Haseeb Awan was sitting at his computer in his Mississauga condo one February morning, trying to make a phone call that just wouldn’t go through.
Initially, he brushed it off as a network issue – until an e-mail from his phone carrier landed in his inbox bearing the subject line, “We’re sorry to see you go.”
But Mr. Awan hadn’t cancelled his phone service, as the e-mail suggested he had. He had fallen prey to an increasingly prevalent scam referred to as “unauthorized porting” or simply “port fraud,” which occurs when a fraudster impersonates a customer and transfers their phone number to a different carrier in an attempt to gain access to their bank account through their banking app.
The growing incidence of port fraud, and its close relative, the “SIM swap,” has drawn the attention of law enforcement, anti-fraud officials and the telecom and banking industries.
Representatives of Canadian telecom companies have been meeting regularly to develop new procedures to tackle the recent spike in incidents, said Eric Smith, senior vice-president of the Canadian Wireless Telecommunications Association.
“They are looking at ways in which to put in some additional checks and balances to better ensure that a request for a port is a legitimate request," Mr. Smith said, adding, “This is a high priority for the industry.”
There are no national statistics available on the prevalence of SIM swaps and port fraud, and Canada’s largest carriers declined to say how many such incidents their customers have experienced. But a Telus spokesperson said efforts by fraudsters to gain access to customer accounts with the goal of accessing banking information are on the rise.
“As part of our commitment to protect our customers’ personal information, Telus has implemented a suite of proprietary security protocols designed to provide secure authentication of customers,” Richard Gilhooley said in an e-mail. Rogers also said it has implemented new measures to tackle unauthorized porting.
However, successfully fighting off the efforts of fraudsters will require collaboration not only between carriers but also between the telecom industry and the financial sector, according to EnStream LP, an identity-verification company.
A year ago, EnStream – which is owned by Canada’s three largest wireless companies, BCE Inc.'s Bell Canada, Rogers Communications Inc. and Telus Corp. – was having a hard time selling banks on the value of its identity-verification services. But the increase in fraud attempts and other cyberattacks has made the issue top of mind.
“Now, all of the Big Six are interested in doing something to get alerts about SIM changes," said Almis Ledas, EnStream’s president and chief operating officer.
Both port fraud and SIM swaps involve a fraudster impersonating a customer to take over their phone number and gain access to their accounts, including social-media and bank accounts.
In a SIM swap, the scammer calls the customer’s mobile service provider, claiming their phone has been lost or stolen and requesting to link the victim’s phone number to a new SIM card that the scammer controls.
The fraudster then downloads a bunch of popular apps, hits “lost password” on all of them and, after receiving verification codes by text message, is able to create a new password and take over the victim’s accounts.
The major difference in a port fraud is that instead of contacting the victim’s carrier, the scammer contacts a different wireless provider and requests that the victim’s number be ported over – taking advantage of rules meant to make it seamless for customers to switch wireless providers.
EnStream’s system allows a bank that is about to send a one-time password to someone’s phone by SMS to first check whether there were any recent changes to the customer’s wireless account, such as a SIM card change or a port. Currently, only one financial institution uses the technology routinely for all such password requests, while others are in various stages of testing, evaluating or discussing the technology.
“Banks are very cautious, slow-moving organizations," said Mr. Ledas, who has been in discussions with financial institutions for the past two years. “In given time, they will all be doing this, but they are not doing this today.”
Fortunately for Mr. Awan, the hacker didn’t manage to infiltrate his bank account, but the invasion of his privacy left him feeling shaken.
“It was a very stressful moment," said Mr. Awan, whose experience inspired him to launch an initiative called DontPort.com that uses a series of firewalls to prevent SIM hacks.
“It’s like you’re sitting at home and you know that someone entered your house without permission."
PUBLISHED DECEMBER 29, 2019
© Copyright 2020 The Globe and Mail Inc. All Rights Reserved.globeandmail.com and The Globe and Mail are divisions of The Globe and Mail Inc., The Globe and Mail Centre 351 King Street East, Suite 1600 Toronto, ON M5A 0N19 Phillip Crawley, Publisher