Industry Committee on March 12th, 2020

That's difficult to say. The players don't all say whom they outsource their data processing to, and some may not. There's no requirement to outsource to a third party analytics company. If you want to offer the best spam filtering, however, you're going to get the best analytics you can get, which may require you to share data with third parties.

Those parties right now are generally American, and while they say they may not share data, you have to worry about, first, the data's leaving the country, and second, the potential for data breaches and for data to be compromised.

It's not a fatal flaw. There are currently two or three proposals for solving this floating around the working group known as ATIS. There just hasn't been a consensus on it yet.

I believe the groups will get to a consensus, probably in the next six to eight months, but when the CRTC says it wants it done by September 30 of this year and the solutions to fundamental issues are still six to eight months away, those two conditions don't really line up together.

I don't believe so. I think there may be some regulatory changes needed once STIR/SHAKEN is done.

Currently carriers are not responsible for the calls they place on networks. Once STIR/SHAKEN allows you to identify which carrier is the source of a call, then you could probably empower the CRTC to.... If a carrier were known to be the source of a large majority of fraud calls, they might then somehow be found liable for those calls.

No, not necessarily, because I believe Bell also wants to stop fraud calls, because people are cancelling their land lines. One of their reasons for doing so would be just to stop the bleeding.

They thus may well do it anyway. They may want to sell it in certain contexts; non-consumer contexts, I believe, would be fine. At the consumer end, my only concern is about some people having this technology and others not.

Good morning, Madam Chair. Thank you and thanks to the committee for including us in the conversation surrounding this important topic.

Perfect.

My name is Kate Schroeder. I am a board member for the Canadian Network for the Prevention of Elder Abuse, which is also referred to as the CNPEA.

The CNPEA is a pan-Canadian network supported by leaders in the field of aging, research, health care, and elder abuse prevention and response, among other matters. The CNPEA connects people and organizations, fosters the exchange of reliable information and advances programs and policy development on issues related to preventing the abuse of older adults. We do this at local, regional, provincial-territorial and national levels through our knowledge-sharing hub at cnpea.ca.

We are pleased to have this opportunity to bring to light the challenges and impacts of fraud calls on older adults in Canada. The CNPEA's work focuses on gathering and disseminating adaptable resources, best practices and current research and policy development by Canadian expert stakeholders in order to increase our collective capacity to address and prevent the abuse of older adults. The following comments and recommendations are based on the extensive work of some of these experts.

Fraud calls are an attempt to deceive an individual to gain control over some aspect of that individual's life, whether financial or related to identity or some other aspect. These types of criminal attempts have an impact upon all Canadians, regardless of age, race, education or background. Vulnerable health, fledgling finances and a rarefied social network, among other factors, can heighten the risk of falling victim to potential scams, and this risk only increases as individuals age.

The rapidly shifting demographic in Canada is having impacts upon all aspects of our country and its economy. By 2031, some 23% of Canadians will be over the age of 65. By 2061 there could be 33% more seniors than children living in Canada. This shift is already presenting us with troubling new statistics in relation to fraud, and we expect these statistics to continue to increase as our population ages, since seniors are often identified as easier targets.

As of February 29, 2020, available statistics from the Canadian Anti-Fraud Centre indicate that so far this year there have been 7,804 reports of fraud or attempted fraud, and year to date over 4,119 Canadians have been confirmed victims of fraud, with more than $9.2 million lost.

According to the Canadian Anti-Fraud Centre, phone scams defrauded Canadians of an estimated $24 million between January 1 and October 31, 2019. Available statistics indicate that losses experienced by older adults account for as much as 25% of the total losses related to reported fraud and that this number is rising considerably.

The troubling aspect of these numbers is that they only reflect the fraud that's been reported. From available studies we know that the rate of fraud reported may be as low as 13%, often because older victims are afraid or ashamed to be deemed incompetent or otherwise deficient for falling prey to these calls.

Fraudulent calls are running rampant across Canada. Current scams include but are not limited to phone spoofing scams—numbers that imitate legitimate phone numbers—Canada Revenue Agency scams, grandparent scams, warrant calls, free reward calls offering trips and cruises, natural disaster scams, technology scams.

The grandparent scam, technology scam and the Canada Revenue Agency scam may be more likely to affect older adults. One major factor contributing to this is social isolation, which is considered a heightened risk factor for elder abuse in general. Isolated adults craving human connection, missing their family or lacking a support network may be more likely to fall for these scams and be more easily preyed upon.

The reasons that older individuals fall for these scams are often complex and interconnected. Potential risk factors that put individuals at greater risk may include the recent loss of a loved one; the lack of a support network; social isolation; economic insecurity; poverty; potential cognitive impairment; lack of awareness or understanding or the nature of these calls; and sophisticated, ever-changing technology.

Falling for these scams often leads to individuals feeling stigmatized. The complicated process of reporting and investigating these types of fraud lessens the chance of individuals completing the reporting process.

