Our new data cycle had started less than two weeks ago when I received a text message saying that, for our protection, our data had been disabled as we had gone way over our plan. Wanting to see what was going on, I immediately signed into my account at Rogers to find out a new phone had been added to our account 3 days prior to that message.
Clearly someone was able to add themselves to our account. After talking extensively with a manager, we found out that the FIRST time they called they were unable to answer the security question. The NEXT time they called, approximately 10 minutes later, they had an answer to the security question (my wife's date of birth).
This person, with only my wife's date of birth, was able to:
-ADD A NEW PHONE.
-change the email on the account so we would not be notified of changes.
-CHANGE OUR PLAN
None of this was a red flag? Adding a new phone, changing the data plan and changing the email address associated with the account, minutes after failing the first security screening, and they clearly were not calling from any number associated with the account.
Furthermore, since they changed our plan and our previous plan is no longer available, Rogers said they were unable to put us back on it. Seriously?
Rogers, please take account security seriously; this is a huge failing on your part. The screening questions need to be far more in-depth and complex for changes of this magnitude. They were literally able to change everything on our account with such limited information. We are now unable to get our plan back because of this failing. It's really unfair to us, and really unfair to you as well. Ask more questions during the security screening, especially when it comes to adding new phones and changing contact information.
If they hadn't exceeded the data portion of the plan, who knows how long it may have taken for us to even find out changes had been made.
Further reading: Rogers passes your information to YAHOO to set up an email through YAHOO. Information such as your D.O.B... YAHOO was exploited in 2014 for this information on only a very small number of people (500 million). With such a small number of people affected, it is understandable now why the security question asked to make all these changes to our account was my wife's DOB - it's so secure.
'Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, DATES OF BIRTH, and encrypted passwords.'
^ They have your name and date of birth forever now. This is now a horrible security question... This is a huge pool of information to pull from; please adjust accordingly.
Thank you for posting on the Community Forums.
We take our customers’ privacy seriously and understand your concern. We do recommend that you change your information and add the extra option of a security question and PIN for your account.
We'd like to take a closer look into this for you. Please send us a private message to @CommunityHelps the next time you are online so we can look into your account.
I agree that, in light of the breach, the security/authentication process needs to be changed. If a CSR changes an email address when speaking on the phone, the previous address should be notified, as well as by text.
All those saying "just change your password", or "if you've changed your password since 2014 you're fine" - you are delusional. They got encrypted passwords. The bigger issue is they got your personal information attached to the account. DOB was never secure for a lot of people anyway due to Facebook and other social networking sites and member forums - even Yahoo user profiles from way back when - plastering birthdays all over the internet.
"If they didn't exceed the data portion of the plan who knows how long it may have taken for us to even find out changes had been made"
Presumably, you'd have seen it on your next invoice...
Except they changed my contact email, so the next invoice would have gone to their email and not mine; as I'm paperless, it's my only point of contact. My bill payment is automatic. So it may have been a couple of months, since I would have had to rely on a credit card statement showing a huge change in billing.
This is one reason why I never enter more information than is actually required. I never enter the DoB or anything like that unless it's 100% necessary. In case that site is breached, then only the bare minimum is taken.
It's the one problem with those security questions too...
You want to pick one that you will remember... but often those are the ones that someone else is more likely to be able to find out/figure out.
I try to pick the more obscure ones... but then I am more likely to forget.