

How Rogers is making their customers vulnerable to fraud - akennberg
http://www.kennberg.com/2012/10/10/how-rogers-is-making-their-customers-vulnerable-to-fraud/

======
Shenglong
Rogers is actually pretty ridiculous. I was about to make a post about this,
but:

Rogers also sends text message spam every month. You can't opt out. I have
called on 4 separate occasions and spoken to a manager, asking to be opted out
of the spam. The first few times, they apologized and told me I'd be taken off
the list. After I wasn't, I asked to speak to a manager, who called me back.

He told me, "Sir, that isn't spam. Those are Rogers marketing messages." After
I told him that I, the customer, considered it spam and would no longer like
to receive them, he told me, "I will forward your request to our marketing
department, and they will determine whether it is spam."

Best company.

~~~
redthrowaway
I've passed up the 4S, the 5, and the S3 just so I can let my contract run out
in December and not have to deal with them anymore. What I wouldn't give for
some _real_ competition in the mobile provider space.

~~~
oalders
If only there were something even resembling competition in the Canadian
mobile space. I'm not sure if Rogers is better or worse than Bell or Telus,
because to me they're all pretty bad.

Recently, Bell customer service called my other out of the blue and talked her
into getting a new package for her long distance on her land line. She's a
senior citizen on a fixed income and she was under the impression that this
was a cheaper plan. It turns out this wasn't a better plan at all. When she
tried to cancel the plan she was told that she was on a contract and would
have to pay an early termination fee.

The really great part is that she was never told that she was under contract
and she never signed anything. There was apparently something in the fine
print of the paperwork they sent her after the phone solicitation that said
"we sent you this, so consider yourself as having agreed to a contract".

I couldn't believe it, so I called Bell customer service myself and I got the
same response. She switched providers and refused to pay the fee (over $100),
but Bell debited her bank account anyway, since she had set up pre-authorized
billing. Nice way of doing business.

~~~
steve8918
You have up to 60 days to dispute anything taken out of your bank account via
ACH. If I were you, I would pursue that route.

------
engtech
I had to talk to Rogers about getting some money back after finally cutting
all of my services with them.

Because my old cellphone number was the account number, they started giving me
information about the Department of National Defense employee who now owns my
old cell phone number.

How's that for a security failure on Rogers' part?

~~~
alister
I experienced another security failure on Rogers' part: Just a few weeks ago I
was able to reset the passcode on my Rogers cell phone account by supplying
just my cell number and date of birth. This was through an automated system
and no other information was requested. I wasn't even phoning from the cell
phone; I was phoning from a landline that isn't associated with my Rogers
account in any way.

------
tux1968
Totally agree that this isn't a great idea on Rogers' part. But it strikes me
that there is a relatively easy way to detect social engineering in this case.
Just give the caller ridiculous answers in response to their first few queries
and see if they balk. Only someone who knows the correct answers will
challenge you.

It would be really nice if there was a better way to ensure the identity of
parties on either end of a phone call. In my case, an inability to remember
dates causes a headache every time I try to do telephone banking where it
seems to be the only type of security questions they use.

~~~
MichaelApproved
_"Just give the caller ridiculous answers in response to their first few
queries and see if they balk."_

Sure, you, me and many others on HN could try this or be defensive when we get
asked for our information but the common customer wouldn't balk. They would
just rattle off the information and continue the conversation.

The point of the article is that this style of marketing is training customers
to feel comfortable with giving out personal information when they're on the
receiving end of a call.

~~~
tomrod
Crazy. Are there any news articles where these types of social engineering
scams have been successful?

~~~
MichaelApproved
I remember when it was a big deal on AIM and other IM services. You'd get a
message from an official sounding screen name asking you to verify your
password.

These types of attacks are why you typically see messages like "we will never
ask for your personal information" from service providers.

~~~
alister
_"we will never ask for your personal information"_

It's a nice first step, but then they break the security model by sending
emails with a link to click on.

Every single service provider, bank, credit card, airline, or utility that
sends me email, sends it with embedded links.

