I arrived home after my family vacation to Disneyland in October. I noticed my cellphone bill was quite large, and assumed it was all the awful roaming charges Rogers (and other Canadian cellphone carriers) charge you when you go the U.S. I grumbled (particularly because we tried so hard not to use our phones when we were there), and forgot about it.
I noticed another large invoice on my cellphone in November, and decided to check my bill. I couldn’t find it, so I went on to other things and forgot about it.
In December, right before Christmas, I got a call from the cellphone company that my payment to my account had been declined on my credit card. I told them to try again in a few days, after my payment processed, and went about doing Christmas things.
In early January, they called again – they were trying to process over $800 in charges on my card, after putting through a similar amount in December. I still hadn’t received my bill since September.
Something was terribly wrong!
The Rogers operator asked me who in my family makes all the calls to Australia. Nobody in my family calls Australia.
Then she asked me how many phones I have on my account. I told her I had 2 phones, and she told me I had 5. The “fraud department” would call me back.
Somebody had “hacked” my cellphone account. I immediately freaked out. Was I in for a full-blown identity theft? I started checking and double-checking everything.
When I got a call back from Rogers’ fraud department, I put a secret passcode on my account – an optional feature I was never made aware of. I asked how on earth this could have happened.
This was when the lightning bolt hit.
Without a passcode, all somebody needs to pretend to be you is your full name, phone number and date of birth.
My response: Are you serious?!? (I would have felt OK about a colourful adjective at this point, if I was more inclined to that sort of thing, but my mother taught me better.)
Now for those who don’t know me very well, you’ll know I’m something of a social media evangelist. I give presentations about it, helped found the local chapter of Social Media Club, and otherwise help people understand the technology. Naturally, I’m also an avid user, and use Facebook daily.
Absolutely everything the hacker needed was on my Facebook profile.
But that doesn’t even mean they got it from Facebook. The fact is, it’s pretty easy to find out somebody’s name, phone number and date of birth without Facebook. Perhaps I should have been smarter about it, but I think I can be forgiven for assuming a company like Rogers Wireless would have higher standards of identification.
It turns out that the crook(s) changed my address on the account (twice, apparently, and to invalid addresses), discontinued paper invoices, ordered 3 new phones, and charged up a tonne of long distance on them. This despite Rogers’ fraud department indicating that they very likely just wanted the phones.
The good news is that the Rogers’ fraud department person was very helpful, and ensured me that I will get all the money back, and receive a full account of the phone service charges (and refunded charges) very soon. (Of course, I had over $1,000 “in limbo” for several months, while I awaited the paper invoice that was never to come.)
The bad news is that these punks probably won’t get caught, and probably won’t go to jail. Rogers will report the crime to police, but apparently they are rarely caught.
The moral of the story, if you haven’t already done so, is:
CALL YOUR WIRELESS COMPANY TODAY AND ADD A PASSCODE TO YOUR ACCOUNT.