I was victim of a Sim Swap

DjPxH
DjPxH Posts: 24 ✭✭
edited July 23 in My Mobile

Hello all,

Earlier this evening my phone lost service and I soon as I started receiving emails about passwords changes I realised I was a victim of a Sim Swap. (They used sms to reset my email password)

How was this possible? My fizz account has a unique password, I never received any txts about a phone change nor calls.

What can be done to avoid this in the future?

Thankfully I was able to retrieve my number back by contacting a support agent who was helpful after confirming my identity and I believe no harm has been done.

I removed sms as two factor verification and added an authenticator on all of my account.

Anything I should do to avoid this and Fizz please allow us to lock our numbers or sim cards.

Anyone care to explain what might have happened? Support can't seem to explain.

Answers

  • elena code xzi4t
    elena code xzi4t Posts: 8,436 ✭✭

    Hi @DjPxH

    This is scarring me

    @Whizz can you please look on this

  • Whizz
    Whizz Posts: 23,047 admin

    Hello everyone, and thank you for reaching out DjPxH.

    This seems like an isolated case, however, we took note of it. We already tried to lower the chance of having your SIM card hijacked through a SIM swap, by authenticating you with documents that can prove your identity, as other people should not have access to them. 

    In addition, we suggest you have strong passwords for your Fizz accounts and use different passwords for each account, to be more secure. 

    Another tip would be to not reply to messages that appear to be spam or click on links you are not sure are legitimate. 

    Lastly, we can assure you that we will be at your disposal 24/7 and we will help you regain access to your account or SIM card as quickly as possible. 

    Have a good one!
    -Sergiu, Community Moderator

  • DjPxH
    DjPxH Posts: 24 ✭✭

    I already have my account back, thankfully I was not sleeping and realised soon enough what was happening.

    I always use unique generated passwords and obviously don't click on anything I shouldnt be.

    It shouldnt be that easy to simswap an user. There's no way the hacker got access to my credit card used on file as it's a fairly new one (used to verify identity on fizz chat)

    Can this be escalated as I need more info for the police report.

  • wenhan
    wenhan Posts: 1,174 ✭✭

    I'm not too sure how this is happening as well because for standard number ports we need to reply to the text to approve porting the number. unless they bribed an employee who was working for the company to directly change the sim for them.

    I dont think there is anything we can do to prevent things like this from our end. As far as I'm aware, sim swap tricks the customer service agents into switching the sim. So it may be possible your data was hacked and leaked somewhere to allow them to do this. Keep in mind that if they changed your account passwords as well, they must be aware of certain other information you have. I would look into getting a identity theft/fraud alert service.

  • DjPxH
    DjPxH Posts: 24 ✭✭
  • jvh_NVPF2
    jvh_NVPF2 Posts: 890 ✭✭
    edited July 23

    It's a shame we still use text 2FA as it's unsafe.

    If you're able to, swap the services you do use over to TOTP if it's available.

    I recommend the app Aegis as it works for every service that doesn't implement their own TOTP algorithm (Steam being the outlier). Google and Microsoft will "fight" you (annoying extra steps) to use your own app but TOTP is standardized so they will let you use any app so long as you have the QR scan parameters.

  • DjPxH
    DjPxH Posts: 24 ✭✭

    Thanks for the advice, I changed 2FA everywhere I could think of. I knew it wasn't safe but didn't think it could happen so easily.

  • M T. #12340
    M T. #12340 Posts: 737 ✭✭

    There is nothing that you can do beside stop using 2FA.

    As mentioned by wehnan, you supposed to receive an sms to approve the port out and you did not.

    Fizz needs to do their owner internal investigation.

  • DjPxH
    DjPxH Posts: 24 ✭✭

    I tend to believe it was a sim swap instead of a number port, well according to chat support. I wish an email or sms was sent when a sim is replaced. As far as I know e-sim is not supported by sim, so they would need an actual Fizz sim card? Is it safe to assume that if that's the case, it's most likely someone locally?

    Or am I mixing things up. I need to understand, especially why no flag was raised on Fizz side. Don't get me wrong, I love the company and i'm sure it could happen at other providers but actions need to be taken.

  • zipilgrim
    zipilgrim Posts: 139 ✭✭

    Sorry to hear this happened, glad you have your account back. This is scary, I didn't think it was so easy to bypass 2FA. Thanks for sharing your story, I think I'll go see what I can do about moving away from it too.

