Archive for Canada

Freedom Mobile Suffers Data Leak….Credit Cards, Email Addresses, And More Exposed

Posted in Commentary with tags , on May 7, 2019 by itnerd

If you are a Freedom Mobile customer, you might have a very good reason to be concerned about the security of your personal information. According to Tech Crunch, a server belonging to Canada’s fourth largest telco is leaking data:

Security researchers Noam Rotem and Ran Locar found an Elasticsearch server leaking five million logs containing customer data. The server wasn’t protected with a password, allowing anyone to access the data.

Rotem and Locar, who shared their findings exclusively with TechCrunch and published his report at vpnMentor, said it took the cell giant a week to secure the leaking database after first reaching out.

The database is believed to be part of a logging system used by the company to determine errors and glitches in the company’s systems. The database recorded any errors and the plaintext data associated with it, including customer data.

Data seen by TechCrunch reveals customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types, and Freedom Mobile account numbers.

The logs also answers to credit checks filed through Equifax, including details if an application was accepted or rejected — along with the reason why.

We also found full credit card numbers, expiry dates and verification numbers stored in plaintext.

None of the data was encrypted.

This is a #EpicFail on the part of Freedom Mobile. Partially because the server was leaking data, and partially because someone else had to tell Freedom Mobile about it which implies that the company wasn’t on the ball. Now 15000 customers were affected and the server was secured after the researchers told them about it. Though Freedom Mobile all but tossed a company called Apptium who managed the server under the bus for this. No matter. It’s being investigated by the Office of the Privacy Commissioner and I hope they dole out the right level of punishment as this sort of thing simply cannot go unpunished.

Advertisements

#PSA: Your Devices Can Be Searched And Seized By CBSA Without A Warrant

Posted in Commentary with tags , on May 6, 2019 by itnerd

I’ve written about the fact that CBSA or the Canada Border Services Agency can search and seize electronic devices such as cell phones and laptops. Often without a warrant or even a reason. This was highlighted when this CBC News story came to light where a lawyer returning to Canada from South America had his laptop and phone seized because he wouldn’t hand over the password so that they could troll them for reason unknown.

I’m not going to debate whether this is right or not. Though I will say that perhaps it would be wise for these laws need to be reviewed. but what can you do to protect yourself from this. I’d take the advice that I gave in this article that I wrote about crossing the US border with your devices. The fact is that CBSA can search of your devices for no reason whatsoever. That means that you need to protect yourself and your data from loss. The fact is that while you can replace your phone/computer, as well as complain about this, you can’t replace your data.

 

The Big Three Carriers Don’t Remove “Device Subsidy” Charges From Your Bill Once Your Phone Is Paid For… Here’s How To Avoid This Trap

Posted in Commentary with tags , on May 5, 2019 by itnerd

If you’re a customer of Bell, Rogers, and Telus, and you get a phone from them directly, You are almost certainly paying them what is called a “device subsidy”. In short. you are paying off the cost of the phone via monthly payments that may be combined with a nominal up front cost. That way you don’t have to shell out $1500 up front for the latest iPhone or Galaxy Phone.

Now as soon as the phone is paid off, that “device subsidy” should come off your bill. Except that it doesn’t come off your bill. Global News has a story that shows that these “device subsidies” are remaining on their bills long after their phones have been paid for. In other words, if you got your phone in this manner, you’re being ripped off by the big thee telcos. And if you call them on it, you may find it is easier to switch carriers rather than to fight. Which is not how things should work. On top of that there is nothing in the wireless code that stops the big three telcos from doing this, which is also not how things should work.

So, how can you avoid being a victim of this? It’s simple really. Never, ever buy a phone at a subsidized price from a big three telco or an authorized agent of a big three telco. That way you never fall into this trap. I will freely admit that you are going to pay way more than a cell phone than you might be used to because you are paying for the full value of the phone up front. But by biting that bullet, you get the following in return:

  • You get to pick the carrier that you want and get a plan, usually called a BYOD or “bring your own device” plan at a lower rate, often with no contract.
  • If the carrier in question does something to make you mad, you can switch carriers easily.
  • You can take the phone overseas and use a local SIM card and avoid the insane roaming fees that the big three telcos charge. Sure you lose your Canadian number while you are overseas, but you will save a ton of cash so it is totally worth it.

The fact is that this illustrates that the big three telcos in Canada really do not have your best interests in mind. If they did, they wouldn’t be doing this. But since they don’t, and the CRTC nor the federal government show no interest in fixing this, consumers have to protect themselves from becoming victims of this trap that the big three telcos have set for their customers.

CRTC Says Canadian Telcos Use “Misleading Or Aggressive Sales Practices”…. Shock, Not

Posted in Commentary with tags , on February 20, 2019 by itnerd

Well this is not going to come as a surprise to any Canadian that gets some form of telecommunication services. The CRTC who has spent the last few months investigating aggressive and misleading sales behavior like this example or this example. The result was that the CRTC confirmed what Canadians already know, which is that Canadian telcos engage in this sort of behavior. Here’s what the CRTC said in the press release that they put out regarding this:

The Report on misleading or aggressive communications retail sales practices finds that, even with the existing measures put in place by service providers and governments, misleading or aggressive sales practices occur to an unacceptable degree.

The CRTC is taking action to introduce new measures to ensure Canadians’ interactions with their service providers are carried out in a fair and respectful way, such as considering the creation of a new, mandatory Internet Code of Conduct and the creation of a secret shopper program to monitor sales practices.

The CRTC also found that misleading or aggressive sales practices have a harmful impact on Canadians, particularly on vulnerable Canadians, that the services providers’ internal measures are not always effective and that there are gaps in the awareness and effectiveness of existing consumer protections.

While the CRTC is considering taking additional steps to curb this behavior, they didn’t name and shame the telcos who are responsible for said behavior. That can be taken two ways. Either they didn’t have the guts to name and shame which is disappointing, or most if not all telcos in Canada do some form of this behavior. Perhaps both. In an ideal world, the CRTC drops the hammer on Canadian telcos to make sure this stops right the hell now. But somehow I don’t see that happening. Which means that Canadian consumers will continue to be the victims of this behavior regardless of the steps the CRTC will take.

Canada Post Pwned…. 4500 Cannabis Customers Had Their Data Swiped

Posted in Commentary with tags , on November 8, 2018 by itnerd

Cannabis has been legal in Canada for the last few weeks. And if you live in Ontario, the only way to buy Cannabis legally is online via a government run store who will deliver your stash to you via Canada Post. Too bad Canada Post had to announce that they got pwned:

The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.

And it seems that the Ontario Cannabis Store is accusing Canada Post of being slow to act:

In a statement on Wednesday, the Ontario Cannabis Store said it referred the matter to the province’s privacy commissioner. The statement also said the store had “encouraged” Canada Post to take immediate action to notify its customers.

“To date, Canada Post has not taken action in this regard,” the store said in its statement. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.

So if you bought some weed from the Ontario Cannabis Store, you might have someone reaching out to you.

Now my first thought upon reading this, beyond my usual reaction of “I hope that someone slaps the relevant parties silly for this data breach”, is that this is a huge problem. For example, one could be barred from traveling to the US or to other companies if it became known that you smoked the stuff. Thus there needs some serious questions answered by both Canada Post and the Ontario Cannabis Store.

Toronto Needs To Say No To Sidewalk Labs

Posted in Commentary with tags , on November 2, 2018 by itnerd

Two years ago Alphabet via its Sidewalk Labs arm was given planning permission to develop 800 acres of Toronto waterfront into a car-free, data-driven neighborhood called Quayside. The vision was as follows:

By combining people-centered urban design with cutting-edge technology, we can achieve new standards of sustainability, affordability, mobility, and economic opportunity.

That sounds great right? Well, some say not so much. Former BlackBerry co-CEO Jim Balsillie called it “a colonizing experiment in surveillance capitalism” and pretty much said that Toronto should deep six the idea. Then Saadia Muzaffar and John Ruffalo who were volunteer members of an advisory committee quit the project. Both indicated that their departures had to do with a lack of public trust. To top it all off Ann Cavoukian who was Ontario’s privacy commissioner and a leading privacy expert quit citing privacy concerns.

Clearly all is not well with Quayside.

When one of the leading privacy experts in the country, as well as two others with very strong business and tech backgrounds, along with the former CEO of a company that has security at the forefront of everything they do all say that this project is a bad idea, perhaps the City Of Toronto should listen and pull the plug on this. Now Sidewalk Labs put out a really pretty blog post that says that everything is fine and people in Toronto have nothing to worry about because they take privacy seriously. But consider this. We are talking about Alphabet which is also known as Google. A company known for slurping up massive amounts of data and using it to make piles of cash. Can the be trusted?

I’m going to go with no.

If I were the City of Toronto, I would run away from this project. It’s not worth it. Seriously. It’s time to say no to Sidewalk Labs and Quayside.

 

New Rules Will Force Canadian Companies To Disclose Data Breaches

Posted in Commentary with tags on November 1, 2018 by itnerd

From the “it’s about time” department comes news that new rules kick in today that force Canadian companies to disclose data breaches:

Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for two years.

The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form.

Now by no means is this perfect and even the Privacy Commissioner admits that, but it is a step in the right direction as companies need to be fully transparent and held fully accountable for any data breaches that may take place. It may also force them to take steps to avoid being on the wrong side of a data breach headline as well.