Sim Scam and Identity Theft

Recently, a friend of a friend fell victim to SIM Swap Fraud. This type of fraud occurs when the perpetrator uses social engineering techniques to convince your phone company, the mobile provider, to re-provision your SIM or replace it and send the new one to the perpetrator. This renders your current SIM inoperable on the cellular network, and it may take time for you to discover this, since we spend most of our time connected via Wi-Fi.

Once the SIM is under the attacker’s control, that person can then scour popular social media, mail, and banking services and initiate a “password reset” or “forget password” process. Since they have your number, they can act as if they were you by intercepting SMS-based two-factor authentication, effectively stealing your online identity.

With the stolen identity, they can scan your emails to discover other sensitive items that may assist in further solidifying their access. For financial services, they can now log in as you and begin transferring your hard-earned funds out of your accounts, effectively stealing your money and assets.

We have all heard horror stories, such as those featured in TD Stories. However when someone that you know either directly or indirectly is affected, it really hits home, and you start asking how you can be further protected.

I have done some things in the past, such as giving out a secondary phone number managed by VOIP.ms, which was forwarded to my primary (hidden) cell phone number. However this ultimately proved ineffective, because there is just too much additional friction for services that really do require your actual mobile phone number, such as most financial services.

I have also created an account PIN with Koodo, my mobile network provider. This is a six-digit PIN that the service representative will authenticate before performing any account changes including a SIM re-provisioning or port to a different carrier. Note that this is different from the SIM PIN which just protects information on your SIM card.

After some research, I found that Koodo is now offering Port Fraud Protection. This morning I called Koodo and after about thirty minutes, I now have this protection on all of our phone numbers provided through Koodo. Your mobile provider may have a similar plan, and I highly encourage you to check it out and enrol if possible.

I also inquired about policies to prevent certain social engineering techniques while I was on the phone with the Koodo service rep. After our discussion, I can now summarize the current protection I have in place with Koodo.

I have a six-digit PIN on my service account. This means if anyone tries to impersonate me to change my account in any way, they will need to use my PIN. If they claim to have forgotten the PIN, they will need to provide a driver’s license or credit card information to validate. I am not comfortable with this, so I requested a special instruction to be added to my account. If a valid PIN is not provided, the service rep should instruct the caller (myself included) to visit the Koodo store to have the PIN reissue. This will ensure a face to face validation is performed with a proper photo ID check.

I also added the Koodo Port Fraud Protection, which essentially prevents anyone including the account owner (me) to “automatically and seamlessly” port my numbers. This will add some inconvenience if I want to port to another carrier in the future. I will have to call into Koodo and remove this protection first. It is just another step and barrier to anyone unauthorized trying to cause me harm, but for the sake of safety, I am willing to take on this minor inconvenience.

Even with all of this, the threat persists. We still rely on proper behaviour of Koodo employees who have the power to perform a SIM swap or provision. Unfortunately this is not within my control. Therefore, we still have to be diligent in reducing our threat surface. I would recommend the following:

  • Use a two-factor authentication scheme that is not tied to your phone number. It can be tied to your phone such as Passcodes or One-Time Passwords generated through a security application on your phone;
  • Reduce your withdraw limits and credit limits of your credit cards so that they are manageable in case they are lost;
  • If you are in a position to develop a personal relationship with your banker, then you should do so. They can alert you if they notice something strange is going on. They also add a personal touch by recognizing your voice and your behaviour in addition to the institutional security policies;

Good luck in reviewing your own circumstances and I hope you learn something here to strengthen your own SIM security and reduce the SIM Swap Fraud threat.

Note: Since my parents are on Virgin Plus, I thought I link to their policies as well.

Ontario and Quebec Road Trip

Carol’s nephew and niece is visiting us from China. We thought it would be good to take them on a road trip across the HWY 401 stretch and a bit of Quebec.

Attached is our final itinerary, and a video to summarize each day’s events. To play the video, just click on the video link in the Day title. For example:

Click the video tag in the PDF document to play each day’s video.

