Canadian media company, Rogers Communications, not only makes it incredibly easy for scammers and fraudsters to steal your phone number, hijack all your bank, credit, and personal accounts, but they also have no desire to stop them.
Bold statement, I know, but true all the same. Read the story below of T (a pseudonym for safety reasons) who recognized the theft as it was happening and immediately contacted his cell phone provider - who did everything in their power to not only exploit his vulnerability, but made every attempt to stop it impossible. Although he was continuously roadblocked by the media mogul, he was able to act quickly which stopped any irreparable damage before it happened. Some, however, are not so lucky.
Scammer Ported The Phone Number and Nobody Stopped Them
At approximately 10:00PM on a Sunday night, T received an email notification from Rogers thanking him for his .50 cent payment on his phone bill. A few minutes later, he received a text message from Rogers indicating that they had received verification for his phone number to be ported. Immediately, from that very phone, he called Rogers and while the agent on the other end was in the midst of discovering that his phone number had been ported out, the call was disconnected and his service was shut off.
He immediately ran down stairs to his wife, grabbed her phone and started calling all of his credit card companies and banking companies. As he did this, his wife called Rogers back from another phone.
When T had received the initial text message, it had offered a phone number for the Fraud Prevention Department and so his wife called that first. Immediately, she was transferred to voicemail where she would have to leave a message and wait until the following day for a phone call. This created a sense of vulnerability and panic that the could had never known before.
Why would stealing a phone number make T panic about his credit and debit cards? Because whoever it was that had stolen his phone number now had access to everything. If a friend of T's were to text that number, the person on the other end could phish for information and access even more of T's information - or maybe even get information on that person and do the same thing to them - but this isn't even the half of it.
What Is Phone Number Porting and Why Is It So Dangerous?
Phone Number Porting is the process of transferring your phone number from one phone (or SIM card) to another.So when you purchase the brand new version of your phone from Rogers, but are currently with another cellphone carrier, Rogers will port your phone number over so you don't have to change your number even though you have changed your provider. However, you don't actually need the physical phone - as long as there is a SIM card to attach the number to, you're good to go.
But how can they access all your personal information with just your phone number? Well, it's all about the 2-step authentication process. When you attempt to change your password for your email or your bank or Amazon, not only do you have to enter in all the pertinent information but then whomever you're trying to change your password with will send you a text message with a code to ensure it's actually you. So, with that phone number, the scammer can go into any and all of your accounts, change all your passwords and do whatever they like with your money.
I know it sounds like the 2-step authentication thing may be the biggest issue (and I'm not saying that that isn't an issue as well), but the fact that Rogers makes it ridiculously easy to port your phone number is an bigger issue - because it's about security and protection.
First of all, while almost all cell phone companies now require an additional PIN before they will even speak with you (my cell phone company included), Rogers - Canada's largest cellphone provider - hasn't even hinted at that. Secondly, all this guy needed to port the phone number was the phone number and the account number. That's why he made that 50 cent payment - to ensure (or maybe to prove?) that the account number was correct and from there he just ported the phone number over to his phone. And he/she did it all without even talking to anyone! He/she did it online. There was no one there to verify any additional
information, no one to ask probing questions (before I got my PIN with my cell phone company, just to ask about my data charges, I had to tell them how much my last payment was, how much my last bill was and how much data I have on my phone. I found it irritating at the time, but now I'm so thankful they do that!).
While T's wife spoke to Rogers, she asked him if he could cancel the port, or cancel the phone number so that this person would no longer have access to anything. After all, it didn't matter how many times T attempted to change his passwords, the scammer would just be able to change it back. The Rogers rep said that he could do that, but not until the morning. He could, however, offer my husband a new, temporary phone number until the port was cancelled and he had retrieved his phone number but he would have to....wait for it....DO A CREDIT CHECK! I MEAN...!
That's when T took over the phone call and demanded his phone number be suspended. He didn't care about a new phone number at that moment, he just wanted to be sure that this scammer had no access to any of his personal information and could, in essence, steal his life.
After some time, it seemed as though Rogers was doing what he needed to do but he said he needed to launch a Fraud Investigation and only then would he be able to suspend the phone number. He told T he would transfer him over immediately. And he did. But T was met with the same voicemail as before.
So, in summary, not only was the scammer able to steal T's phone number without having to speak to anyone, without having to verify his identity, but it was also impossible to cut the line because there was no manager to give the authority to do so (according the agent we spoke to).
Why Does Rogers Make It So Easy?