  • DjPxH
    DjPxH Posts: 24 ✭✭

    Thank you for your support. As stated above, moving away from sms 2FA is your best option.

    This!

  • jvh_NVPF2
    jvh_NVPF2 Posts: 890 ✭✭

    SIM swapping attacks typically involve an employee of the carrier.

    In short, they most likely used stolen credentials from a data breach to verify it was you and asked support to swap the SIMs.

    https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping

  • DjPxH
    DjPxH Posts: 24 ✭✭

    If that's the case, when I contacted fizz for my number back, they asked a picture of a piece of ID and a picture of my last digits of my CC used for the account. There's no way the attacker had a picture of my CC to confirm his identity for the sim swap. :(

  • BeakBird
    BeakBird Posts: 3,587 ✭✭

    This happened to me with a previous carrier. On top of the swap I began receiving hundreds of spam emails every hour. They were hoping that I wouldn't go through all the my emails and see the legit ones from the purchases they made.

    I suspect it was probably an insider from the carrier.

  • DjPxH
    DjPxH Posts: 24 ✭✭

    Sorry to hear that. I also suspect an inside job unfortunately as I was not notified of any changes.

  • BeakBird
    BeakBird Posts: 3,587 ✭✭

    Neither was I. I noticed that I had no phone service. Nothing from the carrier.

  • Andrei_ref_R7VK1
    Andrei_ref_R7VK1 Posts: 8,121 ✭✭

    Most of Fizz support is outside of Canada. Unfortunately for a relatively small amount of money an attacker can "buy" an employee there and have all the required data. @Whizz please check this internally, as this is very serious case.

  • DjPxH
    DjPxH Posts: 24 ✭✭
    edited July 23

    Thanks for the support. I should also add that both of my numbers where Sim Swapped (within minutes), my second number which only two family members know the existence (only used as emergency number). So someone either had access to my account (while using a very unique generated password) or internal access.

  • Kejinsan CODE VB5UM
    Kejinsan CODE VB5UM Posts: 7,516 ✭✭

    I'm extremely sorry to hear that... It has to be an inside job forsure. I'm speechless about all this situation. Stay strong brother.

  • Andrei_ref_R7VK1
    Andrei_ref_R7VK1 Posts: 8,121 ✭✭

    So this "confirms" it was an internal employee "fault".

  • elena code xzi4t
    elena code xzi4t Posts: 8,436 ✭✭
    edited July 23

    Hi @DjPxH

    reading over and over your post (since I am scare about what happen to you) I have a couple of questions

    • The SIM swap was done with another provider or with Fizz
    • Is your email compromised too? If I remember correctly, if you do the procedure to recover a lost password an email should be sent in order to authorize the reset

    You should contact the GRC in order to see the next step

  • DjPxH
    DjPxH Posts: 24 ✭✭

    I have no idea. I lost service without any warnings, I contacted chat support which told me no request was made in my account but they did see the swap and reversed it after I confirmed my identity.

    My email was not compromised until I lost my phone number, he used sms 2fa to reset my password.

  • elena code xzi4t
    elena code xzi4t Posts: 8,436 ✭✭
    edited July 23

    You and Fizz should contact law enforcement, not just for yourself, but also for us, one of us can be the next one

  • Whizz
    Whizz Posts: 23,047 admin

    Thank you everyone for your messages on the thread.

    To follow up on the previous message, we want to assure you that no employee was involved in this situation. A supervisor has verified the account, and our records indicate that the initial sim swaps were not performed by an agent.

    To ensure your security, we have escalated this situation to our security department for further investigation. Should we uncover any new information, we will promptly notify you by email. 

    In the meantime, we recommend that you change the password for your email account to protect against potential phishing attempts. Here are a few tips for creating a strong password:

    Use a mix of upper and lower case letters, numbers, and special characters.
    Avoid using easily guessable information such as birthdays or common words.
    Consider using a password manager to generate and store unique passwords.

    We apologize for any inconvenience this may have caused and appreciate your understanding and patience as we work to resolve this matter.

    You can also consider the suggestions the other community members provided in this post. 

    We are always at your disposal and you can contact us privately using this FAQ https://fizz.ca/en/support..

    Have a good one!
    -Sergiu, Community Moderator.

This discussion has been closed.