Good morning, members of Parliament, staff and hearing participants.
My name is Matthew Gamble. I am a director of the Internet Society Canada Chapter and I am pleased to appear before you today to speak about fraudulent and nuisance calls in Canada.
First, I'll say a few words about who we are. The Internet Society Canada is a not-for-profit corporation that engages on Internet, legal and policy issues to advocate for an open, accessible and affordable Internet for all Canadians. An open Internet means one where ideas and expression can be communicated and received, except for where limits have been imposed by law. An accessible Internet is one where persons and all interests can freely access websites that span all legal forms of expression. An affordable Internet is one where all Canadians can access Internet services at a reasonable price. More information about our board, our activities and our publications can be found on our website.
The Internet Society is fully aware of the impact that fraudulent and nuisance calls have on Canadians. According to a study by Truecaller, Canadians receive an average of 12 spam calls per month. My personal experience tells me that number is far higher.
In the case of fraudulent calling and robocalling, such as the CRA scam calls, it's increasing for several reasons. It's inexpensive to do, has little to no consequence and sometimes, albeit rarely, is effective in defrauding innocent Canadians of their hard-earned money. Between the CRA scam calls and the endless calls for duct cleaning services, it has come to the point where people are hesitant to pick up for any unknown caller and have lost trust in their own telephones.
To give some background on my experience in this area, 13 years ago I was the chief developer and architect of Primus Canada's telemarketing guard service, which at the time was a major step forward in the fight against unwanted calls. Based on a community-driven list of known nuisance callers, it was very effective in stopping millions of telemarketing calls from reaching Canadians.
In the years since its development, however, the landscape has changed dramatically and systems that filter based solely on calling line ID are no longer effective. Bad actors now routinely spoof valid numbers or generate random numbers similar to that of the person they are calling, commonly known as neighbour spoofing.
This new wave of bad actors is exploiting principles wired into the DNA of telecommunications networks. They were built based on explicit trust between carriers and set up to make sure that calls get through no matter what. Carriers don't look at the content of calls before connecting them and multiple companies can touch each call, making identifying the source of calls a daunting, if not impossible, task.
On the surface, the solution to the current robocalling crisis may sound simple. Just forbid calling line ID spoofing. The solution, sadly, is never that simple. There are good feature-related, business-related and privacy-related reasons to allow call spoofing.
For example, imagine a women's shelter is trying to contact a domestic abuse victim at home, without the abuser knowing. They may spoof the client line ID to mask the source of the call so that it's not known to be coming from the shelter.
Other even more basic phone features, such as call forwarding or a business having multiple telephony providers, rely on the ability to set calling line ID dynamically. It's an integral feature of how the PSTN operates and something that cannot easily be disabled without significant collateral damage.
As you heard earlier this week, the CRTC is working with the Canadian telecommunications industry to attempt to fight this problem on several fronts, including requiring calls to have valid calling line ID, directing the CRTC interconnection steering committee to develop a traceback process and directing carriers to implement the STIR/SHAKEN framework for the authentication and identification of calls.
Of all of these initiatives, the Internet Society is most interested in the deployment of STIR/SHAKEN for the identification of calls. Born out of technologies borrowed from the Internet standards working groups, STIR/SHAKEN promises to restore consumers' faith in calling line ID through the use of digital signatures placed in call metadata. When implemented fully, it promises to allow carriers to identify the source of calls in real time and could easily filter parties that are spoofing known numbers such as the CRA, RCMP and others.
The major challenge with implementing STIR/SHAKEN in Canada, and why we have been intervening in these respective CRTC processes, is that there are serious policy, technology and privacy issues that have not been addressed yet with this technology.
First, on the policy issues, STIR/SHAKEN standards were developed by the Internet Engineering Task Force and then adopted by several large U.S. providers for use within their own networks. Since this adaptation was done by large carriers, several early policy and design decisions were made that benefit large carriers at the expense of smaller ones.
The largest of these decisions was to limit the ability to fully attest to the identity of the call to the phone company that owns the number. While this seems logical, ownership of phone numbers is not as simple as it sounds. There are over 1,200 entities registered with the CRTC as resellers of telecommunications services. These are generally telephone service providers, or TSPs, that operate without owning any of their own phone numbers. Instead, they rely on wholesale access agreements with larger providers. These providers deliver valuable telecommunications services to Canadians, including services such as business-hosted PBX platforms, residential over-the-top services and other innovative voice products.
The CRTC, as you know, has asked all telecommunications providers, including the non-facilities-based providers, to implement STIR/SHAKEN.
These smaller carriers will be placed at a major disadvantage when the standards and policies developed to date are implemented, if no changes are made. Without the ability to fully sign their own calls, they will be viewed as “lesser” than larger carriers. Over time, this may cause customers to move their business to larger carriers who can provide full attestation for all calls, thereby creating a two-tiered telecommunications system in Canada, of those who can sign and those who cannot. Were this to happen, it could destroy years of competitive gains and innovations made by smaller carriers.
On the technology issues, STIR/SHAKEN poses a challenge, as it requires carriers to interconnect with each other over IP-based interconnections using SIP. While the smaller providers I earlier referred to generally interconnect with their upstream carriers using the SIP technology, the interconnections among Canada's larger carriers are mostly based on legacy TDM-based interconnections. It's almost ironic that the smaller, SIP-based carriers who are best suited to deploy this technology are being left out of the process, but that's the reality of the Canadian market today.
Finally, the Internet Society has some very serious concerns around consumer privacy as it relates to STIR/SHAKEN. Once calls are digitally signed, terminating carriers will have rich, verified data on the source and destination of calls. The promise is that this will allow telecommunication service providers to develop solutions like Telemarketing Guard, but ones that don't just look at the calling number but look deeper, into such things as the source carrier. This is analogous to spam filtering in the Internet space. Analytics are built not just on the source address, but on the reputation of the networks that traffic has traversed.
While this all sounds wonderful, it poses several issues for the privacy of Canadians, as some carriers have opted to outsource this analytics function to third party commercial entities. With this data, these third party companies could easily augment existing commercial data sets to build even more detailed profiles of Canadian households. For example, you could infer from the data collected that a given household was calling for takeout every night, and that data would be valuable to a life insurance provider who might view that as an unhealthy lifestyle and an increased risk factor.
In conclusion, while this may sound as though we oppose the deployment of STIR/SHAKEN, the opposite is actually true. We firmly believe that the introduction of these technologies into the Canadian telecommunications networks is a much-needed step forward to restoring consumers' faith and protecting them from fraud. We just want participants to be mindful that we need to ensure that this technology is implemented correctly and in an open and transparent fashion. As with other Internet-based technologies, we must ensure that all players, including small telecommunications providers, can participate on an equal footing.
Finally, and above all else, we need to ensure that any technology deployed has strong privacy safeguards built into its DNA. As we have learned from the Internet, trying to augment a system for privacy after it's deployed is like trying to repair a plane in flight: It's an impossible task that should be avoided at all costs.
I thank you for your time and I welcome any questions.
Thank you, Madam Chair, and honourable members.
My name is John Lawford, and I am executive director and general counsel at the Public Interest Advocacy Centre here in Ottawa.
PIAC is a federally incorporated non-profit and a registered charity that provides legal and research services on behalf of vulnerable consumers' interests concerning important public services.
PIAC regularly participates in proceedings before the CRTC and represents consumer interests in retail banking and payment systems with the FCAC, the Department of Finance and the OBSI.
Consumer fraud is a hot potato. Companies avoid it because they do not want the risk of liability for the fraud. Police have insufficient resources to address its overwhelming size and daunting technical complexity, which changes with each vector. Regulators like the CRTC define their jurisdiction narrowly to avoid being responsible for the problem, viewing it as an operational black hole.
On an individual level, fraud is humiliating and often devastating. We naturally avoid this issue like we avoid discussing poverty because we recoil from the obvious injustice and pain that is inflicted on the victims. Avoiding a problem never makes it better, though, so we commend this committee for insisting that we take a look at one aspect of fraud in today's committee hearing, phone fraud.
The statistics we do have about the scope of the “fraud problem” are so fragmentary as to themselves pose a problem for dealing with the problem. There is no definitive and official source for them. We have recent data from the Canadian Anti-Fraud Centre that show about 46,000 reports were made in 2019, with 19,000 victims and a loss of around $100 million.
The calls to CAFC largely covered fraud committed over the phone and Internet. However, the FCAC, for example, cited 15 million fraud victims losing $450 million in 2007, likely including other types of fraud, including in person, but more reliable or current numbers are scarce. The CRTC, for example, only has numbers of complaints made in relation to the do-not-call list and not specific fraud numbers.
However, PIAC believes, based on its work in the sector, that the scope of fraud committed by telephone is one to two orders of magnitude higher than CAFC numbers. That's voice and text fraud, in part using regular phone numbers, but leaving aside Internet-based scams you might get on your mobile phone.
It is also our belief, based on direct contact with consumers and with seniors and low-income groups such as the National Pensioners Federation and ACORN Canada, that phone fraud both specifically targets and inordinately affects seniors and low-income Canadians, some of whom may be newer Canadians. They can least afford to suffer a fraud.
I will not be addressing number porting or SIM swap fraud. It's a recent concern that requires urgent attention, though. Shortly you will hear from Randall Baran-Chong, who is both a victim of this fraud and an eloquent advocate for fixing this devastating hack. I will leave it to him to describe. However, I do note that PIAC has called for an open public hearing at the CRTC with consumer groups, wireless users, CWTA and major providers. However, so far the CRTC and CWTA have refused to have a public inquiry.
Instead, I want to talk today about good old phone fraud, getting a victim to answer their phone, home or mobile, and engage in a conversation with a fraudster which culminates ultimately in the victim transferring money to the fraudster or revealing so much personal information that the fraudster can then transfer money himself, without the victim's knowledge. This sort of fraud can be catalyzed by the spoofing of numbers or call display names to mislead consumers into thinking they are receiving a call from a legitimate agency such as a government department or a local police office number.
However, what makes for really good old phone fraud is volume and automation. The more calls made, and the more efficiently made from the scammer's viewpoint, the more likely it is to ensnare a victim.
I can tell you that billions of calls are made a year to Canadian numbers, and at least tens of millions of those calls are stage one fraud robocalls. Here's how it works. A program written by a fraudster calls thousands of phones in an hour usually with a spoofed originating phone number. No people are involved. Now multiply this by many programs, computers and other scammers doing the same thing and targeting multiple area codes and you get the idea.
In stage two, however, the potential victim answers and does not hang up but listens to the recorded message, possibly because they trust the source, fear the source or are simply lonely and looking for some human contact. If the victim presses “1” to hear the message, a live fraudster walks the victim through the fraud to the point of money transfer.
Robocalls are just fishing lines flung out to the sea of phone-owning humanity. The secondary calls with a live agent are vastly smaller in number. This smaller number is still very large; we just don’t know how large. That is where the fraud takes place.
What's new? What's changed in this area lately to give you the impression that we have a phone fraud epidemic? “Epidemic” is a bad word today. Why are more and more Canadians, especially seniors and low-income Canadians, falling victim to phone fraud?
The answer is that the phone system has been technologically democratized. In the past, to dial multiple numbers, a knowledge of the phone company’s network software was required. This software allowed only a certain throughput of dialed numbers. Now almost the entire phone system runs on Internet protocol. This allows many millions of calls to be made to many millions of numbers and transmitted by a small number of computer operators.
While IP-based telephony has allowed new competitors and services, it has allowed fraud to balloon, in part due to the possibility of spoofing numbers with IP, which is harder than with the old software. The bottom line, so to speak, is that with more fishing lines come more hooked fish.
The phone industry, especially legacy carriers such as Bell Canada and Telus, knows this reality all too well, as does the CRTC, which at least views nuisance robocalls as within its telemarketing jurisdiction. It deals, at least in part, with numbers on the do-not-call list. They are all working together on the spoofing part. The CRTC already requires them to block obviously spoofed numbers such as 000-000-0000. They are all working on implementing the STIR/SHAKEN protocol you just heard about, which really works only on entirely IP-based calls. All it really does is provide a confidence rating for each call. That is, it allows the recipient software to automatically block these likely robocalls. Both of these measures will help, but they will not totally stem the tide.