Hushed, a private mobile telecommunications company says this about porting phone numbers: "'Porting' a number is the process of moving an existing phone number from one service provider to another carrier[...] A major reason that people are hesitant to switch carriers is the misapprehension that they will lose their phone number by doing so. This is actually untrue! It’s very easy and simple to transfer numbers from one carrier to another and take your number with you."
But how easy is it? Super easy, according to Rogers. As mentioned before, T learned that all the scammer needed to provide in order to port the phone number to another wireless carrier was the phone number itself and the account number - no date of birth request, no PIN request, nothing. Which is interesting because if one were to go to the Rogers website in the FAQ section, in order to transfer a phone number from another carrier to Rogers, you would apparently need:
A recent bill, which should have your correct name, address and account information just as they appear in the former carrier’s database.
Your account number, PIN or password, and/or Electronic Serial Number (ESN) / International Mobile Equipment Identity (IMEI) from your previous provider.
So, why then, is it even easier than this to port a phone number out of Rogers? Well, I wanted to find out. I Googled it, but didn't find a whole lot. I did, however, find a conversation chain in the Rogers Community Forum in the Scam, Phishing & Fraud Discussions category*. The initial question was regarding this exact scam and how a lot of other cell phone companies have opted into using PINs and other additional security measures, and suggested that since he/she was unable to find any information on this online that perhaps it should be suggested to upper management.
This was "RogersTony's" response:
"We appreciate you providing us with your suggestion to help make things more secure for everyone on our network. We do require more information to port a number than the customer's name and phone number so we do have measures in place to prevent this type of thing from happening already."
A second poster stated: "Two times my number has got ported in a scam in the past 4 months. We set up a pin on the account, when I called yesterday and we went through the security questions I wasn’t even asked for the PIN number we created on the account."
Roger's response was less than ideal: "Your account's security is of the utmost importance to us. I would like to take care of this for you so that you can rest easy going forward.
There are some measures we can take to prevent port outs. Please PM us @CommunityHelps..."
So why does this person get personal treatment? Why aren't all accounts given this same amount of security?
This last post got me though: "My Rogers number was just PORTED! Though Rogers did recover my number in a few hours from BELL, the criminal tried to withdraw $3000.00 from my TD account. TD stopped the transaction. I dare say that TD has security in place for fraud prevention, but Rogers only thinks they do."
And the response? Well, it's laughable. "We appreciate you took the time to bring this up to our attention and share your situation with the Community. I can certainly imagine the concern and inconvenience this matter caused you.
We do require the other provider to confirm some personal information to allow the port of a phone number and have measures in place to prevent this from happening to our customers. Unfortunately, it seems like the fraudster may have had access to some of your data already." Like....are you kidding?! Yes!! That's the whole thing! These "fraudsters" have access to our data, which is why additional security measures need to be in place!
This whole thing got me pretty curious: What measures do they have in place? Is it simply that their staff isn't being properly trained to ask the right questions? Is the online porting system too simple? So I contacted Rogers myself, even though I'm not a customer of theirs, so I contacted the online chat.
After waiting on hold for roughly an hour, I was finally connected with an agent who informed me that there was no way for you to port your phone number from Rogers to another carrier without the new carrier requesting it. However, he did say that all the new carrier needed in order to request this new port was the Roger account number and phone number.
However (yes, there is an "however"), if a current customer of Rogers, for whatever reason, get a new SIM card for their phone, all they would have to do is this:
Now, I'm not super tech savy, but yes, I do recognize that a scammer would need to have specific personal information before doing either of these two things mentioned, but at the end of the day - does it still not seem a little too simple?
First of all, if the phone number needs to be ported through another provider, how was the scammer able to do it? Rogers did say that Bell was the carrier that T's number was ported to, however, when he called Bell, they had no record of that phone number. T says, "It's a spoof - it wasn't requested through Bell - where the request actually came from, we don't know."
So what is Rogers (and other cellphone providers) saying about this? Well, according to Roger's quotes from a CTV article dated September 25th, 2019, as usual, they're passing the buck: “In regards to porting, we are working with the Canadian Wireless Telecommunications Association to review ways to increase customer protections while also adhering to the guidelines that ensure customers can easily switch providers and keep their phone number.”**
Well, all I know is that while other smaller providers are asking for everything except your first born to inquire about your bill, all Rogers needs to port out your phone number is the number and the account number. What about a PIN? What asking for the mother's maiden name? What about requesting additional security features, just to be certain?
And the strangest (and most baffling) thing is that no one on the "ground-level" at Rogers seems to know what is going on. Cindy Waltenbury, a friend of mine, mentioned that she has a friend who works at Rogers (I will omit the name for obvious reasons), who says he had no idea any of this was going on. Likewise, with the three people T spoke to at Rogers, they didn't quite understand what the big deal was and he literally had to explain it to them.
