Industry Committee on March 12th, 2020

There's something called soft-token authentication. There are things like Google Authenticator or Authy or things like that, which are available for quite a few different types of apps and things that we use. A lot of social media offers it. But often it's a secondary offered form of authentication. It's not widely known. It's accessible only to smart phone users unfortunately. But there are still a lot of things we use in which they promote two-factor authentication by SMS, and still banks often promote that only.

It is not a misconception and definitely social media is extremely prevalent with our younger generation, but it is also extremely prevalent with senior Canadians. Facebook is a very, very hot popular thing for aging Canadians. It is unfortunately a breeding ground for fraud, romance scams and all of those types of things. It all stems from that need for connection, that want for a relationship, the need to feel connected. It's that social isolation piece we focus on that is stemming from those connections that our senior population are trying to build in that social network.

I think there are certainly programs out there. I know the Canadian Competition Bureau has “The Little Black Book of Scams”. It's available. It talks about all of these things.

It's really about promoting these resources that are available and having them widely available in all sorts of different social services, banks and agencies. I think there is a need.

Again, because our senior demographic is so robust, one person may see it online and another may see it in print, so we really have to cover off all of those areas. I would say there is a need for a more robust promotion of those materials that are out there.

Also with regard to the new things that are coming out, to speak to what Mr. Baran-Chong just said, I think we're really good at promoting information about the CRA scams, romance scams and things like that, but there needs to be more robust communication from telecommunication companies and things of that nature, on the emerging scams and the things people need to be aware of.

Yes, it is happening. I think as our demographic continues to age, our world is moving to a more mobile cellular network type of environment certainly. I think we can all concur that this doesn't necessarily eliminate the problem.

I think it's twofold. If they're simply eliminating their land lines, there's obviously concern that only adds fuel to the fire of social isolation and to the concern that if something is wrong, how we will get in touch with these people to make sure they're safe and okay.

Again, with regard to the cellular network piece of it, we get just as many fraud calls on our cellular devices as we do on our land lines. I definitely think we're seeing that. I think it's concerning, because it only adds more concern regarding the potential risks to those individuals.

Absolutely. I think first codifying that within the regulations is important, because what we've often seen the carriers do is to fall back on saying they're complying with the regulations. However, the decision was made back in 2005, and obviously the kind of threat environment has changed quite significantly.

As Mr. Lawford alluded to earlier, the CRTC also needs to be much more transparent in asking the CWTA and the industry to be more transparent about the prevalence of this. Are they effectively dealing with this?

We appreciate that the CRTC issued the letter back on January 15 of this year, but the letter that came back from CWTA was highly redacted with regard to anything that was interesting to us, such as the measures being taken and the prevalence. As well, there was no sense from us of what the CRTC would assess as effective measures from the industry, the kinds of potential enforcement measures they'd take if they didn't act upon this or the implementation schedule, because the longer this persists, the greater the number of victims that will be racked up.

I think there at least needs to be recognition, especially for the customer-facing elements in terms of the protections that are introduced, that there should be more disclosure about that and participation of customers in that. I mentioned the issue with the texts that went through. People weren't aware that a new protection was introduced, so they were immediately skeptical of it. These kinds of measures need to be more publicly aired.

I can understand, though, that one part that needs to be addressed is around training their staff more. I can't tell you how many times I've called my telcos and had to teach these customer service reps about their porting policies—in fact, up until last night; I almost used social engineering to get my pin from someone who really didn't.... I provided information that's very easy to obtain.

There needs to be training of employees too. I can understand if that part is not necessarily publicly disclosed, but there needs to be two sides to this.

That's the soft-token authenticator I was alluding to earlier. It's like Google Authenticator. It generates a code on your phone and asks you to essentially replicate the number you're getting on your app and put it in. Instead of getting a text message, you're using that number. You can also use a hardware token. Some people might have seen those RSA keys that generate a number as well. A hardware or soft token could be used to authenticate. Essentially, you just don't want to tie it to your phone.

I'll give you an example. There was recognition, I think, by the different law enforcement agencies that have been dealing with this that there needs to be more coordination. Even though maybe these criminals are working in teams that are close to each other, these victims span across the country. The RCMP is launching a national cybercrimes coordination unit, which will be launching this year, I believe at the end of April. They will be able to better coordinate these cases. When we as victims share our stories, we're often able to almost hear these common denominators between these crimes. We pass that off onto the law enforcement agents who are working on our cases.

As we said, we need codification of these new types of pre-porting notifications and verifications and more transparency around what's going on with the porting. We need to ensure that the telcos are implementing policies and doing it consistently. Finally, I think governments and industry should be studied, in terms of the ones that have sensitive data, on whether they're using SMS-based 2FA, and how we can transition away from that. Otherwise, we put ourselves at the peril of SIM-swapping.

I was offered $100.

Yes, I think that speaks volumes.

Individuals are partly responsible as well in terms of their data, for example, what they put into things like the cloud. To some degree, I'm paying a top-bracket idiot tax for uploading almost everything. I actually wasn't even aware that all that stuff was being uploaded, because I didn't really use it.

I wanted to come forward with my story to let people know that you should be careful about what's being put on there. Cyber experts, ironically, are saying to go offline, don't use cloud, save on an external hard drive. They're even saying to not save passwords on your browsers; write it down on paper, and write with a marker, so that the pen doesn't imprint on the paper. We're making a 180° turn in terms of how we are becoming more careful about the stuff we store. On the consumer side, that's the most important part, to be aware of what we have there.