However, there are also new network-level blocking technologies, like those developed by Bell Canada, which has now applied to the CRTC to allow this. They claim to use AI-based algorithms to identify likely robocall sources, along with some confidential extra fail-safes that they have promised, and then to block all such suspicious calls that are transiting Bell’s network. Bell's network is vast in Canada.
While this does raise concerns from other carriers that must use Bell’s network to connect calls and it concerns legitimate customers who may have their calls illegitimately blocked, it does attempt to address the volume aspect of our problem. It attempts to use automation against automation. We believe it is likely, on balance, a positive development, but will it be sold to us or offered for free?
Last, what is missing to combat the actual content of fraud calls is more authority in this area for the CRTC. We suggest looking at the U.S. Telephone Consumer Protection Act, and a dedicated anti-phone fraud act, for example, one more akin to the Telemarketing Consumer Fraud and Abuse Prevention Act in the United States. In this regard, we also noticed that the broadcasting and telecommunications legislative review report seems to have missed a chance to recommend amending the Telecommunications Act to give the CRTC more authority to deal with fraud calls or to recommend a dedicated anti-phone fraud act, whether administered by the CRTC or perhaps by the new data commissioner.
We also need a better, more centralized, comprehensive and reliable set of phone fraud and Internet fraud-related statistics and reports to be gathered and publicly released at regular intervals. Finally, we need continual oversight and democratic encouragement by Parliament of work on phone fraud. It is too important to allow this game of hot potato to be played between regulators, companies and the police.
Thank you very much.
The baseline is, let's block calls that come from an obviously wrong number. Everybody accepts that. That's done.
The second level is this STIR/SHAKEN stuff. What the big companies don't like is that this is a protocol that you just run on any third party app or on your phone. It will block calls. The calls get tagged as suspicious. Then it's up to you whether you want to block them or not with your software and how you set it.
Phone companies don't necessarily make that much money on that, but it works fairly effectively. There may be problems with how it's implemented transparently and equally. But we'll leave that aside for now. STIR/SHAKEN is what should fix things. It doesn't—they're quite right—catch calls that go outside IP and go through the phone legacy networks. But let's leave that aside, too.
What Bell and Telus are both doing at the network level is...systems that have a sort of different approach. Telus will require a caller to punch in extra numbers in an effort to put a speed bump there. I believe you can get around that if you're a good programmer. It may or may not work. They may or may not be selling that to other providers or to other people who have an involvement with the phone system. They may be selling it directly to customers. The end game, I think, is that they probably want to sell it to customers.
Bell has a different approach, which is network-level blocking which comes with more concerns about how it's being blocked, why it's being blocked, what the system is. That's the secret proceeding going on at the CRTC right now. I think Bell would also like to sell it to consumers at the end. But I don't know. They have the control, as was mentioned, unlike some other carriers because most stuff transits their networks.
My name is Kate Schroeder. I am a board member for the Canadian Network for the Prevention of Elder Abuse, which is also referred to as the CNPEA.
The CNPEA is a pan-Canadian network supported by leaders in the field of aging, research, health care, and elder abuse prevention and response, among other matters. The CNPEA connects people and organizations, fosters the exchange of reliable information and advances programs and policy development on issues related to preventing the abuse of older adults. We do this at local, regional, provincial-territorial and national levels through our knowledge-sharing hub at cnpea.ca.
We are pleased to have this opportunity to bring to light the challenges and impacts of fraud calls on older adults in Canada. The CNPEA's work focuses on gathering and disseminating adaptable resources, best practices and current research and policy development by Canadian expert stakeholders in order to increase our collective capacity to address and prevent the abuse of older adults. The following comments and recommendations are based on the extensive work of some of these experts.
Fraud calls are an attempt to deceive an individual to gain control over some aspect of that individual's life, whether financial or related to identity or some other aspect. These types of criminal attempts have an impact upon all Canadians, regardless of age, race, education or background. Vulnerable health, fledgling finances and a rarefied social network, among other factors, can heighten the risk of falling victim to potential scams, and this risk only increases as individuals age.
