Protect SIM
Hi @Whizz
I would like to offer a suggestion for a problem that you are already analyzing. This may not be the best solution or the solution, but I believe it could be helpful.
Regarding SIM swapping, you should enable a flag to lock the SIM swap process. If a member contacts you to replace a lost, broken, or stolen SIM, you should put the request on hold for 12 hours. During this time, send an email/SMS notification to inform the member that the procedure has started and will be completed in 12 hours. This will give them an opportunity to take action if there is any wrongdoing.
This feature should be enabled for every member by default, and be sure to inform all users about this new feature.
It should be possible to disable it if desired/needed; if it is disabled, a couple of hours should probably pass before that takes effect, and the member should likewise be informed by SMS/email that the feature was disabled.
Disabling should probably be temporary: it should remain disabled for a specific period, such as 24 hours.
Also add some MFA, such as OTP, for our accounts; it can be optional to start.
For the members, feel free to comment on this, but please avoid using this post as an opportunity to score points. You have the break room for that.
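The hold-and-notify flow proposed in the post above, as an added example that is not code from the original post or from Fizz: a small Python model of the SIM protection flag, the 12-hour hold with a cancellation window, and the delayed, temporary disable. The two-hour grace before a disable takes effect, the notification channels and the account fields are assumptions chosen to match the post's wording; timestamps are plain integers so the flow can be exercised without a real clock. Completion notices go out by email only, since SMS would already reach the new SIM.

```python
"""Model of a SIM-swap hold-and-notify flow (illustrative; not Fizz's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

HOLD_SECONDS = 12 * 3600              # hold period from the proposal
DISABLE_GRACE_SECONDS = 2 * 3600      # assumption: "a couple of hours" before a disable takes effect
DISABLE_DURATION_SECONDS = 24 * 3600  # a disable is temporary, as proposed


class SwapState(Enum):
    PENDING = "pending"
    COMPLETED = "completed"
    CANCELLED = "cancelled"


@dataclass
class Account:
    email: str
    msisdn: str
    # Window [start, end) during which SIM protection is switched off; None means always on.
    protection_off: Optional[Tuple[int, int]] = None
    notifications: List[Tuple[str, str]] = field(default_factory=list)

    def protection_active(self, now: int) -> bool:
        if self.protection_off is None:
            return True
        start, end = self.protection_off
        return not (start <= now < end)


@dataclass
class SwapRequest:
    account: Account
    requested_at: int
    execute_at: int
    state: SwapState = SwapState.PENDING


class SimSwapService:
    def __init__(self) -> None:
        self.requests: List[SwapRequest] = []

    @staticmethod
    def _notify(account: Account, message: str, sms: bool = True) -> None:
        # Email always; SMS only while the number still belongs to the member.
        account.notifications.append(("email", message))
        if sms:
            account.notifications.append(("sms", message))

    def disable_protection(self, account: Account, now: int) -> None:
        """Disable takes effect after a grace period and expires on its own."""
        start = now + DISABLE_GRACE_SECONDS
        account.protection_off = (start, start + DISABLE_DURATION_SECONDS)
        self._notify(account, f"SIM protection will be off from t={start} "
                              f"for {DISABLE_DURATION_SECONDS // 3600} hours")

    def enable_protection(self, account: Account, now: int) -> None:
        account.protection_off = None
        self._notify(account, f"SIM protection enabled at t={now}")

    def request_swap(self, account: Account, now: int) -> SwapRequest:
        """Hold the swap while protection is active; otherwise execute immediately."""
        if account.protection_active(now):
            execute_at = now + HOLD_SECONDS
            self._notify(account, f"SIM swap requested; completes at t={execute_at} unless cancelled")
        else:
            execute_at = now
        req = SwapRequest(account, now, execute_at)
        self.requests.append(req)
        self.process_due(now)
        return req

    def cancel_swap(self, req: SwapRequest, now: int) -> bool:
        """The member (or support) can cancel any time before the hold expires."""
        if req.state is SwapState.PENDING and now < req.execute_at:
            req.state = SwapState.CANCELLED
            self._notify(req.account, "SIM swap cancelled")
            return True
        return False

    def process_due(self, now: int) -> List[SwapRequest]:
        """Complete every pending request whose hold has expired."""
        done = []
        for req in self.requests:
            if req.state is SwapState.PENDING and req.execute_at <= now:
                req.state = SwapState.COMPLETED
                # SMS would now reach the new SIM, so only email is used here.
                self._notify(req.account, "SIM swap completed", sms=False)
                done.append(req)
        return done
```

`process_due` would be driven by a scheduler in a real system; here it is called on demand so the state transitions can be checked at chosen instants.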
Answers
I think Fizz needs to implement better screening to verify the user's identity before going ahead with any requests like switching the number to a different SIM card. Inherently, it is easier to impersonate someone through chat than through a call, for example because there is no voice authentication. Some banks will also send an OTP to your email during the call to verify your identity before they proceed further. Currently, just providing two pictures of two pieces of identification to Fizz to initiate a swap does not seem sufficient compared to other service providers.
Based on what some other members who experienced SIM swaps said, they use randomly generated passwords for their Fizz account, which leads me to suspect the perpetrators are contacting support without logging into the accounts. Requests for a SIM swap without being logged into the account need to be further scrutinized.
Regarding the suggestion of holding the request for 12h, I think this should not be implemented, as the intended purpose of the system is to help people who have lost, stolen or broken SIM cards. If I'm in this situation, I would not want to wait a further 12h before I can regain access to my phone number. I do agree that if a swap has been processed, there should be a notification sent out to the registered email of the account. SMS would not work, as the number would have already been swapped to the scammer's phone.
4 -
Couldn't agree more on everything you just said.
1 -
> Regarding the suggestion of holding the request for 12h, I think this should not be implemented, as the intended purpose of the system is to help people who have lost, stolen or broken SIM cards. If I'm in this situation, I would not want to wait a further 12h before I can regain access to my phone number. I do agree that if a swap has been processed, there should be a notification sent out to the registered email of the account. SMS would not work, as the number would have already been swapped to the scammer's phone.
This is why I said you need SIM protection in your account: if it is enabled, you should either disable it or wait. It could also be possible to confirm the swap by email; if you have lost control of your Fizz account and your email, the problem is probably somewhere else.
3 -
Most of these attacks have been through resetting passwords through email.
The best course of action is to change 2FA from SMS to TOTP or any hardware based alternative.
If you use a password manager and the attacker is unable to log in because they are using SMS 2FA to reset passwords to gain access to your account, TOTP on your email will stop them in their tracks.
Almost every email provider supports TOTP, and it is a very simple change.
2 -
2FA not based on a device or email should be a must; the government is pushing for it.
3 -
> Most of these attacks have been through resetting passwords through email.
I didn't get that point, since a member reported that the password was changed using SMS, but for me it uses email if I use the forgot-password procedure.
For sure, we need to push for the checks.
2 -
> since a member reported that the password was changed using SMS
I don't think any company/service sends password reset links through SMS but I could be wrong.
They use SMS to reset your email password which now they can use to reset passwords to other accounts.
The best way to protect yourself temporarily is to set up TOTP on your email to lock them down for now while Fizz investigates the issue.
0 -
What is even scarier is that most of our big Canadian Financial Institutions (FI) don't use proper 2FA. They implement these in their own apps most of the time.
If anyone has banking with a big FI and has significant cash holdings/TFSA/RRSP, please switch your authentication away from SMS and to something more secure like their own banking app or email 2FA (then lock down your email with TOTP).
1 -
The hackers have had access to every single identity document stored on my OneDrive, which is now inaccessible due to negligence on Fizz's part. I will be at risk of fraud until the day I die because of this.
Granted, I should have used Google Authenticator and not text 2FA, but this doesn't take away from the fact that there is substantial responsibility on Fizz, and the lack of information right now is very frustrating.
Whizz has said previously that these line transfers have not been initiated by employees. We can't do them ourselves, so how is it happening?
0 -
I think many users are eager to find out how this happened and what will be done to prevent it from happening again.
2 -
I don't mean to beat you while you're down but a bit of advice, ideally you shouldn't keep sensitive documents in the cloud as they say, "the cloud is just another man's pc."
You can't trust cloud providers to keep out of your documents, much less other malicious actors.
Try to keep those documents local and on an encrypted drive if possible.
1 -
I always keep my documents compressed and encrypted (AES-256) in password protected RAR files. That way it doesn't matter as much where they are stored.
1 -
Good advice
0 -
> @jvh_NVPF2 said:
> I don't mean to beat you while you're down but a bit of advice, ideally you shouldn't keep sensitive documents in the cloud as they say, "the cloud is just another man's pc."
> You can't trust cloud providers to keep out of your documents, much less other malicious actors.
>
> Try to keep those documents local and on an encrypted drive if possible.
I think I made that realization perfectly clear in my comment… but thank you for the obvious advice.
1 -