Some of the issues we've noticed that impede the reporting process are the fear of appearing incompetent; the fear of having their autonomy or decision-making abilities questioned; the fear of admitting to their children or loved ones that they made a mistake, as talking about money and technology often can be a fraught experience in families between parents and children; the potential lack of awareness of where to report; and, the potential to encounter ageism when trying to explain their situation.

What we are certain of is that these types of fraud calls are on the rise and are impacting all Canadians. Solutions must be unique and intergenerational in approach as well as collaboratively arrived at between private and public sectors, consumer groups, financial agencies and law enforcement. Some of the biggest keys to prevention and detection are awareness, education and easy access to reporting, as well as a respectful and informed approach to communicating with and supporting older victims.

Our overall recommendations from the CNPEA include the following: to develop awareness campaigns in all forms—social media, web based, print, TV—to help people, regardless of age, to understand the different scams and forms of fraud currently circulating; to support and promote bystander intervention training programs at financial institutions, law firms and other consumer groups; to support the development of programs not only to help Canadians navigate the complexities of reporting fraud but to markedly improve the access to support after reporting to prevent revictimization; to encourage the development of awareness and support programs that are accessible from home or other living arrangements; to improve access to regular and affordable transportation in rural areas to prevent social isolation and to facilitate access to necessary resources; and, ongoing proactive communication from various stakeholders—CRA, banks, telecommunication companies, senior service providers—to provide updates on current scams impacting older adults.

Thank you.

Good afternoon. My name is Randall Baran-Chong. I’m an entrepreneur from Toronto, hence why I wanted to articulate myself through a PowerPoint.

I'm here to represent Canadian SIM-swap Victims United, a grassroots organization of victim advocates from across Canada and across all walks of life, formed as a result of what’s described as one of the phone frauds that experts fear most. As victim advocates, we take our harrowing experience into hope for greater awareness, combine that with expert advice, and engage industry and leadership like you to promote action, with the sole objective of not adding another name to our roster.

Though my story starts back at the end of October 2019, this really begins back in 2007, with one of your former colleagues, Maxime Bernier, minister of industry at the time, announcing wireless network portability. In essence, what that was all about was to provide consumers the power to essentially vote with their dollars in terms of moving from carrier to carrier without being encumbered by losing their number.

It was all about empowering consumers and their choice to go to the carrier they wanted, but while well intended—like the road to hell, it was paved with good intentions—it led to the hell that many of us victims know as the SIM swap scam, also known as the unauthorized customer transfer or unauthorized porting. What that essentially describes is the transfer of someone's phone number from their own SIM to another SIM without the authorization of the account holder.

Let's dissect generally how SIM swapping works. The vast majority of SIM swaps are financially motivated. These fraudsters begin by doing their homework to gather the goods. What I'm referring to is the fraudsters getting a real understanding of who these victims are at a personal level and trying to find some identifiers about them, but really, if they're trying to do it through an unauthorized porting, they want to get the key pieces of information that are required to execute the port. These are, first, the phone number itself, and then one of the following, as described by the Wireless Network Portability Council, which has defined these rules: the account number of the holder, the device ID or a PIN. If you think about it, you only need the phone number plus one of those identifiers, and the phone number is highly accessible for most of us, so you already have half the job done.

How do you get the rest of it? This is where the methods of these fraudsters take place.

One of the major methods they use is social engineering, which means taking advantage of the human fallibility of the customer service reps. Oftentimes, they'll pretend: “I'm the customer, I lost my phone, I desperately need to get a phone back.” They'll play the system. They might even say that they forgot their PIN and will provide other types of information that are even more accessible, such as postal code or maiden name and things like that, to get around it and get access to the porting information.

They'll use phishing, fake phone numbers or fake emails purporting to be from Rogers and saying to enter your account number, but it's really the hacker who is getting your information. They can also use social media to find personal information about the person and, recently, even through data leaks. Telus and its flanker brand Koodo announced that their customers from 2017 and prior had their account information compromised by an unauthorized user, and they all had to get port protection put on their accounts.

Finally, and most nefariously, they have inside employees. This is something that we've seen in the United States, where employees at companies like AT&T and T-Mobile actually sold account information for $20 or less to these fraudsters.

That is how they execute the port.

Now that they have the information, what they'll often do is get a prepaid phone account. There's no identification required to get a prepaid phone because of PIPEDA; it's essentially untraceable to these people. Now that they have the information, they'll call and execute the port with that carrier and, under the CRTC decision from 2005, this has to be executed within 2.5 hours or less.

I saw on Tuesday that one of you got a CRA scam text, and I hope you never see on your phone that your SIM is no longer in service. That's how the victim finds out that they've been ported over. The victim has not really been involved. When I had mine happen, it was at 11:40 at night, and I suddenly saw that my phone was no longer working. I thought it was technical, but it turns out that I was being ported.

