Evidence of meeting #36 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Chris Lynam  Director General, National Cybercrime Coordination, Royal Canadian Mounted Police
Denis Beaudoin  Director, Financial Crime, Royal Canadian Mounted Police
Guy Paul Larocque  Acting Officer in Charge, Canadian Anti-Fraud Centre, Royal Canadian Mounted Police
Randall Baran-Chong  Co-Founder, Canadian SIM-swap Victims United, As an Individual
Kevin Cosgrove  Digital Safety Educator and Civilian Advisor, As an Individual
John Mecher  Retired RCMP Fraud Investigator, As an Individual

Noon

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

That's right.

Noon

Acting Officer in Charge, Canadian Anti-Fraud Centre, Royal Canadian Mounted Police

Sgt Guy Paul Larocque

As far as I'm concerned, STIR/SHAKEN is not fully implemented, so it's hard for me to tell if it's effectively working.

One thing we noticed with fraud that is initiated by telephone, though, is that scammers are using a lot of spoofing technologies to make you believe that the number that's calling you is actually local when it's not.

What it tells us at the Anti-Fraud Centre is that it's another example of scammers being very adaptive at finding ways to be able to still connect with their victims.

Noon

Conservative

The Vice-Chair Conservative Michael Kram

Thank you very much to all the witnesses for appearing today.

We have just completed the first hour of this meeting. We will need a few minutes to suspend the meeting while we switch out the witnesses.

Thank you so much, everybody.

12:05 p.m.

Liberal

The Chair Liberal Joël Lightbound

My apologies, dear colleagues. I lost my Internet connection toward the end of the meeting, so thank you to our vice-chair, Mr. Kram, for stepping up.

We are back for this second hour of committee, and with us for this hour are Randall Baran-Chong, Kevin Cosgrove and John Mecher. Thank you for joining us this afternoon.

Without further ado, I'll cede the floor to Mr. Baran-Chong for five minutes for his testimony.

12:05 p.m.

Randall Baran-Chong Co-Founder, Canadian SIM-swap Victims United, As an Individual

Good afternoon. My name is Randall Baran-Chong, co-founder of Canadian SIM-swap Victims United.

I'd like to thank the committee for inviting me to reappear because, the last time I was here, the lockdown was announced that afternoon, so I hope not to be the harbinger of another pandemic.

To refresh your memories, number portability, which was introduced in 2007, was designed to enable customers to switch carriers easily while retaining their phone number, but it's something that has been exploited by fraudsters to transfer ownership of a phone number to themselves, often by manipulating the customer service representative of a telco.

Once in possession of your phone number, they take advantage of SMS and text-based authentication methods and click “forgot my password” to take access and control of the victim's accounts. If you think about it, that can be everything from your email to banking to cloud storage to crypto-wallets. Within our organization of over 20 victim advocates, we have people who have lost possession of all their data, had hundreds of thousands of dollars stolen, and, in my case, had a livelihood threatened with extortion.

What has happened since that last fortuitous meeting? As part of its November 2020 report, this committee—with a few different faces now—had two key recommendations, which I am paraphrasing. One was that a hearing be held and, in the absence of that, legislation.

The minister responded by saying that we entrust the CRTC and the wireless network portability council, which is composed of the telcos themselves, to handle it and do its job of self-enforcement, and that legislation is unnecessary, as unauthorized porting is covered as a crime.

I can speak for almost all victims in our group that our issue is not with criminal enforcement of this issue or with the perpetrators themselves; it's a real matter of distrust of the telcos and their regulator. To do something probably never done in this chamber before, I'm going to quote rapper Ice-T. Our attitude is more, “Don't hate the player, hate the game”.

What I mean by that is we know that criminals will always look for vulnerabilities to exploit, but it's the system, the telcos, that we entrust to protect our personal information that do the math of what it costs to prevent these frauds versus the near-zero cost of punishment they bear in the event of failure, and the regulator that exists to protect the public has failed us. In fact, both of them have been thus far dismissive, unsympathetic and ignorant of victims.

Since our last meeting, the following has been revealed: It's more prevalent than most people thought.

Ms. Gray alluded to this. An access to information request filed by a Globe Telecom reporter—who ended up being a victim of SIM-swap fraud, ironically—revealed 24,627 cases, to be exact, of unauthorized ports over the 10-month period of August 2019 to May 2020. That represented 1% of all ports.