The rapidly shifting demographic in Canada is having impacts upon all aspects of our country and its economy. By 2031, some 23% of Canadians will be over the age of 65. By 2061 there could be 33% more seniors than children living in Canada. This shift is already presenting us with troubling new statistics in relation to fraud, and we expect these statistics to continue to increase as our population ages, since seniors are often identified as easier targets.
As of February 29, 2020, available statistics from the Canadian Anti-Fraud Centre indicate that so far this year there have been 7,804 reports of fraud or attempted fraud, and year to date over 4,119 Canadians have been confirmed victims of fraud, with more than $9.2 million lost.
According to the Canadian Anti-Fraud Centre, phone scams defrauded Canadians of an estimated $24 million between January 1 and October 31, 2019. Available statistics indicate that losses experienced by older adults account for as much as 25% of the total losses related to reported fraud and that this number is rising considerably.
The troubling aspect of these numbers is that they only reflect the fraud that's been reported. From available studies we know that the rate of fraud reported may be as low as 13%, often because older victims are afraid or ashamed to be deemed incompetent or otherwise deficient for falling prey to these calls.
Fraudulent calls are running rampant across Canada. Current scams include but are not limited to phone spoofing scams—numbers that imitate legitimate phone numbers—Canada Revenue Agency scams, grandparent scams, warrant calls, free reward calls offering trips and cruises, natural disaster scams, technology scams.
The grandparent scam, technology scam and the Canada Revenue Agency scam may be more likely to affect older adults. One major factor contributing to this is social isolation, which is considered a heightened risk factor for elder abuse in general. Isolated adults craving human connection, missing their family or lacking a support network may be more likely to fall for these scams and be more easily preyed upon.
The reasons that older individuals fall for these scams are often complex and interconnected. Potential risk factors that put individuals at greater risk may include the recent loss of a loved one; the lack of a support network; social isolation; economic insecurity; poverty; potential cognitive impairment; lack of awareness or understanding of the nature of these calls; and sophisticated, ever-changing technology.
Falling for these scams often leads to individuals feeling stigmatized. The complicated process of reporting and investigating these types of fraud lessens the chance of individuals completing the reporting process.
Some of the issues we've noticed that impede the reporting process are the fear of appearing incompetent; the fear of having their autonomy or decision-making abilities questioned; the fear of admitting to their children or loved ones that they made a mistake, as talking about money and technology often can be a fraught experience in families between parents and children; the potential lack of awareness of where to report; and, the potential to encounter ageism when trying to explain their situation.
What we are certain of is that these types of fraud calls are on the rise and are impacting all Canadians. Solutions must be unique and intergenerational in approach as well as collaboratively arrived at between private and public sectors, consumer groups, financial agencies and law enforcement. Some of the biggest keys to prevention and detection are awareness, education and easy access to reporting, as well as a respectful and informed approach to communicating with and supporting older victims.
Our overall recommendations from the CNPEA include the following: to develop awareness campaigns in all forms—social media, web based, print, TV—to help people, regardless of age, to understand the different scams and forms of fraud currently circulating; to support and promote bystander intervention training programs at financial institutions, law firms and other consumer groups; to support the development of programs not only to help Canadians navigate the complexities of reporting fraud but to markedly improve the access to support after reporting to prevent revictimization; to encourage the development of awareness and support programs that are accessible from home or other living arrangements; to improve access to regular and affordable transportation in rural areas to prevent social isolation and to facilitate access to necessary resources; and, ongoing proactive communication from various stakeholders—CRA, banks, telecommunication companies, senior service providers—to provide updates on current scams impacting older adults.
Thank you.
Good afternoon. My name is Randall Baran-Chong. I’m an entrepreneur from Toronto, hence why I wanted to articulate myself through a PowerPoint.
I'm here to represent Canadian SIM-swap Victims United, a grassroots organization of victim advocates from across Canada and across all walks of life, formed as a result of what’s described as one of the phone frauds that experts fear most. As victim advocates, we take our harrowing experience into hope for greater awareness, combine that with expert advice, and engage industry and leadership like you to promote action, with the sole objective of not adding another name to our roster.
Though my story starts back at the end of October 2019, this really begins back in 2007, with one of your former colleagues, Maxime Bernier, minister of industry at the time, announcing wireless network portability. In essence, what that was all about was to provide consumers the power to essentially vote with their dollars in terms of moving from carrier to carrier without being encumbered by losing their number.
