CRTC asks carriers to crack down on SIM card fraud
Thieves are hijacking cell phone numbers to reset account passwords and steal from Canadians. They do it by using two-factor authentication links sent by text message to gain access to email, to apps through Apple accounts, and to information stored in the cloud.
For months now CTV News has been reporting on SIM card theft. That’s where thieves hijack your cellphone number to move it to another carrier. It’s called porting your number. We’ve reported how the carriers have made it so easy to move from one cell service to another that thieves have been able to easily take over numbers.
We’ve reported how customers said their number was moved by using only the name of the carrier, the name of the cell customer and the carrier account number linked to the phone number. We’ve also demonstrated how customer service representatives at cell companies can be easily tricked into providing some of that information to thieves.
Once your number has been hijacked, the culprits can gain access to your financial accounts. Often that’s done by using two-factor authentication to reset passwords with a code or link sent via text message. Once they gain access to email, Apple logins, etc., they can eventually gain access to financial accounts.
We’ve reported on several cases where victims have lost thousands of dollars to the scam. Just recently a Saskatchewan farming family said they had hundreds of thousands stolen from their farm operating accounts after a cell phone number was hijacked.
On Jan. 15, the Canadian Radio-television and Telecommunications Commission sent a notice to cellphone carriers demanding answers, stating: "The commission has become aware that certain Canadian mobile customers have been subject to fraudulent activity involving unauthorized porting of their mobile phone numbers."
The Canadian Wireless Telecommunications Association (CWTA) administers the phone porting rules, but the CRTC is asking whether the guidelines are being followed.
In 2011 (see Telecom Regulatory Policy 2011-191), the Commission required that customer confirmation be obtained through one of the following methods:
• written order confirmation
• oral order confirmation verified through an independent third party
• electronic order confirmation by the use of a toll-free number
• electronic order confirmation via the Internet
• oral order confirmation where an audio recording of the consent is retained by the new service provider
• order confirmation obtained through other methods, as long as an objective documented record of customer consent is created by the customer or by an independent third party
The CRTC wants to know how unauthorized ports are happening. It also wants data from the CWTA and its member carriers about the prevalence of SIM swapping in Canada and the number of instances at each carrier over the last six months.
It also wants a description of the information carriers obtain from customers as part of the process to port numbers to a different carrier and how it’s used or verified before the switch happens.
In addition to other information requested, the CRTC wants to know how the industry is going to deal with unauthorized fraudulent ports and SIM swapping.
Some suggestions from industry members have included requiring a PIN to protect numbers from being ported, and requiring cell phone customers to confirm, by responding to a text message or link, that they actually requested a change to another carrier.
The CRTC has given the cell industry until Feb. 14 to respond.