Compare that to credit card fraud, where only 0.17% of transactions are fraudulent. At a peak, 2.5% of all ports were fraudulent. Its magnitude can be massive. Two Canadians, one in Montreal and one in Hamilton, have been charged with stealing between $40 million and $50 million in cryptocurrency and other credit card fraud in Canada and the United States.

Meanwhile, other victims in our groups are attempting to recoup millions in stolen funds due to telco customer service representatives surrendering personal information to fraudsters, enabling execution of the unauthorized port.

Finally, telcos have self-enforced in the meantime, and unsuccessfully in the beginning. After a number of failed attempts to address the problem, they introduced text notifications around the summer of 2020. This continues to fail. We know this because of victims who emerged afterward. There is a group of 14 that we are aware of who were attempting to recoup several million dollars back in 2021. Telcos have failed to prevent the exploitation of their representatives and they apply the practice inconsistently.

The fact remains this: Our digital identities and our phone numbers are only growing in criticality. Your SIM is the new SIN number—that is, until SMS-based two-factor authentication is replaced wholesale.

The second point is that the safety of our digital identity is as strong as the weakest link and, in this case, telco customer service representatives, CSRs, are the weakest link in the line of defence of our phone numbers.

Investigations have revealed phone conversations and chat logs of CSRs being socially engineered into providing information to fraudsters. This speaks to a lack of training, misaligned incentives to prioritize customer throughput over customer protection and a lack of punitive measures for the telcos themselves in the event of failure.

Finally, it remains that progress and practices around unauthorized porting remain opaque. The fact that we were unable to produce numbers and that they can only be produced through access to information requests speaks to that. There is no proactive disclosure of data on incidences or effectiveness of practices.

We need to have a hearing to get a more thorough understanding of the situation and response situation and allow for victims to be heard. Second, we need to codify rules that create consistency and durability in practices, including transparency in metrics. Third, we need to introduce enforcement for non-compliance, as I suggested back in 2020 when Australia introduced fines of up to 250,000 Australian dollars for non-compliance.

These three recommendations are all supported by over 12,500 Canadians who signed an OpenMedia petition to that effect.

Let's not wait another pandemic for things to happen on this. I welcome your questions, and a way to a cure.

Thank you.

12:10 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much, Mr. Baran-Chong.

I'll now turn it over to Mr. Cosgrove for five minutes.

12:10 p.m.

Kevin Cosgrove Digital Safety Educator and Civilian Advisor, As an Individual

Good afternoon, everyone.

I'd like to thank the committee members for offering me this opportunity to speak today.

My name is Kevin Cosgrove. I'm a network technician, educator and digital safety advocate in Windsor-Essex County in Ontario. I've been working in the IT field for almost three decades, but I've shifted to working more with actual people, through contacts, throughout our community. I've been working with law enforcement on digital fraud and educating the public in that area.

I teach classes each semester with seniors specifically. As we know, seniors are a major target for online, digital and phone fraud. In the stats I receive way down at my end of things, almost 25% of the victims of fraud are seniors. Each year we spend time with local police and educate seniors on how to avoid fraud.

I know this committee has certainly focused on things at the higher levels—dealing with the telcos and other things at international levels—but I'm the guy down in the trenches having the little old lady coming to me, telling me she got scammed, needing that type of help, and asking who she should call.

My biggest frustration in working at a local level and being an educator specifically focused on these matters is that the information is already available and out there. The RCMP, especially, has a phenomenal amount of information. When I speak to people in my classes, however, no one's heard of it. It's not that the RCMP is not doing a good job or is not doing any outreach, but when I speak to people, they're unaware.

As the committee is aware, the RCMP has a fabulous publication known as The Little Black Book of Scams. It's a wonderful publication, and they've had it for quite a few years. After doing this for almost 20 years, I only know one person who saw a physical copy of it. That's definitely an issue with some of the programs we have; some of the education and outreach we're getting from the RCMP isn't necessarily getting down to every level.

Of course, there's also sometimes a disconnect when the RCMP is not the leading authority in a jurisdiction and relies more on local police to deal with that. They're doing their own jobs. Basically, each little area we're running into is trying to reinvent the wheel instead of having a unified response to some of this stuff.

