IT executive Erynn Tomlinson has recently lost the equivalent of $30,000 in cryptocurrency after hackers targeted her Rogers account by using something known as “social engineering fraud”.
According to CBC News, the hackers used her personal details during interactions with Rogers customer service to gain access to her account.
Tomlinson, who was planning on using her savings for a mortgage, said “I don’t know how to describe it. I was sort of in shock at the whole thing.”
The hackers apparently used what is called a SIM swap, together with social engineering, to target Tomlinson through online chat windows. They basically used charm and persuasion to convince the Rogers customer service representative that they were the actual owners of the account.
“The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy,” Tomlinson said of her experience.
The hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider.
Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.
According to Tomlinson, hackers were even able to bypass two-factor authentication on her accounts by using the SIM swap technique which allowed them to divert incoming text verification messages to a new device.
CBC Marketplace tested the security of Rogers phone reps with their own social engineering experiment and was able to bypass and gain access to a staffer’s account, only using information found online.
When told of the results of the CBC experiment, Rogers admitted the company’s authentication steps weren’t properly followed, noting the agent involved would be re-trained to stick to proper protocols.
Rogers responded Tomlinson’s case by telling CBC News “it takes its customers’ privacy and security very seriously and the company is continually strengthening its security measures and verification processes.” The company says it has “ongoing training in authentication best practices for front-line team members.”
“I hope this is a bit more of an extreme case,” Tomlinson said. “But I think … every Canadian is at risk right now.” Tomlinson says she is now going after Rogers with legal action.