In mid-October 2018, an unnamed hacker contacted Rogers pretending to be Felix Kimelman, a technology consultant who lives in the Toronto area. Though they failed Rogers’s voice-recognition test and gave wrong answers to the account’s security questions, Kimelman alleges in a lawsuit filed in an Ontario court, the hacker used Kimelman’s personal data to convince Rogers to reassign his phone number to a different SIM card. They then stole more than $200,000 worth of Bitcoin from an account Kimelman held with Coinsquare, a Toronto-based cryptocurrency exchange.

Rogers and Coinsquare are now involved in a legal battle over who bears responsibility for the hack. After Kimelman and his wife, Ella Zelikman, sued Rogers for damages in Ontario Superior Court in late 2019, the telco filed a lawsuit of its own against Coinsquare this May, alleging the exchange’s lax security protocols are to blame for the theft. Rogers is seeking to recover from Coinsquare any damages awarded to Kimelman and Zelikman, plus legal costs—an amount that could total $1 million, according to the court’s online registry.

“Rogers denies that the main action plaintiffs [Kimelman Zelikman] are entitled to any of the relief claimed,” states its lawsuit against Coinsquare. Coinsquare’s alleged negligence in security, Rogers wrote, included allowing the hacker to withdraw all of the funds in large amounts and for failing to implement any holding period for those withdrawals.

In a statement of defence filed in response to Kimelman and Zelikman’s original lawsuit, Rogers said the hacker was already in possession of some of the customer’s personal data, and used that information to make the SIM card request. 

Coinsquare, which hasn’t yet filed a defence to Rogers’s lawsuit, didn’t respond to The Logic’s request for comment. Rogers, Zelikman and Kimelman also didn’t respond to requests for comment.

SIM card fraud has emerged as a common way that hackers steal from cryptocurrency investors who have exchanges and other third parties hold their funds. Once a scammer has control of a target’s cellphone number, they can start resetting the target’s passwords on services that rely on text-message authentication—such as a crypto exchange.

The scam sometimes includes another layer called “port fraud,” when a fraudster calls one wireless provider and asks to transfer to a new account the phone number of an unwitting victim from another provider. The Globe and Mail reported last September that the Canadian Radio-television and Telecommunications Commission (CRTC) had been notified of 21,589 fraudulent number portings and 3,038 SIM swaps between August 2019 and May 2020. 

In 2020, as fraud reports surged, cellphone providers made changes to the identity-verification process, according to Nicholas Kyonka from the Canadian Wireless Telecommunications Association, an industry group. Providers “made some changes to the specifications and procedures to make it more difficult for unauthorized ports to be completed.” The new measures included “enhancements to the verification process,” he said in an email.

Those included a text alert sent to a customer’s phone from the company losing the account, a measure implemented in fall 2020. The Canadian Anti-Fraud Centre, a federal body run by law-enforcement agencies, told The Logic by email that since then, reports of SIM-swap frauds have declined—from 200 between November 2020 and May 2021 to 71 in the same period this past year.

Still, Rogers says it shouldn’t be held responsible for Kimelman and Zelikman’s loss. Cellphone numbers aren’t designed for use as two-factor authentication, digital security that uses multiple methods to verify a person’s identity, the company said in a response to their lawsuit.

“Rogers denies that it owed the plaintiffs a duty to prevent misuse of their cellular telephone number for the purpose of two-factor authentication,” Rogers wrote. “The services were not designed or intended for use as part of two-factor authentication.”

But John Lawford, a lawyer and the head of Ottawa’s Public Interest Advocacy Centre (PIAC), accuses telcos of not training customer-service reps adequately to detect and stop identity thieves, and the CRTC of not requiring them to crack down harder. The centre is a non-profit that fights for consumers’ interests in regulated industries such as telecom and finance.

“I would say if you use a cellphone, don’t buy crypto,” he said, “because you’re not going to be safe from this.”

Officials in other countries have taken steps to combat SIM card fraud in recent years. Australia’s telecommunications regulator has new rules that kicked in at the end of June mandating stricter identity checks for “high-risk transactions,” including SIM-swap requests. Companies will be fined for breaches, balancing telcos’ incentive to keep customers happy against the need to protect their accounts, Lawford said.

Last summer, following a PIAC campaign, the CRTC asked mobile carriers to give it information about cases of port fraud and SIM-swap scams, but rejected a PIAC request for them to disclose precisely what they were doing to fight the frauds. Revealing that publicly “would likely expose consumers to harm as a result of fraudsters being able to use this information to circumvent the [carriers’] initiatives,” the commission said in a public letter.

For similar reasons, the CRTC said the harms from a more detailed, public examination of the issue would outweigh the benefits.

“The commission is of the view … that the measures that the [wireless carriers] have put in place are currently effective and it is doubtful that a proceeding will lead to measures that are much different from what the mobile carriers have already implemented,” the CRTC said.

A few weeks later, the CRTC released the aggregate stats from the wireless companies, “disclosing that there was a 95% decline in the total number of unauthorized mobile telephone number transfers and SIM swaps from October 2020 to May 2021.”

But not to zero. Scammers’ tenacity, coupled with the amount of information people reveal about themselves online, can make it tough for wireless providers to defend against the fraud. A determined scammer might make multiple contacts with the same wireless provider, feigning confusion or ignorance or disorganization with a series of helpful workers, building up a profile on a target one tidbit of data at a time, Lawford said.

“There’s quite a bit of evidence that the scammers go on the internet and see who’s crypto bros, and then go backwards and get as much information [as possible] and target them because they know they can clean out their crypto and boom, it’s money,” Lawford said. “Or, well, at least it’s a bunch of ether.”

With files from Aaliyah Dasoo