Last Updated: Feb 7th, 2020 8:39 pm
42 replies
Deal Addict
Sep 19, 2009
1943 posts
767 upvotes
Toronto
Poor-quality journalism / fake news.

Although it is somehow believable that Rogers performed a number transfer in error and many people can relate to that, the author fails to explain how the fraudster got access to the credit card to charge $10k.
Deal Addict
Jan 19, 2017
2440 posts
1223 upvotes
andrew4321 wrote: Poor-quality journalism / fake news.

Although it is somehow believable that Rogers performed a number transfer in error and many people can relate to that, the author fails to explain how the fraudster got access to the credit card to charge $10k.
This is how it can be done: https://cba.ca/sim-swap-scam
Deal Expert
Aug 18, 2005
19059 posts
3721 upvotes
Burlington-Hamilton
andrew4321 wrote: Poor-quality journalism / fake news.

Although it is somehow believable that Rogers performed a number transfer in error and many people can relate to that, the author fails to explain how the fraudster got access to the credit card to charge $10k.
They used SMS password recovery to get into online banking and other online services.

This would have been enough to get the billing information and other personal information to make financial transactions in the person's name.

The article is wrong about this being a new scam. It's been going on for years. The correct way of protecting yourself is to never link your mobile number to password recovery. Use the Google 2FA app or similar, where available.

This also means you need to close all your accounts at TD, since they force you to add a phone for authentication.
Deal Addict
Sep 19, 2009
1943 posts
767 upvotes
Toronto
Jucius Maximus wrote: They used SMS password recovery to get into online banking and other online services.

This would have been enough to get the billing information and other personal information to make financial transactions in the person's name.

The article is wrong about this being a new scam. It's been going on for years. The correct way of protecting yourself is to never link your mobile number to password recovery. Use the Google 2FA app or similar, where available.

This also means you need to close all your accounts at TD, since they force you to add a phone for authentication.
You are not able to explain how the fraudster got access to the credit card info.
Deal Expert
Aug 18, 2005
19059 posts
3721 upvotes
Burlington-Hamilton
andrew4321 wrote: You are not able to explain how the fraudster got access to the credit card info.
Is this a troll post? Let me spell it out specially. Once they use SMS to recover the online banking login, and email accounts, they will have access to the person's bank statements. Combined with data from social media, they will have full account numbers and billing information, allowing them to reset other websites and passwords. Voila, a shopping spree!
Deal Addict
Sep 19, 2009
1943 posts
767 upvotes
Toronto
Jucius Maximus wrote: Is this a troll post? Let me spell it out specially. Once they use SMS to recover the online banking login, and email accounts, they will have access to the person's bank statements. Combined with data from social media, they will have full account numbers and billing information, allowing them to reset other websites and passwords. Voila, a shopping spree!
Can you log in to your online bank account and try to retrieve the credit card number, the expiry date and the CVV? All 3 of them, plus name / address are required to use a card online.
Deal Expert
Aug 18, 2005
19059 posts
3721 upvotes
Burlington-Hamilton
andrew4321 wrote:
Can you log in to your online bank account and try to retrieve the credit card number, the expiry date and the CVV? All 3 of them, plus name / address are required to use a card online.
No, but you can get enough information to unlock sites like Amazon and PayPal, which already have this info entered. The crooks bought concert tickets? Maybe they found her Ticketmaster account info in her email. And you have enough info to socially engineer the information from customer service of other companies. Lastly, not all online shopping sites require a CVV code.
Deal Addict
Sep 19, 2009
1943 posts
767 upvotes
Toronto
Jucius Maximus wrote: No, but you can get enough information to unlock sites like Amazon and PayPal, which already have this info entered. The crooks bought concert tickets? Maybe they found her Ticketmaster account info in her email. And you have enough info to socially engineer the information from customer service of other companies. Lastly, not all online shopping sites require a CVV code.
Low tech explanation of the events: Her teenage son had a few school buddies over. They smoked a joint and one of them took pictures of mom's card left on the kitchen counter. Or a small store clerk / restaurant worker took pictures / wrote down cc info.
Deal Addict
Dec 12, 2009
4171 posts
1895 upvotes
Toronto
ml88888888 wrote:
This is how it can be done: https://cba.ca/sim-swap-scam
Interesting link, Thanks.
Jucius Maximus wrote: They used SMS password recovery to get into online banking and other online services.
Jucius Maximus wrote: Is this a troll post? Let me spell it out specially. Once they use SMS to recover the online banking login, and email accounts, they will have access to the person's bank statements. Combined with data from social media, they will have full account numbers and billing information, allowing them to reset other websites and passwords. Voila, a shopping spree!
From the link @ml88888888 posted in #3 above it says:
"Once they’ve gained the new SIM card connected to your phone number, they’ll have access to all services you’ve linked to your phone: bank accounts, emails, pictures, phone calls, text messages, etc."
Can you dumb it down how they get access to all the services for me? I get that they can scam your number. I don't get how they can access your actual phone that is password protected.
I'm not a troll. Don't do social media. Limit who I give my cell # to. Even have a 2nd burner phone with Speakout for Kijiji etc.
Social Distancing means staying apart 2 meters or 6 feet, the depth of a grave.
Get closer and you might have one foot in the grave. (Pass it on)
Deal Expert
Aug 18, 2005
19059 posts
3721 upvotes
Burlington-Hamilton
andrew4321 wrote: Low tech explanation of the events: Her teenage son had a few school buddies over. They smoked a joint and one of them took pictures of mom's card left on the kitchen counter. Or a small store clerk / restaurant worker took pictures / wrote down cc info.
I'm not saying that kids running amok doesn't happen.

