I’ve written in the past about how SMS is not a good 2-Factor Authentication method. In fact, its only slightly better than none.
Worse, some places just use your phone as a single-authentication (e.g. SMS you a password reset link, or just call you).
So you can image how comforted I was to hear that my carrier, my phone number, my email, was breached and is actively circulating in the ‘dark web’. Nice. Now, i’ve tried in the past (unsuccessfully) to get them to enable
port protection, its not something they offer. But this email from Koodoo this am (note: why did i read about this in the news a week in advance of the notice?) suggests there is a mysterious
port protection now enabled. Its not an option in my account I can see, but I guess I’m supposed to not worry (like Alfred E Neuman).
We recently detected a security incident impacting your account information. What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised. What we are doing: We acted quickly to prevent further unauthorized access. Some customers could have been at risk of unauthorized number porting, where a fraudster could use the compromised information to gain control of a customer’s phone number by moving it to another carrier. This would mean that the fraudster would receive your calls and texts. To prevent this, we have applied port protection on your account. Port protection is a feature that prevents the porting of your number to another carrier unless you call us first. If you’d like to have this feature removed, please contact us. We have found evidence that the unauthorized third party is offering the information for sale online. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter. What you can do: As always, be diligent in monitoring your online accounts and email for any suspicious activity. Ensure that you do not reuse the same login credentials across different accounts, and use passwords that are difficult to guess. We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes. If you have any questions, please contact us at 1 866 995 6636, Monday – Sunday, 9:00 a.m. – 10:00 p.m. ET. At Koodo, we believe customer privacy is of the utmost importance. We are taking this matter very seriously. We remain committed to protecting your privacy. We sincerely regret any inconvenience or concern this may cause and look forward to continuing to serve you in the future.