Customers have now been trained to click on links and give their passwords to
login screens if they look halfway authentic.

~~~
MichaelApproved
At least in this case, I'm calling the bank. Meaning, I'm visiting their page
and I can confirm that it's actually the bank that I'm communicating with.

Browsers have been getting better about protecting users when it comes to
online bank phishing attacks. Secure connections are emphasized more and
getting rid of basic auth in the URL helps defend the customer from spoofing
tactics.

------
ricksta
Canadian cellphone companies are pretty much an oligopoly with 3 big players,
Rogers, Telus, and Bell. All 3 of them are super expensive and lock people in
on super long 3 year contracts. These companies are so shady they create
multiple "discount brands" to make consumers feel like they have more choices.
It's not till recently that the Canadian government realized the need to create
competition and auctioned off some AWS spectrum to a couple of "startups", namely
Wind and Mobilicity and a couple of other ones.

~~~
oniTony
And the competition has quickly sued the government over Wind not being
Canadian enough.
[http://www.theglobeandmail.com/technology/tech-news/court-sc...](http://www.theglobeandmail.com/technology/tech-news/court-scraps-cabinet-ruling-on-globalive-dealing-blow-to-new-entrant/article572948/)

------
dhughes
At work we were shown privacy training videos; one was of an employee who spoke
about the mobile phone company he has service with, no names but he'll call it
"Mogers".

When he signed up for service with "Mogers" they messed up his name on his
bill, instead of e.g. "John Smith" they put "J ohnSmith".

Then a week or so later he starts getting junk mail addressed to a "Mr J
ohnSmith".

------
steve8918
The same thing happened to me, but in the US. I think it was one of my credit
card companies calling me, and they started asking me to identify myself. I
refused, and I asked them for a number I could call in to. They gave me a
number, I googled it to ensure that it was legitimately them, and then called
the number.

------
supersaiyan
I had the same thing happen with my Bell account. I got a voice mail saying a
representative was coming to my house to install a cable box, which I hadn't
ordered. The number that was left wasn't the traditional Bell 310 number, so I
called the Bell number on my bill, only to find out that they had not left
that actual message - I never called that number because I didn't want to get
more spam. These types of calls from telecoms have become so prevalent, once
for cable, once for mobile, once for my internet, that I've become numb to
actually listening to what they are actually saying anymore; I'm sure if my
parents were left this message they would have easily given personal
information no problem.

------
blindfly
Full disclosure: I work for the aforementioned. Much of this stuff doesn't
appear to make any sense from the outside, and sometimes puzzles those on the
inside. I'm not company PR nor am I trying to be. Actually, to be honest,
I'm disgusted by the company for how they are handling things. Morale is in a
slump and pressure from above to cut costs and increase profit is insane.

But to get back on topic: The policy this blogger has encountered deals with
how a dealer must authenticate a customer before making any financially-
impacting decisions or contractual obligations. As far as the lawyers are
concerned this is to protect the company. If we mail out a new iPhone 5 and
charge an account $100, then when it turns out you are not who you said, that's
simply too bad for us. We just lost an expensive phone. Arguably, it appears
to make no sense in some scenarios like the one mentioned (where one could
reasonably assume they are speaking to the correct person) but the reality is
the person calling you has no bloody clue who you are. The account likely came
up on their screen and the system dialed your number. You could be the account
holder or a kid holding the phone.

The poor sucker calling you is likely sitting in a mile-long row of phones
tethered to the desk by cords forced to listen to people complain all day
long. Really, that's no different than just about every call centre. You asked
for a manager... now guess what? You (if you're lucky) just got transferred to
another call centre. Go figure.

Sales and service isn't all about money but that's all these big blind
companies are able to see. You can complain about it all day long and it
doesn't change a thing. Call up and cancel your service, perhaps then one of
the dolts overseeing operations will see the light.

------
kefs
Relevant:
[http://www.youtube.com/watch?v=F2EJJ8BCfCg&hd=1](http://www.youtube.com/watch?v=F2EJJ8BCfCg&hd=1)

------
GiraffeNecktie
Just redirect calls from Rogers and other toll-free numbers to your voice mail

