
Ontario police warn of SIM swapping fraud - walterbell
https://www.cbc.ca/news/canada/toronto/ontario-provincial-police-sim-swapping-phone-number-porting-1.5354567
======
dzhiurgis
The whole dependency on phone line/number is staggering. You can't do anything
nowadays without a number. Can't apply for a visa, buy anything online or do
your taxes. All of this while phone calls are an anti-feature - they are low
quality, abused by scammers and (at least on iOS) there is no way to disable
them entirely.

What's even weirder - if you happen not to own a phone - there's no digital
service/website where you can call 911 (or local equivalent). You can't even
text 911 in most countries.

~~~
pluma
This is funny to read as where I live (Germany) banks have been slowly
migrating away from SMS-based verification to app-based code generators that
in turn require one-time authorization via physical mail.

And we're generally lagging behind when it comes to digital solutions, so I
would expect other countries to be ahead of the curve and no longer using SMS
for anything important.

~~~
toomuchtodo
Banks are a great use case for TOTP or other 2FA auth methods that aren't SMS,
as if you need to verify identity in person, you can require the user come to
a physical branch (in the US, you can get something called a "medallion
signature guarantee" [1], which is typically required to verify your identity
if you're moving more than $250k in assets between financial service firms).
Services that can't provide identity verification services in meatspace are at
a disadvantage, which is why they fall back to SMS as identity verification
and management.

ID cards that support cryptographic functions (such as Estonia's National ID
[2], or in the US, DoD CACs [3]) would go a long way to fixing these problems.

[1]
[https://en.wikipedia.org/wiki/Medallion_signature_guarantee](https://en.wikipedia.org/wiki/Medallion_signature_guarantee)

[2] [https://e-estonia.com/solutions/e-identity/id-card/](https://e-estonia.com/solutions/e-identity/id-card/)

[3] [https://www.cac.mil/](https://www.cac.mil/)
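To make concrete what a "2FA method that isn't SMS" looks like, here is an added example (my code, not anything from the thread or the linked article): RFC 4226 HOTP and RFC 6238 TOTP in plain Python standard library, plus the server-side verification a bank would run. The shared secret is provisioned once (in a branch, in the scenario above); every later code is derived locally from the secret and the clock, so no carrier is in the loop and a SIM swap gains the attacker nothing. The test vectors in the comments are the ones published in the two RFCs.

```python
# Added example, not code from the thread: RFC 4226 HOTP / RFC 6238 TOTP using only
# the Python standard library. Secret "12345678901234567890" with the RFC vectors:
# HOTP counter 0 -> 755224, TOTP at T=59 (8 digits, SHA-1) -> 94287082.
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, at // step, digits, digestmod)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps exchange secrets as (often unpadded, grouped) base32."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, last_step=None):
    """Server-side check. Returns the accepted time step, or None if the code is rejected.

    window:    accept +/- this many steps of clock skew between client and server.
    last_step: step of the most recently accepted code for this user; anything at or
               before it is rejected, so a code seen once cannot be replayed within its
               validity window. The caller stores the returned step as the new last_step.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if at is None:
        at = int(time.time())
    base = at // step
    for delta in range(-window, window + 1):
        candidate_step = base + delta
        if last_step is not None and candidate_step <= last_step:
            continue
        if hmac.compare_digest(hotp(key, candidate_step, digits), code):
            return candidate_step
    return None


if __name__ == "__main__":
    # Demo with the RFC secret; a real deployment generates a random secret per user.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted at step:", verify_totp(secret, code, at=now))
```

The replay guard matters in practice: without `last_step`, a code phished or shoulder-surfed once stays valid for up to `(2*window+1)*step` seconds, which is exactly the kind of window a real-time phishing proxy exploits. None of this depends on the phone number; losing the device is handled by backup codes or re-enrolment in person, not by the carrier.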

~~~
pluma
FWIW in Germany we have PostIdent, which consists of taking a printout to the
local post office, showing your ID card and then having the clerk fill out and
sign the printout and send it to the organisation you're trying to
authenticate with. This is typically done for age restrictions in online
delivery services (e.g. being able to order goods marked as 18+ on Amazon --
not signing up for porn sites or stuff like that), for example.

The ID card technically comes with a PIN and there were supposed to be special
readers that could be used with a handful of authorized online services to
verify your identity but as far as I can tell not much came from that as end
users would have needed to buy special hardware and services interested in
using that would have required special licensing or something.

That said, SMS is less secure than e-mail, so this seems like an odd choice
these days (much like magnetic stripes rather than chip and pin).

~~~
toomuchtodo
I was unfamiliar with this, thank you for bringing it to my attention!

------
mifreewil
It’s hilarious how all these articles are about how to protect yourself
instead of talking about why the carriers don’t better protect against this

~~~
mifreewil
It’s the same as the credit industry creating identity theft instead of
protecting against attacks on their own systems

~~~
kjaftaedi
IMHO governments should be doing more to provide modern identity verification
solutions so there isn't a need to rely on more or less decentralized systems
that can be so easily gamed.

------
tmikaeld
This was a common occurrence in Sweden a few years ago. They would target
small businesses by sending in an address change, then take over the phones
and then order a ton of stuff online for which they are never caught. It could
go up to millions of SEK in debt before it was discovered by the victim,
because invoice time is usually 30 days and the credit score will be perfect
until after the scam.

Since BankID (identity verification) became a norm, this has essentially
stopped.

~~~
2rsf
You can now lock your address using BankID

------
Narkov
> a relatively new kind of fraud calling "SIM swapping"

Either the journalist has misinterpreted information given to them or the
Ontario police are at least a decade behind current scams. SIM swapping or
port-fraud is at least a decade old problem.

------
Scoundreller
It also doesn’t help that Canadian cell phone plans usually include no roaming
at all or horribly expensive roaming.

So if an attacker knows you’re making a day trip to go to one of the malls
that dot the border, they can pounce and you won’t know until damage is done.

Meanwhile, T-Mobile plans include so much Canadian roaming that your plan is
better than local Canadians’.

~~~
na85
>Meanwhile, T-Mobile plans include so much Canadian roaming that your plan is
better than local Canadians’.

Truth. I know a guy who works for NORAD and his (US-based) data plan is
60/month and includes unlimited data anywhere in Mexico, Canada, or the US. No
roaming, no nothing.

How the Canadian telcos haven't been prosecuted for price-fixing is beyond me.

~~~
jacquesm
> How the Canadian telcos haven't been prosecuted for price-fixing is beyond
> me.

Because they - and the Canadian banks and a whole bunch of other entities -
are monopolists with a wink. Their competitors only exist for them to be able
to claim they are not a monopoly.

There is also the LCBO, which is an outright state operated monopoly.

[https://en.wikipedia.org/wiki/Liquor_Control_Board_of_Ontari...](https://en.wikipedia.org/wiki/Liquor_Control_Board_of_Ontario)

Canadians pay way too much for many services and goods compared to those South
of the border because of these quasi monopolies and the associated lack of
competition.

~~~
tistoon
> Because they - and the Canadian banks and a whole bunch of other entities -
> are monopolists with a wink.

Do you think that neo-bank Revolut will make it? I remember ING Direct
managed to come to Canada a decade ago, but was bought by Scotiabank right
after (now named Tangerine) - as you said - to provide a façade of competition.

------
tekstar
Ok, so, how does a paranoid individual protect themselves from this attack?

Aside from "don't link your phone to these accounts" which isn't always
possible as many banks in Canada only recently added SMS based 2FA.

Some ideas:

- separate phone for 2FA. This seems quite annoying in practice.

- a daily Twilio script that SMS's your number as an indication that you've
still got it. Easy to implement, but also easy to ignore and would only
indicate after the fact that you lost your account.
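As an added example (my own code, not the commenter's), here is what such a daily script can look like once you separate the two failure modes the thread keeps conflating: it sends the canary SMS described above, and it also queries the number's current carrier and compares it with a saved baseline, so a port-out (the number moved to another carrier) produces an alert rather than a message you have to notice is missing. Assumptions, all mine: credentials and numbers come from environment variables, the baseline lives in a local JSON file, and the Twilio Lookup v2 field names (`line_type_intelligence.carrier_name`, `mobile_country_code`, `mobile_network_code`, `type`) are as I recall from Twilio's documentation and should be checked against it before relying on them. The sample Lookup responses at the bottom are constructed for offline testing, not real data.

```python
# Added example, not code from the thread: daily number canary + carrier-change check.
# Assumed: TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_NUMBER (sender) and MY_NUMBER
# (the number being watched) in the environment; Lookup v2 field names as below.
import base64
import json
import os
import secrets
import sys
import time
import urllib.parse
import urllib.request

TWILIO_API = "https://api.twilio.com/2010-04-01"
LOOKUP_API = "https://lookups.twilio.com/v2/PhoneNumbers"
BASELINE_PATH = os.environ.get("CANARY_BASELINE", "carrier_baseline.json")
# Fields that change when a number is ported to a different operator.
FINGERPRINT_FIELDS = ("carrier_name", "mobile_country_code", "mobile_network_code", "type")


def _basic_auth(sid: str, token: str) -> str:
    return "Basic " + base64.b64encode(f"{sid}:{token}".encode()).decode()


def _request(url: str, sid: str, token: str, data: bytes = None) -> dict:
    req = urllib.request.Request(url, data=data, headers={"Authorization": _basic_auth(sid, token)})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def canary_body() -> str:
    """Fresh nonce per run so yesterday's message can't be mistaken for today's."""
    return f"number canary {time.strftime('%Y-%m-%d')} {secrets.token_hex(4)}"


def send_canary(sid: str, token: str, from_number: str, to_number: str, body: str) -> dict:
    """POST to the Messages resource. NOTE: status 'delivered' means the carrier accepted
    it for *whoever now holds the number*; it is not proof that you still do."""
    data = urllib.parse.urlencode({"From": from_number, "To": to_number, "Body": body}).encode()
    return _request(f"{TWILIO_API}/Accounts/{sid}/Messages.json", sid, token, data)


def fetch_carrier(sid: str, token: str, number: str) -> dict:
    """Lookup v2 with line type intelligence (field names assumed; verify against the docs)."""
    url = f"{LOOKUP_API}/{urllib.parse.quote(number)}?Fields=line_type_intelligence"
    return _request(url, sid, token)


def carrier_fingerprint(lookup_json: dict) -> dict:
    """Reduce a Lookup response to the fields that move when a number is ported."""
    lti = lookup_json.get("line_type_intelligence") or {}
    return {f: lti.get(f) for f in FINGERPRINT_FIELDS}


def detect_change(baseline: dict, current: dict) -> list:
    """Return [(field, old, new)] for every fingerprint field that differs."""
    return [(f, baseline.get(f), current.get(f))
            for f in FINGERPRINT_FIELDS if baseline.get(f) != current.get(f)]


# Constructed sample responses (not real data) so the comparison logic can be exercised
# offline; a port-out shows up as a new carrier name and network code.
SAMPLE_BASELINE = {"line_type_intelligence": {"carrier_name": "Carrier A", "type": "mobile",
                   "mobile_country_code": "302", "mobile_network_code": "720", "error_code": None}}
SAMPLE_PORTED = {"line_type_intelligence": {"carrier_name": "Carrier B", "type": "mobile",
                 "mobile_country_code": "302", "mobile_network_code": "610", "error_code": None}}


def main() -> int:
    sid, token = os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"]
    my_number, twilio_number = os.environ["MY_NUMBER"], os.environ["TWILIO_NUMBER"]
    current = carrier_fingerprint(fetch_carrier(sid, token, my_number))
    if not os.path.exists(BASELINE_PATH):
        with open(BASELINE_PATH, "w") as fh:
            json.dump(current, fh)
        print("baseline recorded:", current)
    else:
        with open(BASELINE_PATH) as fh:
            changes = detect_change(json.load(fh), current)
        if changes:
            print("ALERT: carrier fingerprint changed:", changes)
            return 2  # non-zero exit so cron/alerting actually surfaces it
    msg = send_canary(sid, token, twilio_number, my_number, canary_body())
    print("canary sent, status:", msg.get("status"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner should keep in mind. The carrier comparison only catches a port-out; a SIM swap at your own carrier leaves every fingerprint field unchanged, and for that case the SMS canary remains what the comment says it is, an after-the-fact signal that depends on you noticing a missing message. And run it from somewhere that is not the phone being watched, otherwise the attacker's takeover also silences the alert.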

~~~
tmikaeld
In Sweden you now require hardware identity verification which can only be
issued by a bank or similar authority. (It also works similarly to Venmo but
without the fees.)

It's odd that Canada doesn't have this?

~~~
dzhiurgis
I'd love love love it if a government ID card could be used as U2F via NFC.

Also, in Lithuania (and many other countries) 2FA is hardware locked to your
SIM card - you can't really get a new one without showing your ID in a shop
(the shop doesn't really use the chip on the ID though).

~~~
2rsf
> the shop doesn't really use the chip on the ID though

Same for SIM swapping here in Sweden, they check your ID very superficially

~~~
tmikaeld
It varies between operators and it's been much stricter since the scams a few
years ago.

------
rb808
Actually I'm starting to think the cell phone operators are doing a smart
thing on this.

In an ideal world you could trust the cell phone operators to diligently
protect your number and you could rely on this to help Google/Chase/GoDaddy
identify your account. The problem is this makes it complicated for the cell
phone operators and why should they be the ones to have to enforce your
identity protection to benefit FANGs/Banks/etc? It always seemed a bit dumb to
me that you need a phone number for most accounts in this internet age.

Maybe they could offer a service for a fee where they will be stricter and you
have to show a passport at the office to get a new SIM issued.

In the meantime I'm sure they've figured out it's more beneficial in the long
term that they just sell cell phone plans that are flexible, and we need a
better solution to identify people and their accounts.

~~~
thewarpaint
No one should be able to receive a text message meant for my number,
regardless of the specific purpose of the message. That should be a basic
security feature of the service, not something that comes for an extra fee.

------
Scoundreller
The article confuses SIM Swapping and Phone Porting Fraud.

The latter may be harder to undo given that it cancels your account. And
providers always claim it’s impossible to give people their old plans back.

------
nayuki
The consequences of SIM swapping fraud can be severe, like this example of
getting thousands of dollars stolen from an online bitcoin account:
[https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124](https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124)

~~~
Jd
Friend of mine lost $24mm: [https://www.wsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600](https://www.wsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600)

------
upofadown
It's sort of odd that the list of precautions omitted the most obvious one:
don't link online accounts to your phone number if that account can be reset
with access to that phone number. Yeah, using a password manager is great, but
not if it can be trivially bypassed. The phone companies should not be
expected to be some sort of security gateway service.

------
brenden2
There are 2 distinct but compounding issues here:

1) Consumers are largely at the mercy of platforms (Google, Apple, FB, etc.)
and they don't _really_ control their data.

2) Phone companies don't care enough to perform adequate due diligence, and
regulation hasn't caught up. The phone companies lean toward making changes
easy to prevent customer backlash.

Issue 1 can be improved slightly by not placing your entire digital life in
the hands of one or two companies. Additionally, don't link your phone with
these accounts if possible (although many, if not all, now require a phone
number). Even better, store your data on your own computers instead of "the
cloud" (which just means giving your data to someone else).

Issue 2, I suspect, can only be resolved if there's a change in regulation.
Phone companies aren't going to go out of their way unless it starts to hurt
them in their pocket books, which it would if they were fined when this
happens.

~~~
tomComb
I'm not clear on how #1 is related to the SIM swapping problem.

Yes, I encounter a lot of services that put way too much weight on phone
number (maybe because phone number has some legal status) but not the big
platforms. For Google, at least, they go well beyond making other methods
available - they really seem to encourage/push users to use better second
factors.

In my experience the big platforms are the least guilty. My Google
account/data is by far the most secure account I have online or off.

~~~
iudqnolq
I'm not sure if - given my threat model - it makes sense for me to disable
phone based 2FA on my Google account.

I'm not prominent at all, so I don't expect to be individually targeted. I
store 2FA tokens in my password manager (1Password) so that I could recover
from my phone being stolen or damaged. However, I don't have a printout of my
1Password backup code stored under my mattress (or in my desk) because I don't
completely trust my roommates.

If I had my phone and laptop with me and was mugged, or if both were damaged
at the same time, I would be locked out of everything if I didn't have phone-
based 2FA. With it I could get a replacement SIM card, regain access to my
Google account, and then use that to bootstrap password resets to everything
else.

(For the same reason, my only duplicate passwords are memorized randomly
generated passwords for phone, primary Google account, and laptop (and there
is some duplication between them))

~~~
deanmoriarty
Why not simply save the backup codes on a couple usb keys encrypted with a
reasonably long password that you can remember, and leave one at home and one
in another geographical area (e.g. parents house)? I do that and feel pretty
good in completely ditching SMS 2fa. Once a year or so I plug the USB keys to
check they still work. I, like you, don’t expect to be a target and have a
very minimal social media/web presence with my real name.

~~~
iudqnolq
Any advice on finding a small object you need infrequently in say a parent's
house? I have a poor track record with that sort of thing that makes me
hesitant.

~~~
deanmoriarty
Haha no. My dad has a lock safe where they store jewels and important
documents, and I just put it there.

------
37
Is this something that 2FA would protect against? Doesn't seem like it...

~~~
taysix
Correct, if it's 2FA with a phone number. Avoid 2FA with a phone number if
possible and use any other method (OTP, YubiKeys, etc.)

------
robertelder
'a relatively new kind of fraud calling "SIM swapping"'

~~~
zik
...which has been happening for years and is well known to telcos who seem to
be doing very little about it despite the fact that it's their security flaw.