It also does not explain how Rogers confirmed that she had 'cancelled' her phone.

Here's a good example of SIM jacking from a few years back:

Deal Addict
Sep 10, 2005
4115 posts
1326 upvotes
GTA
ROYinTO wrote: Can you dumb it down how they get access to all the services for me? I get that they can scam your number. I don't get how they can access your actual phone that is password protected.
I'm not a troll. Don't do social media. Limit who I give my cell # to. Even have a 2nd burner phone with Speakout for Kijiji etc.
The scammer doesn't get physical access to your phone. The scammer essentially steals your phone number so that all calls and texts end up going to his phone.

So, for instance, if your email account has your phone number associated to it, he can attempt to do an account recovery using your number. He would do something like click the "I forgot my password" option and the email provider will send a text to your phone number to verify the owner of the account. The text goes to his phone now and he gets a link or code to reset the password to your email account. Now he can change the password and access your emails and potentially many other accounts you have associated with this email address.

If you signed up to Amazon with this email address, he can probably access that now as well. If your bank account is signed up with this email address, now he might have access to that, etc. etc.
Deal Addict
Mar 3, 2018
1437 posts
1371 upvotes
GTA
Dave98 wrote: The scammer doesn't get physical access to your phone. The scammer essentially steals your phone number so that all calls and texts end up going to his phone.

So, for instance, if your email account has your phone number associated to it, he can attempt to do an account recovery using your number. He would do something like click the "I forgot my password" option and the email provider will send a text to your phone number to verify the owner of the account. The text goes to his phone now and he gets a link or code to reset the password to your email account. Now he can change the password and access your emails and potentially many other accounts you have associated with this email address.

If you signed up to Amazon with this email address, he can probably access that now as well. If your bank account is signed up with this email address, now he might have access to that, etc. etc.
Do you think using another phone number like your spouse's for 2FA on your accounts is an effective strategy? The scammer may have your email and phone number but your 2FA is set up under a different number.
Jr. Member
Nov 21, 2015
174 posts
154 upvotes
-37.68611 176.16667
DaveTheDude wrote: Do you think using another phone number like your spouse's for 2FA on your accounts is an effective strategy? The scammer may have your email and phone number but your 2FA is set up under a different number.
Yes. That works. I have 2FA texting to another tel. number.
Deal Expert
Aug 18, 2005
19059 posts
3721 upvotes
Burlington-Hamilton
DaveTheDude wrote: Do you think using another phone number like your spouse's for 2FA on your accounts is an effective strategy? The scammer may have your email and phone number but your 2FA is set up under a different number.
Some people do have a "secret" number to use for 2FA. If I want to do this, I would not use a spouse's number or any number that other people know about. I would have a totally separate line and / or a VoIP number to use for these cases. (VoIP numbers are comparatively cheap...)

As for myself, I avoid using phone/SMS-based 2FA to begin with. The points of failure are numerous, and you simply cannot control them. NEVER link a phone number for security wherever possible!
Where it's available, I always use the TOTP / Google Authenticator app-based option (example video) when available. I just save the TOTP seed / QR Code image in a password manager, and back up that database regularly. This way it's impossible to steal the account by stealing the phone number.

This does require a lot of diligence because you've got to keep your backups in order, otherwise you could truly get locked out of your accounts.

This is also why TD Canada Trust's new standard of requiring a phone number to keep for verification is absolute idiocy. I would never use TD for anything important.
Last edited by Jucius Maximus on Nov 20th, 2019 8:40 am, edited 1 time in total.