Shopping Discussion

SIM Transfer fraud (ID theft?)

  • Last Updated:
  • May 9th, 2020 10:11 pm
[OP]
Deal Fanatic
Dec 11, 2008
6752 posts
2705 upvotes
Montreal

SIM Transfer fraud (ID theft?)

My mobile phone stopped working this morning so I gave Fido a call.
I was told that my number was transfered to another company (Lucky Mobile).

So I guess someone has all the information needed to transfer my number...
Fido is cancelling the transfer and sending me a new sim.
Changed my bank account's, credit card's and paypal's phone to my wife's. (And other non financial stuff like Google and social media)
I monitor my credit with RBC and the next update is coming next week, so I'll see if there are any new account requests.
What else should I do now? Or is there anything I can do about this?
70 replies
Deal Expert
User avatar
May 22, 2005
20034 posts
5426 upvotes
Good Morning
All your passwords needs a full sweep. This is my nightmare. Now that I am at home all the time, I wouldn't even know I would loose connection since I am on WiFi.


I am just gonna disable WiFi for a while, my mental health hasn't been great recently :(

I hope your cases are quickly resolved so you can move on. Goodluck!
Deal Expert
Jan 7, 2002
21864 posts
16200 upvotes
Waterloo, ON
Madevilz wrote: What else should I do now? Or is there anything I can do about this?
Ask Fido to put a PIN on your account. That way changes to your account, including port-outs, require that PIN. So even if a fraudster knows your phone number, even if it's because they stole your phone and wallet, without that PIN Fido isn't supposed to let anyone make changes to your account.

Nevertheless there have been reports of fraudsters "social engineering" their way around security checks, e.g. Winnipeg woman says scammers stole her mobile phone number | CBC News and Someone stole your cell number? Acting fast is critical, this industry expert says. I don't know if it's possible but you might want to ask Fido to put a note on your account that you want them to enforce the PIN requirement without exception, i.e. the onus is on you not to forget it.
veni, vidi, Visa
[OP]
Deal Fanatic
Dec 11, 2008
6752 posts
2705 upvotes
Montreal
bylo wrote: Ask Fido to put a PIN on your account. That way changes to your account, including port-outs, require that PIN. So even if a fraudster knows your phone number, even if it's because they stole your phone and wallet, without that PIN Fido isn't supposed to let anyone make changes to your account.

Nevertheless there have been reports of fraudsters "social engineering" their way around security checks, e.g. Winnipeg woman says scammers stole her mobile phone number | CBC News and Someone stole your cell number? Acting fast is critical, this industry expert says. I don't know if it's possible but you might want to ask Fido to put a note on your account that you want them to enforce the PIN requirement without exception, i.e. the onus is on you not to forget it.
Thanks for letting me know. Wonder why the Fido fraud center didn't say anything about the PIN.
They told me they locked our numbers and that they can't be transferred anymore. They are supposed to call me back, i'll ask for the PIN.
Jr. Member
Jul 22, 2007
141 posts
34 upvotes
Ottawa, ON
The danger of this event (being ported out without knowing, seemingly) is greatly exaggerated.
There is no financial loss to legitimate owner, nor gain to the would-be thief, to port-out a number (porting out a number to another cell-provider always requires a New Account. But a new account requires some Identifications, (or/and) a credit-card.
Some error/mistakes might have occurred, but certainly this doesn't look like someone trying to steal your money.
Notice: Porting out a number doesn't ask for, never asked for, doesn't require providing, of any financial info. You can port out just having your Number and one of the following: PIN, or Old customer Number, or IMEI of the phone. Why is it so easy ? Because there is nothing to gain out of it.
Member
Apr 10, 2020
273 posts
1046 upvotes
sintox wrote: The danger of this event (being ported out without knowing, seemingly) is greatly exaggerated.
There is no financial loss to legitimate owner, nor gain to the would-be thief, to port-out a number (porting out a number to another cell-provider always requires a New Account. But a new account requires some Identifications, (or/and) a credit-card.
Some error/mistakes might have occurred, but certainly this doesn't look like someone trying to steal your money.
Notice: Porting out a number doesn't ask for, never asked for, doesn't require providing, of any financial info. You can port out just having your Number and one of the following: PIN, or Old customer Number, or IMEI of the phone. Why is it so easy ? Because there is nothing to gain out of it.
There is a financial loss. A lot of companies these days link your phone number to your account for the authentication process. If you plan to reset your password or make any electronic transactions, you'll likely get a text message to your number. Someone having control of your number can possibly do a lot of damage. If there is nothing to gain out of it, why do scammers bother to do the SIM transfer?
Deal Fanatic
Dec 5, 2006
9268 posts
4552 upvotes
Markham
Should OP put some kind alerts in credit bureau?
Deal Guru
User avatar
Oct 24, 2012
11539 posts
2541 upvotes
Montreal
GeneralStore wrote: There is a financial loss. A lot of companies these days link your phone number to your account for the authentication process. If you plan to reset your password or make any electronic transactions, you'll likely get a text message to your number. Someone having control of your number can possibly do a lot of damage. If there is nothing to gain out of it, why do scammers bother to do the SIM transfer?
Exactly this : The SIM theft is to be able to access other accounts that require 2FA (Banking, confidential info emails).

