Industry committee  I would add that there's a company called EnStream, which is a joint venture of the major telcos. One of the services they offer is identity verification to prevent things like SIM swap fraud. This is a product that they sell to the banks. I've spoken to some folks on the cybersecurity teams in the banks, and they know SIM swap fraud well, because banks are the ones who ultimately pay for it.

Industry committee  I'm admittedly not familiar with Bill C-27.

Industry committee  That's in the case of a stolen phone. There's a bit of balance here, right? The CRTC wants to allow you to easily port your number. There is actually a rule that they have to execute it within two and a half hours. My bigger recommendation, which doesn't have to apply to just a stolen phone, is that when you have text notification that your number has been requested to be ported, you have to proactively consent by texting back “yes”—that yes, you are trying to execute that port.

Industry committee  Absolutely. You kind of wonder whose corner they're in. We've been consulting with PIAC quite a bit. We've been trying to get this data, for example. You'd think macro-level data is not too big of an ask or too much of a threat to security. We weren't even asking at the telco level what the data was in terms of the incidence of SIM swaps.

Industry committee  Well, I've consulted several lawyers. It's interesting, because unlike others who've had significant financial losses.... In the case of credit card fraud, let's say, the credit card company or the banks end up kind of compensating folks for that. Other folks who have crypto-thefts are still trying to recover their losses, and many of the people within our groups are trying to recoup between hundreds of thousands to millions of dollars.

Industry committee  No, I have not.

Industry committee  Yes, we're highly supportive of the idea. It doesn't matter really what form it takes. Again, it's all about being able to be heard. We've learned a lot from the different victim stories, because our group essentially is very grassroots. I identify them by scanning through articles and reaching out to them, or they come to us and they tell us the circumstances of these issues.

Industry committee  Thank you. When our group saw the recommendations from this report, we were actually quite appreciative, because I think they essentially reflected what we had asked for in terms of supporting a hearing. The response, I believe, from the ministry about the hearing was that they didn't feel it was appropriate to have a hearing because they didn't want to solicit views from the public on how to protect themselves—which I thought was somewhat silly, because where the telcos have gotten to now is based on a recommendation we made back in 2020.

Industry committee  I guess it's because it's equally personal, since I'm a victim myself. Since then, I have been able to hear the recording from the police of the customer service representative who impersonated a Rogers employee, called the Rogers store, and essentially got my information. It was surrendered very easily.

Industry committee  Yes. I'm more critical of SMS-based two-factor authentication because the vulnerability is that once the number is stolen from you, the SMS goes to the fraudster. However, there are other things out there like app-based two-factor authentication. You may have heard of Google Authenticator, which is very commonly used.

Industry committee  Oh, I'm sure they collect it, but they just don't want to share it. The only way this person—a Globe and Mail telco reporter, ironically—was able to access it was to file an access to information request to get that information. PIAC, the Public Interest Advocacy Centre, has requested it multiple times, and the CRTC has written letters saying that no, this is not in the public interest or that this would compromise, potentially, the security of individuals and security in the telcos.

Industry committee  Thank you.

Industry committee  I believe my third recommendation was around what the Australian communications commission did. What it did was introduce a process, which was very similar to what we proposed back in 2020, that essentially there had to be an authorization by the customer to execute the port. If the company did not comply with that, for every incidence of the company not doing that, there would be a fine of up to $250,000.

Industry committee  Good afternoon. My name is Randall Baran-Chong, co-founder of Canadian SIM-swap victims united. I'd like to thank the committee for inviting me to reappear because, the last time I was here, the lockdown was announced that afternoon, so I hope not to be the harbinger of another pandemic.

Industry committee  After that incident happened with my cellphone, I was able to reach Visa immediately. They have a 24-hour hotline to report fraud. Why is it not the same for the telco companies? I even tried calling the consumer line, which is 24 hours but they don't have access to my business information.