From that point forward, any calls that are outbound or inbound—texts, anything like that—are in the possession of the fraudsters themselves. For this next stage, which we call “forget it and reset it”, I'm sure many of you have text-based factor authentication with your social media accounts, bank accounts and things like that. If you forget your password, you click on “I forgot my password”, and it will send you a text for a one-time password to reset your password. Then, essentially, they can redefine the password.

Now that the fraudster has your phone number, they are receiving those texts or calls, and they are going in and locking you out of your very own account. It then comes to the plundering. Oftentimes, these fraudsters will work in teams to create this havoc. It manifests itself when you see emails flooding into your inbox saying that your account password has been changed and a new contact has been added to your account, and all you can do is watch.

In my particular case, which happened at night, as I've mentioned, I called my carrier and was told, “Thank you for calling customer service. Our hours are from 8 a.m. to 8 p.m., Monday to Friday.” They put up a 12-hour defence for an enemy that fights a 24-hour war. To get the phone number back, it oftentimes takes several hours or, in some of the cases we've seen, up to a few days.

How is the damage done? There are three key ways in which they try to take advantage of this. One is the direct theft. In particular, crypto is a flavour they prefer, because it's very hard to trace them afterwards, but there are average victims, such as the Johnson family of Peebles, Saskatchewan, who lost hundreds of thousands of dollars from their farm account. Others take advantage of the apps that have credit cards linked to them, as in the case of nurse Sheila O'Reilly from Oakville.

In my case, they tried to extort and blackmail me. They got access to my cloud drive. Essentially, as a small business person, with my small business account and my personal account all being on this cloud drive, five years of my life are now in someone else's hands. I told this story to someone in the United States who lost a million dollars—90% of his life savings—and he said, “Your offence that you had against you was much worse.” He feels bad for me.

Oftentimes what they'll do is take this data and monetize it on the dark web for the low low low price for log-in credentials of $20 to $120 and to $3,000 for full identification. In other cases, they will take over accounts. Jack Dorsey, for example, the founder of Twitter...if the founder of Twitter can be a victim of a crime like this, who amongst us is safe? Even celebrities such as Mariah Carey and Adam Sandler have been victims of this. In other cases, they target accounts that have desirable user names. There's a man in Toronto named Jack Hathaway, who lost his Instagram handle “cosplay”, which is a highly valued target.

Unlike things like phone spoofing or these other frauds that you heard about earlier, these aren't necessarily done from call centres overseas that we feel we're helpless to take action on. As recently as November an arrest was made of an 18-year-old from Montreal who has participated in the theft of $300,000 from Canadians and over $50 million from Americans.

What this really demonstrates is that these aren't sophisticated programmers, hackers and coders who are doing this. These are the people who know how to play the game. These are commonly done—in the arrests that have been made in the United States, for example—by people under the age of 25.

We came to the realization that our phone numbers are our new form of identity. Our SIM is like our new SIN, and security is as strong as the weakest link, whether it's technical or human. Finally, when it comes to unauthorized porting, it can have lifetime impacts, so we need to change the way we think about these things.

How is it being dealt with elsewhere? In the United States, they're treating it as a national security risk. In places such as Africa, they're using co-operation between the banks and the telcos to identify fraud risk. In Australia, they have actually taken regulatory action to introduce pre-porting processes to identify whether or not you have actually validated the requests. They've even introduced buy-ins for telcos that don't comply with the authorized porting process.

Okay.

Thank you.

My apologies for that.

In terms of what we think, from the Canadian perspective, first, there need to be changes to the regulations and something similar to what Australia has done with pre-porting authorization needs to be introduced. It's as simple as getting a text from the new carrier that says, “Did you request this porting over?” With what Australia introduced, essentially you have to get either a call or a text from the new carrier. Let's say your phone is actually legitimately stolen. Then you have to go into a store to actually provide government ID to validate that it's you and that you are executing the port. But as John Lawford from PIAC kind of alley-ooped me there in setting things up, there needs to be more transparency as well around the process.

The CWTA has requested that a lot of the information about processes be redacted or not shared, but it's widely known within cybersecurity that security through obscurity doesn't work. As an example of that, one of the things that Rogers did was to text people to say, “We received a request that you wanted to port your phone number. If it wasn't you, call us.” This fails on three different levels.

First, there are instances when people, because of the distrust that's been caused by all these frauds, think that it's a fake text in itself, so they just ignore it. Then the port still gets executed within that two and a half hours. In the second case, there have been instances of people trying to reach them through the hotline and they are never able to get through. One port was executed within 12 minutes of receiving the text. In the third case, if a really smart fraudster looks at it, they'll look at your social media, find out when you're on vacation, and then execute the port so you don't even have your phone on you.

There are obvious ways in which we can at least temporarily get rid of this, and then we need to move away from SMS-based two-factor authentication entirely.