My apologies for that.
In terms of what we think, from the Canadian perspective, first, there need to be changes to the regulations and something similar to what Australia has done with pre-porting authorization needs to be introduced. It's as simple as getting a text from the new carrier that says, “Did you request this porting over?” With what Australia introduced, essentially you have to get either a call or a text from the new carrier. Let's say your phone is actually legitimately stolen. Then you have to go into a store to actually provide government ID to validate that it's you and that you are executing the port. But as John Lawford from PIAC kind of alley-ooped me there in setting things up, there needs to be more transparency as well around the process.
The CWTA has requested that a lot of the information about processes be redacted or not shared, but it's widely known within cybersecurity that security through obscurity doesn't work. As an example of that, one of the things that Rogers did was to text people to say, “We received a request that you wanted to port your phone number. If it wasn't you, call us.” This fails on three different levels.
First, there are instances when people, because of the distrust that's been caused by all these frauds, think that it's a fake text in itself, so they just ignore it. Then the port still gets executed within that two and a half hours. In the second case, there have been instances of people trying to reach them through the hotline and they are never able to get through. One port was executed within 12 minutes of receiving the text. In the third case, if a really smart fraudster looks at it, they'll look at your social media, find out when you're on vacation, and then execute the port so you don't even have your phone on you.
There are obvious ways in which we can at least temporarily get rid of this, and then we need to move away from SMS-based two-factor authentication entirely.