It was all about empowering consumers and their choice to go to the carrier they wanted, but while well intended—like the road to hell, it was paved with good intentions—it led to the hell that many of us victims know as the SIM swap scam, also known as the unauthorized customer transfer or unauthorized porting. What that essentially describes is the transfer of someone's phone number from their own SIM to another SIM without the authorization of the account holder.
Let's dissect generally how SIM swapping works. The vast majority of SIM swaps are financially motivated. These fraudsters begin by doing their homework to gather the goods. What I'm referring to is the fraudsters getting a real understanding of who these victims are at a personal level and trying to find some identifiers about them, but really, if they're trying to do it through an unauthorized porting, they want to get the key pieces of information that are required to execute the port. These are, first, the phone number itself, and then one of the following, as described by the Wireless Network Portability Council, which has defined these rules: the account number of the holder, the device ID or a PIN. If you think about it, you only need the phone number plus one of those identifiers, and the phone number is highly accessible for most of us, so you already have half the job done.
How do you get the rest of it? This is where the methods of these fraudsters take place.
One of the major methods they use is social engineering, which means taking advantage of the human fallibility of the customer service reps. Oftentimes, they'll pretend: “I'm the customer, I lost my phone, I desperately need to get a phone back.” They'll play the system. They might even say that they forgot their PIN and will provide other types of information that are even more accessible, such as postal code or maiden name and things like that, to get around it and get access to the porting information.
They'll use phishing, fake phone numbers or fake emails purporting to be from Rogers and saying to enter your account number, but it's really the hacker who is getting your information. They can also use social media to find personal information about the person and, recently, even through data leaks. Telus and its flanker brand Koodo announced that their customers from 2017 and prior had their account information compromised by an unauthorized user, and they all had to get port protection put on their accounts.
Finally, and most nefariously, they have inside employees. This is something that we've seen in the United States, where employees at companies like AT&T and T-Mobile actually sold account information for $20 or less to these fraudsters.
That is how they execute the port.
Now that they have the information, what they'll often do is get a prepaid phone account. There's no identification required to get a prepaid phone because of PIPEDA; it's essentially untraceable to these people. Now that they have the information, they'll call and execute the port with that carrier and, under the CRTC decision from 2005, this has to be executed within 2.5 hours or less.
I saw on Tuesday that one of you got a CRA scam text, and I hope you never see on your phone that your SIM is no longer in service. That's how the victim finds out that they've been ported over. The victim has not really been involved. When I had mine happen, it was at 11:40 at night, and I suddenly saw that my phone was no longer working. I thought it was technical, but it turns out that I was being ported.
From that point forward, any calls that are outbound or inbound—texts, anything like that—are in the possession of the fraudsters themselves. For this next stage, which we call “forget it and reset it”, I'm sure many of you have text-based factor authentication with your social media accounts, bank accounts and things like that. If you forget your password, you click on “I forgot my password”, and it will send you a text for a one-time password to reset your password. Then, essentially, they can redefine the password.
Now that the fraudster has your phone number, they are receiving those texts or calls, and they are going in and locking you out of your very own account. It then comes to the plundering. Oftentimes, these fraudsters will work in teams to create this havoc. It manifests itself when you see emails flooding into your inbox saying that your account password has been changed and a new contact has been added to your account, and all you can do is watch.
In my particular case, which happened at night, as I've mentioned, I called my carrier and was told, “Thank you for calling customer service. Our hours are from 8 a.m. to 8 p.m., Monday to Friday.” They put up a 12-hour defence for an enemy that fights a 24-hour war. To get the phone number back, it oftentimes takes several hours or, in some of the cases we've seen, up to a few days.
How is the damage done? There are three key ways in which they try to take advantage of this. One is the direct theft. In particular, crypto is a flavour they prefer, because it's very hard to trace them afterwards, but there are average victims, such as the Johnson family of Peebles, Saskatchewan, who lost hundreds of thousands of dollars from their farm account. Others take advantage of the apps that have credit cards linked to them, as in the case of nurse Sheila O'Reilly from Oakville.
