Good morning. Last night I was hacked. I have been able to get everything under my control again. Or so I think. It might be a few days before I stamp out all the issues. But the major combat operations are over. Now it’s mopping up. Let me walk you through what happened.
At just after 11 pm last night, I got a text message from Rogers, my cellular provider. I didn’t see the message for 19 minutes. The message said my number was being transferred to another carrier and I should call them ASAP if this was bogus. I called them ASAP. Too late. +
The problem is that the hacker was smart. By “porting” my number to his/her control after 11 pm, they caught Rogers and Bell (where they number was ported) with their pants down. There wasn’t anything that could be done until 0700 eastern this morning. No defence for 8 hours. +
They also had an email addy for me. Old but valid. And with this email and my cell number, they were able to pull off two “password reset” frauds and take control of my uber and PayPal accounts. So I’m sitting in Toronto watching as my hacker goes shopping and orders McDonalds. +
They did not get control of my email or social. And my first call was to my bank to shut down all payments and activity. But it still took me hours to get all that shut down. All in, they got me for about $400 worth of various purchases.

Most of those are already reversed. +
Anyway. This was annoying but the damage seems contained. I have control of my main accounts again. And the ones I don’t control are frozen.

Now I just need to go unsubscribe from 47 newsletters. Which is the insult added to injury. +
However. This is obviously a ridiculous system. Once Rogers was able to get me someone to help, it only took 45 minutes to get my cell number back to me, and put added protection on my number and my wife’s so this can’t happen again. But for eight full hours, they were helpless.+
I understand why the carriers want it to be seamless to move your number from one company to another, and I was told the CRTC has actually made it difficult to impose any restrictions, including those for security. But this is obviously unacceptable.+
Why not have the various telecoms agree to some jointly operated center that is staffed 24/7 and has the necessary technical and regulatory ability to reverse, instantly, obvious instances of fraud?

Or why not just decline to port numbers at 11:07 in the fucking evening? +
In short: a system cannot be designed in a way that allows fraud to be committed at a time of day during which it is IMPOSSIBLE TO COMBAT IT.

It’s like NORAD only watching for incoming missiles M-F, 9-5.

They’d just bomb us at dinner time.

You can follow @mattgurney.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: