The Canadian Radio-television and Telecommunications Commission (CRTC), along with a group of telecom companies, has refused to release data about how pervasive SIM card fraud is in Canada. Further, the telecom regulator and the carriers themselves won’t detail measures taken to prevent SIM card fraud, saying it could help fraudsters commit crimes.
According to a report from Vice’s Motherboard, the CRTC responded to an information request filed by the Public Interest Advocacy Centre (PIAC), a non-profit that advocates for consumer rights. The CRTC’s response sided with telecom companies, supporting the decision not to disclose information about how mobile phone carriers plan to protect customers from SIM card fraud. Further, the CRTC refused to open a public consultation into the issue.
SIM card fraud — sometimes called SIM swapping or hijacking — is a fraud tactic that sees bad actors convince telecom companies to transfer a mobile phone number to a SIM card they control. Once the fraudster takes over the phone number, they can use it to access online services with sensitive information, such as bank accounts. Many online services use phone numbers as a secondary form of authentication (called two-factor authentication or 2FA). If a fraudster gains control of someone’s phone number, they may be able to trick online services into thinking they’re the account holder and allowing them access to the service.
SIM hijacking is on the rise
SIM swapping is on the rise both in Canada and around the world. Last year, the tactic briefly entered the spotlight after Twitter CEO Jack Dorsey was a victim. Bad actors used SIM hacking to take control of Dorsey’s phone number and then posted tweets to Dorsey’s account through Twitter’s text-to-tweet service.
And while not an indication of SIM swapping’s prevalence, my fiancée was a victim of SIM card fraud earlier this year. For those who haven’t experienced it firsthand, it can be quite frightening. In our case, she received a message from her carrier warning that a number port had been initiated moments before her cell service disconnected entirely. The message had a number to call to prevent the port, but without service she wasn’t able to make the call. Further, the incident took place late at night, well after the call centres had closed. While we eventually recovered her phone number and had extra protections placed on the account to prevent future SIM hijacking, the attacker did have access to the number long enough to attempt breaking into several accounts. Thankfully, the attacker wasn’t able to gain access to anything important, but not everyone is so lucky.
Importantly, that experience revealed existing prevention measures offered by carriers aren’t adequate. For one, the only recourse for preventing the SIM hijacking offered by carriers wasn’t readily available, leaving an open window for fraudsters to steal phone numbers while victims can do nothing to prevent it. Secondly, carriers don’t add account-side protections designed to stop SIM swapping attacks until after a customer becomes a victim. When someone is a victim of SIM swapping, carriers do little more than get the number back and harden accounts to make SIM swapping more difficult in the future.
Carriers argue publicizing SIM swapping data would not benefit public
Motherboard explains that PIAC’s information request was filed on July 23 and sought information about how the Canadian Wireless Telecommunications Association (CWTA) — a consortium of Canadian telecom companies — proposed to combat SIM fraud. Before this, the CRTC requested the same information from the CWTA in January and May, and received responses from the CWTA in February and June respectively. There was a CRTC letter dated July 17th that was sent to mobile providers as well. A full record of the inquiry and responses can be found here.
Following PIAC’s request, CWTA provided “heavily redacted” responses with no “meaningful information” about measures to fight SIM hijacking, when those measures will be implemented, or how bad the problem is in Canada.
Further, the CWTA defended its response by arguing that disclosing such information would benefit bad actors using SIM hijacking. Canadian telecom companies also argued along that same line. Eastlink, for example, said there was “no benefit to the public disclosure” and that publicizing the data would “undermine the work that has been done to implement measures to prevent unauthorized mobile telephone number transfers and SIM swapping in Canada.” Rogers, SaskTel and Shaw all made similar arguments.
Interestingly, some carriers also argued that releasing data on the number of SIM hijacking attacks “would provide competitors with access to highly confidential commercially sensitive information and which would allow them to develop new and more effective business plan and marketing strategies.” Shaw in particular called the release of such data “dangerous information to put on the public record.”
Fenwick McKelvey, an associate professor of communication studies at Concordia University, told Motherboard that while there is a need to protect security measures, the CRTC seems to practice security through obscurity by “default,” which is “undermining democratic oversight.” Instead, McKelvey says the CRTC should “work toward compromises that allow for better public knowledge and trust.”
Update 10/26/2020 at 11:26am: Corrected a section of the article to properly reflect the CWTA’s response in the matter. Previously, the article mentioned that the CWTA did not respond to past inquiries.