SIM Jacking Protection for Canadians?

  • Last Updated:
  • Sep 24th, 2019 11:22 pm
[OP]
Sr. Member
Aug 30, 2015
575 posts
788 upvotes
BC

There's growing news about the risks of a hacker accessing your entire digital life via SIM Port Hacking or SIM Jacking, which in short is:
  1. A hacker convinces your mobile carrier to issue your SIM to them
  2. This gives the hacker access to the most common two-factor-authentication: SMS codes
  3. They then take over your primary email by changing your password using SMS confirmations to verify ID
  4. And with your mobile number and primary email in their control - they can pretty much change the password/access anything they want
You can read about someone's experience getting hacked here:
https://medium.com/coinmonks/the-most-e ... de11517124

And here's some advice on how to protect against it:
https://blog.usejournal.com/secure-your ... fb95e8355d

So to my question: What tricks do Canadians have to protect ourselves?

Do carriers in Canada offer these solutions that are listed as suggested safeguards:
  • Add an extra password to the account that is needed for your SIM card to be ported to another device
  • Set your account to require that SIM porting can only be performed face to face in a cellular phone brick and mortar store
Any other suggested best practices out there?
3 replies
Sr. Member
Dec 4, 2017
529 posts
229 upvotes
The two articles in the OP are pretty good, especially in showing options like Google Authenticator or hardware keys, separation of email accounts, etc.

We are a bit limited here in Canada as it appears that the major banks only support SMS for two-factor authentication. They are completely behind the times. Where have they largely fixed this problem? Much of Africa. Many countries there have simple verification behind the scenes before allowing new account activity to check with the carrier that the SMS wasn't recently issued to a new SIM card. It's largely wiped out this type of fraud there.

I can think of two other means to get around the vulnerability of SMS:

1. Use email or phone calls for authentication codes. Hint: security systems trust old-fashioned landlines more than anything else.

2. Don't use any kind of app that could possibly rely on a SIM card's phone number. Instead, use the institution's web page directly, even on mobile.

I'd like to recommend using a VoIP to completely get around the SIM issue entirely while retaining SMS strengths, but most VoIP services can't fully support shortcodes that are in use by many companies.
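
The carrier check described in the post above (confirming that a number was not recently moved to a new SIM before trusting an SMS code), sketched as an added example that is not part of the original post. The carrier lookup result (`SimStatus`), the 72-hour window, the `high_risk` flag and all other names are assumptions for illustration, not any carrier's or bank's real API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple

# Assumption: the post only says "recently"; 72 hours is an illustrative window.
RECENT_SIM_CHANGE = timedelta(hours=72)


class Decision(Enum):
    SEND_SMS = "send_sms"  # SMS code is acceptable for this request
    STEP_UP = "step_up"    # refuse SMS, require a factor not tied to the SIM


@dataclass
class SimStatus:
    """Hypothetical carrier answer for one phone number."""
    number: str
    last_sim_change: Optional[datetime]  # None: carrier gave no answer


def decide_sms_otp(status: SimStatus, now: datetime,
                   high_risk: bool) -> Tuple[Decision, str]:
    """Decide whether an SMS code may be used for this account action."""
    if status.last_sim_change is None:
        # No carrier data: fail closed for password resets, new payees, etc.
        if high_risk:
            return Decision.STEP_UP, "carrier lookup unavailable"
        return Decision.SEND_SMS, "no carrier data, low-risk action"
    age = now - status.last_sim_change
    if age < timedelta(0):
        # A change time in the future means bad data; do not trust it.
        return Decision.STEP_UP, "SIM change timestamp is in the future"
    if age < RECENT_SIM_CHANGE:
        hours = int(age.total_seconds() // 3600)
        return Decision.STEP_UP, f"SIM changed {hours}h ago"
    return Decision.SEND_SMS, "no recent SIM change"


if __name__ == "__main__":
    # Constructed sample data: a number whose SIM was swapped 5 hours ago.
    now = datetime(2019, 9, 24, 12, 0, tzinfo=timezone.utc)
    swapped = SimStatus("+1-604-555-0100", now - timedelta(hours=5))
    print(decide_sms_otp(swapped, now, high_risk=True))
```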
[OP]
Sr. Member
Aug 30, 2015
575 posts
788 upvotes
BC
IanBrantford wrote: I'd like to recommend using a VoIP to completely get around the SIM issue entirely while retaining SMS strengths, but most VoIP services can't fully support shortcodes that are in use by many companies.
Oh interesting - I had considered generating a VOIP number I only use for this purpose but had no idea most VoIP services were not able to fully support SMSs. Would the messages just never come through? I use VOIP.ms - any idea if they have this problem (or if not, what key phrases should I search for to get to the bottom of it)?

Thanks!
Sr. Member
Dec 4, 2017
529 posts
229 upvotes
setlist wrote: Oh interesting - I had considered generating a VOIP number I only use for this purpose but had no idea most VoIP services were not able to fully support SMSs. Would the messages just never come through? I use VOIP.ms - any idea if they have this problem (or if not, what key phrases should I search for to get to the bottom of it)?
Yes, the messages just don't come through at all. voip.ms is like this. I use it and it was unable to handle a banking setup that I was doing (and the voice call verification didn't work either, as I lacked a voice call PIN).

I was in a rush and simply gave the bank the real number for the SIM that I had in the phone at the time. Fortunately, because I use VoIP for everything else, no one else really has that number. Other services that I use that require two-factor authentication have worked using voice calls.

If you want to try a VoIP for short codes, I've read here on RFD in the past that the best bet is the TextMe Up app.
