Ross McLaughlin and Sandra Hermiston, CTV Vancouver
Published Tuesday, October 23, 2018 6:00AM PDT
Last Updated Tuesday, October 23, 2018 7:03PM PDT
In today’s online world, security is becoming a game of Whac-A-Mole. Just when you think you’ve locked everything down, up pops another tactic to steal your identity.
Erynn Tomlinson, who works in the digital world, thought she had taken all the necessary steps to protect herself, but still lost more than $30,000 after thieves were able to steal her identity. She says they did it by hijacking her phone number and she blames her cellphone provider for not doing a better job to protect her.
Tomlinson had set up two-factor authentication –which involves registering to receive a security code via text message or email in order to log into your accounts.
However, hackers were able to hijack her phone number to by-pass that security measure. Once thieves had her number, she says using 2FA sent via text, they were able to reset her password to her email account, and then gain access to her Apple account, apps in the cloud and eventually her money.
“That device is only kept safe and protected by your phone provider, so in this case Rogers," Tomlinson said.
She says thieves got Rogers to activate a new SIM card by impersonating her.
“They would say things like 'I forget what credit card is on file. Can you give me that?' And the agent would give them the last four digits," she said, “or they would say, 'I have the wrong birthdate on file my ex-husband called and changed it and I don't remember his'”.
The imposter dropped in and out of at least eight online chats trying to gain access to her account.
"They know how to get little bits of pieces of information and combine them together to recreate the whole of that person," said Simon Fraser University tech expert, Peter Chow-White.
Rogers online chat uses an initial verification process that includes a link to a form to fill out. The form requires customers to answer basic questions, like date of birth, name and phone number, before the customer service can continue.
Tomlinson provided CTV news with a copy of the online chat history she says she obtained from Rogers as part of her rights under privacy laws.
It shows, in one chat session, the imposter failed to get the postal code right and the agent directed them to go into a Rogers store to show their identification to be authenticated.
Yet, other chat sessions indicate that after the initial verification questions, the imposter got different Rogers representatives to reveal different bits of information about Tomlinson’s account, including the email address on the account, the account number, the date of birth, credit card information on the account, the previous month’s bill and the amount of data she had on her plan.
A Rogers representative also confirmed that the notes on the account indicated at one point, there had been ‘possible fraud.'
But eventually the imposter was authenticated and a new SIM card was activated allowing thieves to take over her number on a different phone. Tomlinson says after that happened, it took only about 20 minutes for the imposter to gain access to her financial accounts.
"This shouldn't have been done on chat or over the phone. This should require somebody to go into Rogers with two pieces of identification to make this change," Tomlinson said.
In an emailed statement to CTV News, Rogers said “we take our customers' privacy very seriously. Our Privacy Office and Corporate Investigations team are investigating this case and working with authorities to provide them with any assistance they need."
Hackers are able to gather information about you in other places like social media and through phishing attempts but Tomlinson is holding Rogers accountable, saying the company had a responsibility to protect her privacy. She has now filed a civil lawsuit seeking damages.
The company would not answer any specific questions about how or why it happened. However, Rogers does have voice recognition security measures in place that customers can activate.
Customers can also set up a personal identification number on their accounts. Tomlinson says she’s now done that.
There are also authentication apps you can use instead of text messages to get security codes. A code is sent to an app which requires another password to access it.