Ontario Services – Complicated

Approximately three years ago we created a holding a company in Ontario, Canada for the purpose of managing certain real estate investments. After some considerations, we have determined that this holding company is no longer required, so about a month ago, we decided to dissolve this company.

When we sent out an email requesting the dissolution of the company, we received the following response:

The above is the email response from Ontario.ca

On the surface we thought this is excellent news, because we will be able to do this all online. However upon visiting Ontario.ca/BusinessRegistry we were immediately lost after the initial login.

It took many tries to discovered this successful navigation path, so I wanted to document this for other users and for myself in the future.

The menu options on the left is not very helpful (see below). The obvious one is Ontario business registry under Account help, but this only provides a false, old guide to a PDF form that you can download and fill-out but is discouraged and rarely used now. The correct selection is the mysterious Add a service item.

Once you are in the Add a service page, you can then select the Start now of the Ontario business registry process.

This will bring you to a different site, which you can use to select Make Changes, and then further down File Articles of Dissolution.

The entire experience feels like the website was put together by multiple contractors, and totally user unfriendly. Yet another government service experience.

Sunroom Breaking Ground

Last year we engaged with Four Seasons Sunrooms to add a sunroom at the back of our house. It took about a year for us to finalize the engineering drawings, pass the Community of Adjust process with the city of Richmond Hill, and finally obtaining the permit.

Today we finally broke ground!

Below is a short video to remember this event.

Our backyard security video captured the event nicely.

Zhou Shen 周深 Concert

On Friday, Carol and I, along with our neighbours, attended the Zhou Shen concert at the Coca Cola Coliseum in downtown Toronto inside the Exhibition Place.

It was really exciting to see Zhou Shen in person. We all enjoyed his heavenly vocals. The three-hour concerts started at 8 pm without any intermissions. Time flew by really fast.

Below is a video of our experience.

Click on image to play the video

I would go to another Zhou Zhen concert again.

Linux Boot with No Networking

GLOTRENDS PA09-HS M.2 NVMe to PCIe 4.0 X4 Adapter

I recently wanted to install an M.2 NVMe to PCIe 4.0 X4 Adapter on an existing server. The idea was to install a new NVMe SSD drive, and the motherboard had no more M.2 sockets available.

The server is running Proxmox with Linux Kernel 6.8.12. I thought this should be a 15-minute exercise. How wrong I was. After installing all the hardware, the system booted up but there was no networking access. This was especially painful because I could no longer remote into the server. I had to go pull out an old monitor and keyboard and perform diagnostics.

I used the journalctl command to diagnose the issue, and found the following entry:

Feb 01 13:36:21 pvproxmox networking[1338]: error: vmbr0: bridge port enp6s0 does not exist
Feb 01 13:36:21 pvproxmox networking[1338]: warning: vmbr0: apply bridge ports settings: bridge configuration failed (missing ports)
Feb 01 13:36:21 pvproxmox /usr/sbin/ifup[1338]: error: vmbr0: bridge port enp6s0 does not exist
Feb 01 13:36:21 pvproxmox /usr/sbin/ifup[1338]: warning: vmbr0: apply bridge ports settings: bridge configuration failed (missing ports)

The above error message indicates that enp6s0 no longer exists. When I looked at earlier messages, I noticed this one:

Feb 01 13:36:15 pvproxmox kernel: r8169 0000:07:00.0 enp7s0: renamed from eth0

It looks like the interface name has been changed from enp6s0 to enp7s0. Therefore the correct remedy is to edit the /etc/network/interfaces to reflect the name change. Below is the new content of the file.

# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp7s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.188.2/24
        gateway 192.168.188.1
        bridge-ports enp7s0
        bridge-stp off
        bridge-fd 0

iface wlp5s0 inet manual

This would be very annoying if the old interface name was used in many other configuration files. There is one other reference that I found on the Internet (https://www.baeldung.com/linux/rename-network-interface) detailing a way to change the network interface name using the udev rules. I did not try this, but something to keep in mind in the future.

In a previous post and on another home server, I did fix the name using netplan, but Proxmox is not using it.