A big focus I have, when I'm teaching seniors and putting stuff out in the community, is making it accessible. When I got into doing this almost 20 years ago, I noticed that the focus on details, definitions and such things is unwieldy for the average person picking up a pamphlet and trying to understand it. I'm not disparaging some of the information out there, but an 84-year-old woman does not care what the differences are among phishing, smishing, spear phishing or whale phishing. They don't care about those types of details. They need information to keep themselves safe without reading a PSA, a public service announcement pamphlet that goes in the wrong direction for educating the public.

I'm definitely ready for any questions you may have. I think I had a few questions for the RCMP when I was sitting back there. However, that's not my place.

Thank you very much for the opportunity.

There was some mention earlier about STIR/SHAKEN and what kind of progress has been made there. Even though I'm a civilian, I speak with criminal intelligence analysts at the CAFC and the financial crimes unit in Windsor. According to them, the types of calls that are specifically targeted by STIR/SHAKEN have diminished. People are no longer reporting receiving calls that say “Canada Revenue” on their phone. They may see that exact same phone call show up as a long-distance number, but in terms of a spoof call being displayed as law enforcement or Canada Revenue, that has definitely decreased, according to the information I've been given.

12:15 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much, Mr. Cosgrove.

I'll turn the floor over to Mr. Mecher for five minutes.

October 3rd, 2022 / 12:15 p.m.

John Mecher Retired RCMP Fraud Investigator, As an Individual

Greetings. Thank you very much, Mr. Chair and honourable members of the committee.

My name is John Mecher—that rhymes with teacher—and I was with the RCMP for over 32 years. During that time, I spent approximately 10 years investigating fraud, mostly in the greater Toronto area. I've investigated various frauds, including the infamous CRA scam. After I retired in 2019, I continued my work in a volunteer capacity to create fraud awareness.

Although I'm open to discussing many aspects of fraud, including organizational and governmental missed opportunities, I've chosen to focus on a foundational component of fraud prevention. Specifically, I will speak to the difference between “fraud awareness” and what I call “meaningful fraud awareness”.

First, it's always good to reiterate the losses, which continue to escalate year after year and are currently at an all-time high. As per the Canadian Anti-Fraud Centre, last year those losses rang in at over $383 million. Worse yet, that amount, as per the Canadian Anti-Fraud Centre, only represents 5% of the actual losses.

What we're looking at in Canada is that fraud has become a multi-billion-dollar enterprise for fraudsters all around the world. Those same fraudsters tend to prey on people I describe as traditional fraud victims, such as seniors, newcomers, refugees and the intellectually challenged. Although I can offer several egregious examples of fraudsters targeting members of those communities, I must remind everyone that just about anyone, given the right set of circumstances, can fall for a scam.

It's also necessary to remember that the victim impact often goes beyond simply a financial hit. In some cases, the victim's life savings are wiped out, and that's often never recovered. Sadly, victims also face layers of emotional impacts, ranging from embarrassment to depression, and in extreme cases, unfortunately, many victims end up taking their own lives.

Specific to phone fraud, even though these scams have been around for decades, we have yet to implement measures that have been able to reduce their ease of access to our phone systems. Statistics from the Canadian Anti-Fraud Centre reinforce that point, as the phone has been and continues to be the preferred method of solicitation for fraud.

Furthermore, with a view to the CRA scam that arrived in Canada in 2014, along with subsequent variants, I remain unconvinced that there is any sense of urgency in creating a barrier to the exploitation of our phone systems. To that end, we also need to be aware that we can't rely on enforcement—albeit necessary—or the courts as a meaningful deterrent for fraudsters. Unfortunately, we're not left with many options to protect our fraud-vulnerable communities.

All that said, fraud awareness is the solution, and that needs to be employed. However, it needs to be employed in a meaningful, relentless and focused manner, but that is something that does not always happen. If the status quo approach to fraud awareness worked, we would not be seeing losses growing on a yearly basis. At the same time, although many people in Canada do great work on this front, we need to do much more, and we need to do it now.

Although fraud awareness can involve websites and social media, if potential victims are unaware of those platforms, it's pointless to believe that a series of tweets or online posts can create meaningful fraud awareness. From my perspective, the golden rule of meaningful fraud awareness must be driven by our ability to get the message to those who need to hear it the most. In failing to do that, we will continue to see further victimization.

Lastly, I'm willing to work with any parliamentarian in a non-partisan manner, just as I did with Mr. Masse on the Western Union file, which was a once-in-a-lifetime opportunity for victims of fraud to recoup losses.

Thank you.

12:20 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you very much.

Mr. Deltell, you have six minutes.

12:20 p.m.

Conservative

Gérard Deltell Conservative Louis-Saint-Laurent, QC

Thank you very much, Mr. Chair.

Gentlemen, welcome to your House of Commons.

I have a question for all three of you, but first of all I would like to address some points with Mr. Cosgrove about the RCMP.

Your testimony is quite interesting. If you meet any RCMP officers in the corner, you can talk to them. They are very open-minded. Don't be afraid.

Mr. Cosgrove, you raised an issue about the fact that the RCMP have many tools, but unfortunately, people don't know that. Does that mean that people are not informed or does it mean that the RCMP hides some information?

12:20 p.m.

Digital Safety Educator and Civilian Advisor, As an Individual

Kevin Cosgrove

On my level, and just from the education side of things, I do look into the CAFC and the RCMP and the resources that they have, and the resources are excellent. I sometimes rewrite things for my own classes or I just use their own materials. There's no need to reinvent the wheel with some of this stuff. In just talking to people, many of them don't know it's there.

I can't speak at all to why there's not enough information given out, or a split in jurisdictions where local law enforcement or the RCMP are not taking a local interest. I'm not sure of the exact reason. The material is there. On your side, and the committee's side, of course, you have an interest in the actual statistics and the numbers. The average person is not interested in accessing that information.

In terms of fraud prevention, awareness, and everything else, I teach a special program with our local university. It's for people 55 and older. I've been doing it every semester for eight years now, and there's always a class that signs up. I also do talks with our regular police. The interest is definitely there. There's no question about that. I have people coming to me, and not just me, trying to chase people down and put pamphlets into their hands, but the information is already available. People can look this stuff up online. They can get pamphlets. They can visit their local police. There's an unlimited number of ways people can be educated to prevent this stuff, but somehow there's a disconnect. That's why I've been focusing my own work, even working with MP Brian Masse, on trying to educate the public specifically.

It's been going well. I'm hoping that after a few years there will be a big hole in a map where reporting and fraud happens. That might be a little optimistic, but getting the information, as far as I'm concerned, does not require SHAKEN/STIRRED. It does not require enforcement. It doesn't require U.S. law enforcement co-operation. If every person whom I've reached so far knows what a scam is, whether it's through SMS, text, online, or a phone call, they can identify the fraud in the first place. None of the other approaches is effective.

12:25 p.m.

Conservative

Gérard Deltell Conservative Louis-Saint-Laurent, QC

Mr. Cosgrove, we don't have any RCMP people at this committee, but we have a former RCMP officer in Mr. Mecher.

Mr. Mecher, I would like to know what your thoughts are when you hear Mr. Cosgrove talking about the fact that there is plenty of information, but people are not aware of that information.

12:25 p.m.

Retired RCMP Fraud Investigator, As an Individual

John Mecher

That actually speaks largely to what I was talking about, and I couldn't agree with him more. Having the information isn't the issue; getting that information to those who need it the most is the issue. That speaks to having a proper communications environment.

I want to reiterate that there are many people doing good work. A case in point is what Mr. Cosgrove is doing. From a national perspective, it's my humble position the RCMP, and by extension the federal government, doesn't see fraud and fraud awareness as a priority.

To be fair, during my time within fraud, I've never seen any federal government actually pursuing fraud or fraud awareness as a priority, so this is not something unique to just now. The only thing that's more pressing now is we're seeing losses completely off the charts compared to what we were seeing 10 years ago.

12:25 p.m.

Conservative

Gérard Deltell Conservative Louis-Saint-Laurent, QC

We should keep in mind that you're only talking about 5% of the losses that were identified. We are losing billions of dollars.

If I have enough time, Chair, I would like to ask Mr. Baran-Chong a question.

Mr. Baran-Chong, I deeply appreciate your comments. I want to get back to the third recommendation you made. Maybe I was not aware very much, but you talk about those who are not complying and that there is an obligation to comply.