The day after T had the biggest panic of his life, he went to Rogers and spoke to them about the situation. A lot was said, a lot was offered, and one of those "offers" was to place a phone call for verification and authorization in the event that another request is made to port his phone number out. Why is this not something that is automatically put in place when purchasing the phone? Shouldn't it be?
How Do Other Companies Handle This?
To ensure that I wasn't being naive and simply biased against Rogers (and to ensure you of that as well), I contacted three other companies to find out how they treat new SIM cards and phone number porting. Here's what they all had to say:
VIRGIN MOBILE (owned by Bell): To move your phone number to another SIM card, you have to physically go into a store. You cannot do it online. In terms of porting out a phone number, I contacted Virgin Chat and before he would even give me details on how to do this, he asked me for my full name, phone number and PIN. Then he explained to me that in order to port out a phone number it can only be done by another service provider and then they would have to call Virgin in order to do it. Likewise, should you choose to bring your pone and number from another provider to Virgin, it's still not simple. You need the serial number of the phone, your PIN, account number and the name exactly as it is with your previous provider.
BELL MOBILITY: To transfer your phone number to another SIM card, you must physically go into a store. And although the Bell agent I spoke to over chat had a difficult time understanding what I was talking about, once he finally understood, he said that porting is a whole department on its own and you can't do it online.
TELUS: Unfortunately, it looks like Telus is also a culprit to this (warning to Telus users). Their website explains how to transfer to a new SIM and you can do it all online. Click "Telus" above to read how easy it would be to do this. However, in order to port out your phone number, it's not so simple. In order to port out the phone number, they require your PIN, your account number, and the IMEI code on the phone.
So What Is Going To Be Done About It?
Well - nothing. T was not the first person to be stuck in this situation and he won't be the last. If you search this type of thing on Google, you will find loads of articles, and about 99% of the stories you will read will be about Rogers customers.
In my online travels researching this issue, I came across tens of articles about this very thing. Even CTV published an article about this only several months ago and yet, T was able to have his phone number ported out with the snap of a finger. So, who is responsible for this? Who should be held accountable when a phone is illegally ported and someone loses hundred, or thousands, of dollars due to the poor security features Rogers offers?
At the end of the day, here is what I really want to know:
1. Had T not acted as quickly as he had and shut everything down as soon as he did, and the scammer accessed his credit cards and bank account - would Rogers take responsibility for it? Would they be held accountable, and perhaps even charged as an accessory? No. They wouldn't.
2. Why did they make is so easy for the scammer to port the phone number but so difficult to stop the port in its tracks to avoid the situation from escalating? Perhaps there is an easy answer there but I will let you figure that one out on your own.
And lastly: What is going to be done about this? How many people need to be affected by this? How many times does an article need to be written about this before something is done about it? These are people's lives. Their money, their nest eggs, their security. And all of that is being threatened over something so very simply.
Regardless of whether this is a Rogers issue or a CRTC issue (however, no other company I have ever dealt with makes it this easy to port a phone number), following a simple, yet effective, protocol is surely the answer here. Why is Rogers (who blames CRTC) so concerned with following "regulations" in allowing consumers to access and port their phone numbers when they make it nearly impossible to find out how much I owe on my bill or to change my data plan?
There is something seriously wrong with the entire scenario and I don't know that it's as cut and dry as we all have been lead to believe. Just sayin'....
OK, So What Can I Do To Ensure This Doesn't Happen To Me?
As far as I have gathered from Rogers, there is no way to protect yourself from actually having your phone number stolen since they refuse to add specific security features to your account (unless you've already become a victim of this scam), but there are things you can do yourself to ensure this never happens to you:
1. Keep a close eye on your credit card balances and your bank account at all times
2. When/if you find out a large company has had their clients' personal information leaked (like Desjardins did a little while back), change your phone number.
3. Download a verification app (like Google Identification) that authenticates to the actual phone rather than to your phone number.
3. Ensure you turn off the option to use your cellphone number as your second verification step. Use an email address you don't usually use for anything else or whatever other options that specific company offers.
4. If possible (if the service provider allows it), use a third name on your account that is not readily available (like a middle name or hyphenate your maiden name and married name).
I don't know who is at the top of this oddly structured security pyramid, but what I do know is that our livelihoods are being threatened and the reason it is seems to be of no concern to the very people who hold our well-being in their hands.
**CTV News Article: "Cellphone industry leaves Canadians vulnerable to identity theft"
Comments