What does Lum do to prevent SIM swap attacks?

ryan29
ryan29 Posts: 3 Lüm Member
edited February 7 in Community Help

I'm wondering what kind of policies / procedures Lum has to prevent fraudulent SIM swaps and if there's anything I can do to eliminate (or minimize) the risk of being the victim of a SIM swap attack.

Best Answer

  • H-Man
    H-Man Posts: 302 Lüm Super User
    edited January 2023 Answer ✓

    A SIM swap attack would require someone to obtain another Lum Mobile SIM card and transfer your service over, or port your number over to another carrier.

    Lum does not have any physical stores where one can walk in and buy a SIM card, so that acts as a strong deterrent to start. Also, there is no direct way of swapping the Lum SIM card over to another SIM; you would have to 'raise a ticket' in your Lum account. That is a second deterrent that works in your favor provided you have a strong password. Also, you should regularly check your email, as you would get notifications of any such activity.

    Secondly, to prevent unauthorized port-outs, Lum follows the same system all other carriers have adopted.

    "If you move your phone number to another provider, you are required to respond to a text message to authorize it."

    Alternatively, in your Lum Account Settings, you are given the option to bypass this:

    "If you don't have the mobile phone to receive the text - you can disable the text message here. It will be valid for 90 minutes."


    Since this setting is in your Lum account, you should always make sure you have a STRONG password for your Lum account and never share it with anyone.

Answers

  • Keith
    Keith Posts: 3 Lüm Member

    @ryan29,

    Securing your email account used with Lum is also crucial (IMHO). Should the email inbox associated with your Lum Account be compromised, the actor could request a "Forgot Password" on lum.ca. The password reset link sent to your inbox could then be completed by the bad actor. The bad actor, now knowledgeable of the password they just set, can log in to your lum.ca account and update your profile email address (denying you access to your lum.ca account), "Enable Bypass SMS" (allowing that person the ability to port the number to another provider without your explicit consent via an SMS message to authorize), or request a SIM swap via a ticket under your Lum account.

    This is not a unique concern; any service relying on the associated email address alone to secure their "forgot password" is potentially at risk of this abuse (should the associated email inbox be compromised). Think about all the other services you may have that are just one “Forgot Password” away from being reset. Ensure the email address account/profile associated with critical services (such as Lum Mobility) is secure.

    This is just my humble opinion of one abuse scenario. If there are differing opinions, thoughts, suggestions, or protection measures for "forgot password" abuses, be sure to contest/comment.

    As a Lum Mobile Member forum idea/suggestion, could Lum Mobile provide further account security measures, such as Two Factor Authentication (2FA), multifactor authentication (MFA), Universal Second Factor (U2F), etc.? I think these would be welcome features for Lum Mobile members wishing to further secure their lum.ca account, phone number, identity.

    And as H-Man said, "you should always make sure you have a STRONG" <UNIQUE> "password for your Lum account and never share it with anyone."
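
The abuse chain described in Keith's answer (password reset, then email change, SMS bypass, SIM swap ticket or port-out), written as detection logic over account audit events. This is an added example, not part of the thread and not Lum's code: the event names, account IDs, sample events and the 24-hour review window are assumptions; only the 90-minute bypass validity comes from the thread.

```python
from datetime import datetime, timedelta

# Hypothetical audit event names; the thread does not describe Lum's logging.
HIGH_RISK = {"email_changed", "sms_bypass_enabled", "sim_swap_ticket"}
RESET_WINDOW = timedelta(hours=24)        # assumed review window after a reset
BYPASS_VALIDITY = timedelta(minutes=90)   # bypass lifetime quoted in the thread

def find_takeover_chains(events):
    """Flag high-risk changes made soon after a password reset, and port-outs
    that land inside an SMS-bypass window opened after such a reset."""
    alerts, last_reset, suspect_bypass = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, action, ts = ev["account"], ev["action"], ev["ts"]
        if action == "password_reset_completed":
            last_reset[acct] = ts
        elif action in HIGH_RISK:
            reset = last_reset.get(acct)
            if reset is not None and ts - reset <= RESET_WINDOW:
                alerts.append((acct, "post_reset_" + action, ts))
                if action == "sms_bypass_enabled":
                    suspect_bypass[acct] = ts
        elif action == "port_out_requested":
            opened = suspect_bypass.get(acct)
            if opened is not None and ts - opened <= BYPASS_VALIDITY:
                alerts.append((acct, "port_out_in_suspect_bypass_window", ts))
    return alerts

def _ev(ts, account, action):
    return {"ts": datetime.fromisoformat(ts), "account": account, "action": action}

# Constructed sample events (not real Lum data).
SAMPLE_EVENTS = [
    _ev("2023-01-10T02:14:00", "A100", "password_reset_completed"),
    _ev("2023-01-10T02:16:00", "A100", "email_changed"),
    _ev("2023-01-10T02:18:00", "A100", "sms_bypass_enabled"),
    _ev("2023-01-10T03:05:00", "A100", "port_out_requested"),
    # B200: owner enables bypass with no preceding reset, then ports out.
    _ev("2023-01-11T09:00:00", "B200", "sms_bypass_enabled"),
    _ev("2023-01-11T09:30:00", "B200", "port_out_requested"),
    # C300: reset, bypass, but the port-out arrives after the 90 minutes.
    _ev("2023-01-12T10:00:00", "C300", "password_reset_completed"),
    _ev("2023-01-12T10:05:00", "C300", "sms_bypass_enabled"),
    _ev("2023-01-12T12:00:00", "C300", "port_out_requested"),
]

if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```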