In my case, they tried to extort and blackmail me. They got access to my cloud drive. Essentially, as a small business person, with my small business account and my personal account all being on this cloud drive, five years of my life are now in someone else's hands. I told this story to someone in the United States who lost a million dollars—90% of his life savings—and he said, “Your offence that you had against you was much worse.” He feels bad for me.
Oftentimes what they'll do is take this data and monetize it on the dark web for the low, low, low price for log-in credentials of $20 to $120 and to $3,000 for full identification. In other cases, they will take over accounts. Jack Dorsey, for example, the founder of Twitter...if the founder of Twitter can be a victim of a crime like this, who amongst us is safe? Even celebrities such as Mariah Carey and Adam Sandler have been victims of this. In other cases, they target accounts that have desirable user names. There's a man in Toronto named Jack Hathaway, who lost his Instagram handle “cosplay”, which is a highly valued target.
Unlike things like phone spoofing or these other frauds that you heard about earlier, these aren't necessarily done from call centres overseas that we feel we're helpless to take action on. As recently as November an arrest was made of an 18-year-old from Montreal who has participated in the theft of $300,000 from Canadians and over $50 million from Americans.
What this really demonstrates is that these aren't sophisticated programmers, hackers and coders who are doing this. These are the people who know how to play the game. These are commonly done—in the arrests that have been made in the United States, for example—by people under the age of 25.
We came to the realization that our phone numbers are our new form of identity. Our SIM is like our new SIN, and security is as strong as the weakest link, whether it's technical or human. Finally, when it comes to unauthorized porting, it can have lifetime impacts, so we need to change the way we think about these things.
How is it being dealt with elsewhere? In the United States, they're treating it as a national security risk. In places such as Africa, they're using co-operation between the banks and the telcos to identify fraud risk. In Australia, they have actually taken regulatory action to introduce pre-porting processes to identify whether or not you have actually validated the requests. They've even introduced buy-ins for telcos that don't comply with the authorized porting process.
In terms of what we think, from the Canadian perspective, first, there need to be changes to the regulations and something similar to what Australia has done with pre-porting authorization needs to be introduced. It's as simple as getting a text from the new carrier that says, “Did you request this porting over?” With what Australia introduced, essentially you have to get either a call or a text from the new carrier. Let's say your phone is actually legitimately stolen. Then you have to go into a store to actually provide government ID to validate that it's you and that you are executing the port. But as John Lawford from PIAC kind of alley-ooped me there in setting things up, there needs to be more transparency as well around the process.
The CWTA has requested that a lot of the information about processes be redacted or not shared, but it's widely known within cybersecurity that security through obscurity doesn't work. As an example of that, one of the things that Rogers did was to text people to say, “We received a request that you wanted to port your phone number. If it wasn't you, call us.” This fails on three different levels.
First, there are instances when people, because of the distrust that's been caused by all these frauds, think that it's a fake text in itself, so they just ignore it. Then the port still gets executed within that two and a half hours. In the second case, there have been instances of people trying to reach them through the hotline and they are never able to get through. One port was executed within 12 minutes of receiving the text. In the third case, if a really smart fraudster looks at it, they'll look at your social media, find out when you're on vacation, and then execute the port so you don't even have your phone on you.
There are obvious ways in which we can at least temporarily get rid of this, and then we need to move away from SMS-based two-factor authentication entirely.
First of all, Ms. Schroeder, from listening to the testimony that you presented, I think one of the things is that once a senior has been duped, no matter what the situation is, there's always that fear that the kids are going to say, “Well, you can't handle your money so we're going to have to look after it for you.” I really think there has to be more of a campaign, a “you are not to blame” campaign, because we can see this happening all around.
I think that's one of the things you were alluding to, but I'll just try to say it a little more bluntly. I really think that's something we should think about in our discussions.
Mr. Baran-Chong, you talked about various things that we can do, and as I mentioned before, with the seniors, I think investing in public education is worthwhile, so that those folks understand that.
You did have a section on this, the Canadian call to action. You've talked about how the CRTC doesn't seem to be interested, and you just mentioned how the telcos seem to be hiding their heads in the sand as well.
What would you suggest, in the next minute and 10 seconds, that would help us in that regard?