
Rogers HUGE Security Flaw

tehnatural
I Plan to Stick Around

Our new data cycle had started less than two weeks ago when I received a text message saying that for our protection our data had been disabled as we had gone way over our plan. Wanting to see what was going on I immediately signed into my account at Rogers to find out a new phone had been added to our account 3 days prior to that message.

 

Clearly someone was able to add themselves to our account. After talking extensively with a manager we found out the first time that they called they were unable to answer the security question the FIRST time they called. The NEXT time they called, approximately 10 minutes later, they had an answer to the security question (my wife's date of birth).

 

This person with only having information on my wife's date of birth was able to:

-ADD A NEW PHONE.

-change the email on the account so we would not be notified of changes.

-CHANGE OUR PLAN

 

None of this was a red flag? Adding a new phone, changing data plan, changing the email address associated to the account minutes after failing the first security screening and they clearly were not calling with any number associated to the account.

 

Furthermore, since they changed our plan and that our plan is no longer available Rogers said they were unable to put us back on our previous plan. Seriously?

 

Rogers please take account security seriously, this is a huge failing on your part. The screening questions need to be far more in depth and complex with changes of this magnitude. They were literally able to change everything with our account with such limited information. We are now unable to get our plan back because of this failing; it's really unfair to us and really unfair to you as well. Ask more questions during the security screening especially when it comes to adding new phones and changing contact information.

 

CONSIDER THIS:

If they didn't exceed the data portion of the plan who knows how long it may have taken for us to even find out changes had been made.

 

Further reading: Rogers passes your information to YAHOO to set up an email through YAHOO. Information such as: your D.O.B... YAHOO was exploited in 2014 for this information on only a very small amount of people (500 Million); with such a small amount of people affected it is understandable now why the security question asked to make all these changes to our account was my wife's DOB - it's so secure.

 

'Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, DATES OF BIRTH, and encrypted passwords.'

https://en.wikipedia.org/wiki/Yahoo!_data_breach

 

^ they have your name and date of birth forever now. This is now a horrible security question... This is a huge pool of information to pull from please adjust accordingly.

 

 

***Edited Labels***
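The sequence described in the post above (a failed security question, a pass about 10 minutes later from a number not on the account, then a new phone, an email change and a plan change) can be written as a hold rule over call-centre audit events. This is an added example, not Rogers' system or any poster's code; the event fields, action names and the 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumed names: these action labels and fields are illustrative, not a real carrier schema.
HIGH_RISK = {"add_line", "change_email", "change_plan"}
RETRY_WINDOW = timedelta(minutes=30)  # assumed threshold for "pass shortly after a fail"

# Constructed sample data (fictional phone numbers and dates).
NUMBERS_ON_FILE = {"A1": {"555-0100"}, "B2": {"555-0142"}}
EVENTS = [
    {"ts": "2000-01-10T14:02:00", "account": "A1", "caller": "555-0199", "action": "kba_fail"},
    {"ts": "2000-01-10T14:12:00", "account": "A1", "caller": "555-0199", "action": "kba_pass"},
    {"ts": "2000-01-10T14:15:00", "account": "A1", "caller": "555-0199", "action": "add_line"},
    {"ts": "2000-01-10T14:17:00", "account": "A1", "caller": "555-0199", "action": "change_email"},
    {"ts": "2000-01-10T14:20:00", "account": "A1", "caller": "555-0199", "action": "change_plan"},
    {"ts": "2000-01-10T15:00:00", "account": "B2", "caller": "555-0142", "action": "kba_pass"},
    {"ts": "2000-01-10T15:03:00", "account": "B2", "caller": "555-0142", "action": "change_plan"},
]

def changes_to_hold(events, numbers_on_file, window=RETRY_WINDOW):
    """Return (account, action, reasons) for high-risk changes that should be
    held for stronger verification instead of being applied on the call."""
    last_fail, session, held = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, acct = datetime.fromisoformat(e["ts"]), e["account"]
        if e["action"] == "kba_fail":
            last_fail[acct] = ts
        elif e["action"] == "kba_pass":
            reasons = []
            # Red flag 1: the question was failed, then answered within the window.
            if acct in last_fail and ts - last_fail[acct] <= window:
                reasons.append("pass_after_recent_fail")
            # Red flag 2: the calling number is not one registered to the account.
            if e["caller"] not in numbers_on_file.get(acct, set()):
                reasons.append("caller_not_on_account")
            session[acct] = reasons
        elif e["action"] in HIGH_RISK and session.get(acct):
            held.append((acct, e["action"], tuple(session[acct])))
    return held

if __name__ == "__main__":
    for acct, action, reasons in changes_to_hold(EVENTS, NUMBERS_ON_FILE):
        print(f"HOLD {acct} {action}: {', '.join(reasons)}")
```
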

7 REPLIES

Re: Rogers HUGE Security Flaw

RogersPrasana
Retired Moderator

Hi @tehnatural

 

Thank you for posting on the Community Forums.

 

We take our customers’ privacy seriously and understand your concern.  We do recommend that you change your information and add the extra option of a security question and PIN for your account.

 

We'd like to take a closer look into this for you, please send us a private message to @CommunityHelps the next time you are online to look into your account.

 

 

@RogersPrasana

 

Re: Rogers HUGE Security Flaw

Datalink
Resident Expert

@tehnatural this sounds like a case where a complaint to the Privacy Commissioner of Canada would be appropriate:

 

https://www.priv.gc.ca/en/

 



Re: Rogers HUGE Security Flaw

jand_ottawa
I Plan to Stick Around

I agree in light of the breach, the security/authentications process needs to be changed. If a CSR changes an email when speaking on the phone, the previous address should be notified, as well as by text.

 

All those saying - "just change your password", or "if you've changed your password since 2014 you're fine" - you are delusional. They got encrypted passwords. The bigger issue is they got your personal information attached to the account. DOB was never secure for a lot of people anyway due to Facebook and other social networking sites and member forums - even Yahoo user profiles from way back when - plastering birthdays all over the internet.

 

"CONSIDER THIS:

If they didn't exceed the data portion of the plan who knows how long it may have taken for us to even find out changes had been made"

Presumably, you'd have seen it on your next invoice...

Re: Rogers HUGE Security Flaw

jand_ottawa
I Plan to Stick Around

And don't forget any disgruntled co-worker or family member who has celebrated a birthday with you knows what your birthday is.

Re: Rogers HUGE Security Flaw

tehnatural
I Plan to Stick Around

Except they changed my contact email so the next invoice would have gone to their email and not mine, as I'm paperless it's my only point of contact. My bill payment is automatic. So it may have been a couple months since I would have to rely on a credit card statement with a huge change in billing.

Re: Rogers HUGE Security Flaw

This is one reason why I never enter in more information than is actually required.. I never enter in the DoB or anything like that, unless it's 100% necessary. In case that site is breached.. then only the bare minimum is taken.

 

 

It's the one problem with those security questions too...
You want to pick one that you will remember... but often then those are the ones that are more likely that someone else is going to be able to find it out/figure it out.

I try to pick the more obscure ones.. but then I am more likely to forget.




Re: Rogers HUGE Security Flaw

Meowmix
I'm a Trusted Advisor
Hello @Gdkitty @tehnatural @jand_ottawa

The problem is also that anyone could get your number and your birthday from any mail you send or receive and do not deposit properly (shred it into millions of pieces). Also the fact that some reps are known to do internal theft has happened to me before. In 2011 the same thing happened but the person changed the name, address, date of birth and account type. Thankfully at the time I knew a few people within Rogers and they got into it and changed it for me and got the fraud department involved. Later on after 8 pressed charges it was an internal rep which would collect customers' information and do this with someone else calling in and changing everything thus they could get phones without paying.

It can happen with anything you have.