I've seen a personnal accountant have his number ported out fraudulently and it was a huge hassle for him to warn every of his client about potential ID theft since the criminal who ported the number managed to reset his professional email account using 2FA.
[OP]
Deal Fanatic
Dec 11, 2008
6752 posts
2705 upvotes
Montreal
smartie wrote: Should OP put some kind alerts in credit bureau?
Should I? And how do I do this?
Trying to google "credit bureau canada" for some kind of contact, couldn't find anything other than transunion's and equifax's website.
Jr. Member
Jul 22, 2007
141 posts
34 upvotes
Ottawa, ON
Any hint on which Can banks ? Coz there are only 8-10 banks, and my two banks doesn't allow to change creds with texting. Also remember there is a limit on sending money without leaving traces (Why the limit ? Because the bank will reverse or refund customers who report fraudulent trans, so they (banks) want to keep it within limit).
Deal Expert
Jan 7, 2002
21864 posts
16200 upvotes
Waterloo, ON
GeneralStore wrote: There is a financial loss. A lot of companies these days link your phone number to your account for the authentication process. If you plan to reset your password or make any electronic transactions, you'll likely get a text message to your number. Someone having control of your number can possibly do a lot of damage. If there is nothing to gain out of it, why do scammers bother to do the SIM transfer?
Indeed. Some banks now require 2FA to login to your account. Email systems also strongly encourage 2FA. So while SIM porting alone doesn't let a hacker cause financial loss, it's one factor that they need to do it. Once a hacker breaks into your email account they can find relevant info like bank account and credit card numbers, name and address, date of birth, SIN, etc. that they can use in conjunction with your phone number to login to your bank's online system. Even if they don't have your bank login password there's enough to social engineer their way to a password reset. From there they can do funds transfer and cause other losses. The same sort of info can get them into your Amazon account to make unauthorized purchases and so on. Google will provide countless examples of clever use of individual pieces of information to complete a jig-saw puzzle of someone's identity.

While the theft of a phone number may seem to be a mere inconvenience, in the hands of a hacker it's pure gold.
veni, vidi, Visa
Member
Apr 10, 2020
273 posts
1046 upvotes
Madevilz wrote: thanks

Is this a case for Fraud Warning?
Also, is it a free service?
I would consider it more as a fraud alert, since there isn't any confirmation of any misuse. You can place a fraud alert for free with Equifax, but you will need to pay for TransUnion.
Deal Expert
Mar 25, 2005
21808 posts
2602 upvotes
sintox wrote: The danger of this event (being ported out without knowing, seemingly) is greatly exaggerated.
There is no financial loss to legitimate owner, nor gain to the would-be thief, to port-out a number (porting out a number to another cell-provider always requires a New Account. But a new account requires some Identifications, (or/and) a credit-card.
Some error/mistakes might have occurred, but certainly this doesn't look like someone trying to steal your money.
Notice: Porting out a number doesn't ask for, never asked for, doesn't require providing, of any financial info. You can port out just having your Number and one of the following: PIN, or Old customer Number, or IMEI of the phone. Why is it so easy ? Because there is nothing to gain out of it.
sintox wrote: Any hint on which Can banks ? Coz there are only 8-10 banks, and my two banks doesn't allow to change creds with texting. Also remember there is a limit on sending money without leaving traces (Why the limit ? Because the bank will reverse or refund customers who report fraudulent trans, so they (banks) want to keep it within limit).
This is completely false and misguided.

As other posters have identified the ability to intercept or hijack 2FA is a major security flaw. TD only offers 2FA via text, which is idiotic. You don't "change creds" with 2FA, it's a requirement to log in.

Also not sure how you'd move any amount of money "without a trace?" Every transaction is logged.
Member
Apr 10, 2020
273 posts
1046 upvotes
Madevilz wrote: thanks

Is this a case for Fraud Warning?
Also, is it a free service?
I stand corrected - TransUnion offers it for free if you do it online on their self-service website. You only have to pay if you do it by telephone or mail.
Deal Addict
User avatar
Apr 12, 2013
1883 posts
831 upvotes
Markham
good chance someone stole your bill which has your account number, in order to port your number you need to do that. The more reason for online billing. Also double check your passwords as said by the others.
[FS] BNWT Bellfield Faux Fur Trim Parka

Koodo, Public Mobile, Lucky Mobile Customer
Jr. Member
Jul 22, 2007
141 posts
34 upvotes
Ottawa, ON
Before everyone gets over excited about being victimized, remember that porting-out always requires an ID, or/and, a Credit-card/Debit card (from a Can bank/inst). So that's the trace. Some hard-head will try to counter-argue with: "But maybe they stole the credit-card from other person too". Then the argument will never end because as soon as one method of prevention is presented, you will say: But he has that stolen too. There is no end.

About no trace, one can take money without trace (other than a hooded shadow) by using ATM withdrawal. But the ATM-PIN has no relationship with email creds. ATM-pin can never changed with email or texting. At any rate, the amount there, is not a concern at all (banks-wise). As for other ways (larger amount) to another Can bank/inst, then there is a trace behind, so the thief will hear the police very very soon. As for withdrawing money to an oversea bank/inst, then the Can bank/inst WILL call confirm you before any significant amount is actually transferred.
Last edited by sintox on May 6th, 2020 1:53 pm, edited 1 time in total.
Deal Addict
User avatar
Sep 10, 2005
4633 posts
1958 upvotes
GTA
I feel like I need to clear up this misunderstanding that I keep seeing in these SIM hijack threads. People keep making this mistake that this has to do with 2FA when it doesn't.

The issue here is online services allowing password resets via phone number. It's not about bypassing 2FA

Top