I was a victim of a SIM swap
Hello all,
Earlier this evening my phone lost service, and as soon as I started receiving emails about password changes I realised I was a victim of a SIM swap. (They used SMS to reset my email password.)
How was this possible? My Fizz account has a unique password, and I never received any texts about a phone change, nor any calls.
What can be done to avoid this in the future?
Thankfully I was able to retrieve my number back by contacting a support agent who was helpful after confirming my identity and I believe no harm has been done.
I removed SMS as two-factor verification and added an authenticator on all of my accounts.
Is there anything I should do to avoid this? And Fizz, please allow us to lock our numbers or SIM cards.
Anyone care to explain what might have happened? Support can't seem to explain.
Answers
Hello everyone, and thank you for reaching out DjPxH.
This seems like an isolated case; however, we took note of it. We already tried to lower the chance of having your SIM card hijacked through a SIM swap by authenticating you with documents that can prove your identity, as other people should not have access to them.
In addition, we suggest you have strong passwords for your Fizz accounts and use different passwords for each account, to be more secure.
Another tip would be to not reply to messages that appear to be spam or click on links you are not sure are legitimate.
Lastly, we can assure you that we will be at your disposal 24/7 and we will help you regain access to your account or SIM card as quickly as possible.
Have a good one!
-Sergiu, Community Moderator
0 -
I already have my account back; thankfully I was not sleeping and realised soon enough what was happening.
I always use unique generated passwords and obviously don't click on anything I shouldn't be.
It shouldn't be that easy to SIM swap a user. There's no way the hacker got access to my credit card used on file, as it's a fairly new one (used to verify identity on Fizz chat).
Can this be escalated, as I need more info for the police report?
0 -
I'm not too sure how this is happening as well, because for standard number ports we need to reply to the text to approve porting the number, unless they bribed an employee who was working for the company to directly change the SIM for them.
I don't think there is anything we can do to prevent things like this from our end. As far as I'm aware, a SIM swap tricks the customer service agents into switching the SIM. So it may be possible your data was hacked and leaked somewhere to allow them to do this. Keep in mind that if they changed your account passwords as well, they must be aware of certain other information you have. I would look into getting an identity theft/fraud alert service.
0 -
Will do, thank you very much for your input.
0 -
It's a shame we still use text 2FA as it's unsafe.
If you're able to, swap the services you do use over to TOTP if it's available.
I recommend the app Aegis as it works for every service that doesn't implement their own TOTP algorithm (Steam being the outlier). Google and Microsoft will "fight" you (annoying extra steps) to use your own app but TOTP is standardized so they will let you use any app so long as you have the QR scan parameters.
1 -
Thanks for the advice, I changed 2FA everywhere I could think of. I knew it wasn't safe but didn't think it could happen so easily.
0 -
There is nothing that you can do besides stop using 2FA.
As mentioned by wehnan, you are supposed to receive an SMS to approve the port-out and you did not.
Fizz needs to do their own internal investigation.
2 -
I tend to believe it was a SIM swap instead of a number port, well, according to chat support. I wish an email or SMS was sent when a SIM is replaced. As far as I know e-SIM is not supported by sim, so they would need an actual Fizz SIM card? Is it safe to assume that if that's the case, it's most likely someone locally?
Or am I mixing things up? I need to understand, especially why no flag was raised on Fizz's side. Don't get me wrong, I love the company and I'm sure it could happen at other providers, but actions need to be taken.
0 -
Sorry to hear this happened, glad you have your account back. This is scary, I didn't think it was so easy to bypass 2FA. Thanks for sharing your story, I think I'll go see what I can do about moving away from it too.
0 -
Thank you for your support. As stated above, moving away from SMS 2FA is your best option.
This!
0 -
SIM swapping attacks typically involve an employee of the carrier.
In short, they most likely used stolen credentials from a data breach to verify it was you and asked support to swap the SIMs.
1 -
If that's the case, when I contacted Fizz for my number back, they asked for a picture of a piece of ID and a picture of the last digits of my CC used for the account. There's no way the attacker had a picture of my CC to confirm his identity for the SIM swap. :(
0 -
This happened to me with a previous carrier. On top of the swap I began receiving hundreds of spam emails every hour. They were hoping that I wouldn't go through all my emails and see the legit ones from the purchases they made.
I suspect it was probably an insider from the carrier.
1 -
Sorry to hear that. I also suspect an inside job unfortunately as I was not notified of any changes.
1 -
Neither was I. I noticed that I had no phone service. Nothing from the carrier.
0 -
Most of Fizz support is outside of Canada. Unfortunately, for a relatively small amount of money an attacker can "buy" an employee there and have all the required data. @Whizz please check this internally, as this is a very serious case.
0 -
Thanks for the support. I should also add that both of my numbers were SIM swapped (within minutes), including my second number, whose existence only two family members know (only used as an emergency number). So someone either had access to my account (while using a very unique generated password) or internal access.
0 -
I'm extremely sorry to hear that... It has to be an inside job for sure. I'm speechless about this whole situation. Stay strong brother.
1 -
Much appreciated. Thank you!
1 -
So this "confirms" it was an internal employee "fault".
1 -
Hi @DjPxH
Reading your post over and over (since I am scared about what happened to you), I have a couple of questions:
- Was the SIM swap done with another provider or with Fizz?
- Is your email compromised too? If I remember correctly, if you do the procedure to recover a lost password, an email should be sent in order to authorize the reset.
You should contact the GRC in order to see the next step.
1 -
I have no idea. I lost service without any warning. I contacted chat support, which told me no request was made in my account, but they did see the swap and reversed it after I confirmed my identity.
My email was not compromised until I lost my phone number; he used SMS 2FA to reset my password.
0 -
You and Fizz should contact law enforcement, not just for yourself, but also for us; one of us can be the next one.
2 -
Thank you everyone for your messages on the thread.
To follow up on the previous message, we want to assure you that no employee was involved in this situation. A supervisor has verified the account, and our records indicate that the initial SIM swaps were not performed by an agent.
To ensure your security, we have escalated this situation to our security department for further investigation. Should we uncover any new information, we will promptly notify you by email.
In the meantime, we recommend that you change the password for your email account to protect against potential phishing attempts. Here are a few tips for creating a strong password:
- Use a mix of upper and lower case letters, numbers, and special characters.
- Avoid using easily guessable information such as birthdays or common words.
- Consider using a password manager to generate and store unique passwords.
We apologize for any inconvenience this may have caused and appreciate your understanding and patience as we work to resolve this matter. You can also consider the suggestions the other community members provided in this post.
We are always at your disposal and you can contact us privately using this FAQ: https://fizz.ca/en/support.
Have a good one!
-Sergiu, Community Moderator
1