CRTC should open public consultations to update port protection, industry experts

Several Canadians have lost thousands of dollars after being the target of a SIM swap scam, and industry leaders think the CRTC should open the issue to public consultation and create new protections.

The SIM swap scam, or port-out fraud, is when a hacker collects information from an individual, often through phishing tactics, and uses it to create a new account with a telecom carrier. The carrier will take the information and transfer the person’s account to a new SIM card provided by the fraudster.

Once the transfer is complete, the fraudster is able to use two-factor authentication to gain access to banking apps and accounts that are linked to their phone number.

Right now the Canadian Wireless Telecommunications Association (CWTA) is at the helm of working with a group of carriers to put new protections in place. The group, called the Wireless Portability Council, includes Bell, Eastlink, Freedom Mobile, Rogers, SaskTel, TBayTel, Telus, and Vidéotron.

The group works to establish the technical specifications required to ensure that number ports, or transferring one number to another SIM card, occur within timelines that would meet the CRTC’s standards.

The CWTA said in an email that the industry is in the middle of “making changes to the number porting system that will add new levels of verification while continuing to meet the CRTC’s requirements.”

On January 15, the CRTC issued a notice to carriers requesting more information from carriers and the CWTA on the number of cases that have occurred and what the industry is doing to protect consumers.

John Lawford, executive director and general counsel of the Public Interest Advocacy Centre, told Yahoo Finance Canada that finding a solution shouldn’t be left in the hands of a group that doesn’t include all wireless service providers or consumers.

“[For the CWTA] it’s convenient and probably economical,” Lawford said, adding that PIAC sent a letter to the CRTC suggesting that the process should be open to a public hearing.

PIAC’s letter, dated January 21, indicates this is “far too serious an issue for the Commission to only involve the CWTA. All Canadian WSPs (wireless service providers), consumer groups, Canadian wireless users and other stakeholders should be involved in the resolution of this problem.”

The CWTA, in response, indicated that public consultation “will not add any value” and will “instead divert resources from the implementation of these additional safeguards.”

“In addition, public vetting of a solution intended to thwart fraudsters is counter-productive and negates the time and effort being put forth,” the CWTA wrote in the January 30 letter.

Ben Klass, a telecom expert and PhD student at Carleton University, agreed with Lawford and said the CWTA in this instance isn’t “speaking to the whole industry at this point.”

“It shouldn’t be left to some subset of carriers to develop a solution in secret,” Klass said, adding that it was concerning that the CRTC doesn’t have full knowledge of what is currently being done.

In 2007, the CRTC required carriers to implement number portability, which at the time was done to help consumers switch more easily between carriers.

Bell said it offers port protection but only to victims of previous fraudulent activity.

Telus offers port protection upon request and will send a text message to customers before a number is ported that asks the customer to contact Telus if they did not request a port.

Rogers offers similar port protection to Telus. The carrier also offers protection for victims who have already been affected.

Quebecor’s Vidéotron said it calls the customer’s number first before any changes can be made. If the customer doesn’t respond or they refuse that a change should be made, Vidéotron will refuse a SIM card change request. In stores, it will request the client seeking changes provide two pieces of identification before changes can be made.

SaskTel offers port protection to customers. Once activated it will alert customers whenever their number is being ported out. If a customer wants to port their number, the account holder is the only person who can call into SaskTel to do it.

Xplornet’s Xplore Mobile does not offer any port protection.

Klass said what the carriers have in place now to protect consumers is not enough.

“It strikes me that it’s very similar to how someone might experience bill shock. It’s not a problem you necessarily think about until you’re encountering it,” Klass said, adding that new regulation needs to be established.

With files from Sallyann Nicholls