Can you explain your third recommendation?

12:25 p.m.

Co-Founder, Canadian SIM-swap Victims United, As an Individual

Randall Baran-Chong

I believe my third recommendation was around what the Australian communications commission did. What it did was introduce a process, which was very similar to what we proposed back in 2020, that essentially there had to be an authorization by the customer to execute the port. If the company did not comply with that, for every incidence of the company not doing that, there would be a fine of up to $250,000. One of the Australian carriers has paid over $200,000 for 15 instances of non-compliance. They didn't go for the full max for each instance, but certainly it happens, and we've seen the reductions because of that policy, so there is that deterrent element.

12:30 p.m.

Conservative

Gérard Deltell Conservative Louis-Saint-Laurent, QC

Do I have enough time, Mr. Lightbound?

12:30 p.m.

Liberal

The Chair Liberal Joël Lightbound

You have 20 seconds, Mr. Deltell.

12:30 p.m.

Conservative

Gérard Deltell Conservative Louis-Saint-Laurent, QC

Thank you so much, everybody.

12:30 p.m.

Liberal

The Chair Liberal Joël Lightbound

Thank you.

I give the floor to Mr. Gaheer, for six minutes.

12:30 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you, Mr. Chair.

Thank you to the witnesses for making time for the committee.

Mr. Baran-Chong, you were slightly critical of telcos, and I say that with sarcasm, obviously. You say in your own words that they have been “unsympathetic”, unhelpful, and that they have quite literally failed.

What are the missed opportunities? What could they be doing better to prevent fraud?

12:30 p.m.

Co-Founder, Canadian SIM-swap Victims United, As an Individual

Randall Baran-Chong

I guess it's because it's equally personal, since I'm a victim myself. Since then, I have been able to hear the recording from the police of the customer service representative who impersonated a Rogers employee, called the Rogers store, and essentially got my information. It was surrendered very easily. The scammer essentially impersonated this employee and was able to provide a customer number and all the other stuff. I think it speaks to a broader problem within the telcos and the ability to socially engineer and exploit these folks.

I think part of the problem is that if you think of an incentive, I can tell you an outcome. The problem is that these customer service reps—and I have sympathy for them—are not very highly paid and they are not very highly trained. A lot of their metrics are based upon how many customers they can get through during their shifts. What's the satisfaction of that? Their incentives are more to.... If someone wants to try to port their number, let them do it. They don't want to put up resistance. They don't want to challenge whether this is the right person or things like that. If the incentives continue to essentially enable them to focus more on throughput, business outcomes and things like that, versus protecting customers' privacy and information, then I think this problem will persist.

The second thing in terms of awareness is that there is, of course, the broader awareness of good hygiene. Let's move away from SMS-based 2FA. This is something that the Federal Communications Commission in the United States has been promoting, as they consider SMS-based 2FA and SIM swapping a national security threat, but there's also the corporate awareness. For example, when Rogers introduced its text notification form in its first failed attempt at 2FA, customers thought the text notifications were frauds. They thought they were spam as well, but it's because of Rogers' practices being so obscure and their not sharing these practices that customers weren't aware that this was trying to protect them.

There are many different opportunities, and a lot of them emanate from the telcos themselves.

12:30 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you.

You also are critical of two-factor authentication. Are there alternatives, or what would you recommend moving to?

12:30 p.m.

Co-Founder, Canadian SIM-swap Victims United, As an Individual

Randall Baran-Chong

Yes. I'm more critical of SMS-based two-factor authentication because the vulnerability is that once the number is stolen from you, the SMS goes to the fraudster. However, there are other things out there like app-based two-factor authentication. You may have heard of Google Authenticator, which is very commonly used.

The problem is that there was a Princeton study of 140 of the most popular websites. With regard to many of these websites, the first factor of authentication they promote is an SMS-based two-factor authentication. We need to move away from that, especially for these critical industries.

I can tell you that some of these banks within Canada still use SMS-based 2FA, and that's their only form of two-factor authentication. We need to really look at moving away from this if that vulnerability and that distrust of telcos persists.

12:30 p.m.

Liberal

Iqwinder Gaheer Liberal Mississauga—Malton, ON

In your testimony, you also said that there was no data released on the incidences. That strikes me, because shouldn't the CRTC be collecting that?