-porting" (as a second layer of protection over PINs), heavily penalize carriers releasing numbers with mismatching or partially matching information or perhaps create a third party entity to validate the port requests (client-initiated) before it's passed forward to the losing carrier.

Top