The IT Nerd

Earlier this week I told you about an email scam that was using the name of Canadian telco Rogers to make you more likely to fall for it. That scam was pretty bad. But on Friday, I came across an even worse scam that uses the Rogers name.

I got a phone call that had a caller ID of “Rogers” with an area code that started with “888” which is likely spoofed. Now my wife and I haven’t been with Rogers for just over a year, but I decided to pick up the call anyway. When I did a woman asked for my wife. That made sense because the Rogers account was under her name. I told the woman that I was her husband and she could speak to me. That’s when things got interesting. The woman told me that she was calling from “Rogers Customer Loyalty” and our Rogers account was selected as part of a promotion.

This is when I started to get suspicious. Like I said earlier, we haven’t been with Rogers for just over a year. So while I can see a scenario where Rogers might call us to try and get us back, there’s no department within Rogers called “Rogers Customer Loyalty” that would do that. Thus I was starting to think that this was a scam. Normally, this is where I would suggest that you hang up. But I wanted to confirm my suspicions, so I played along.

The woman then said that the promotion in question was that Rogers wanted to give us a free iPhone 14 Pro Max with a 35GB data plan for $50 a month. That really started the alarm bells ringing because Rogers to my knowledge never gives away free phones. Not only that, they don’t as far as I know have a 35GB data plan for $50 a month. Thus I was really thinking that this was a scam. Again, instead of hanging up, I played along.

First they wanted to confirm some information. And the information that they offered up was my wife’s email address and name. Then they wanted me to confirm the order by sending me a six digit verification code.

Ding! This confirms that this is a scam.

What the threat actors are up to are getting access to your Rogers account using your email address so that they can order an iPhone of some description, ship it to some location where this phone and every other phone from anyone who fell for this scam is then shipped to some other country for resale. Likely India given the fact that the person who called me had an Indian accent. The other possibility is that you do get the phone, but they they will call you on the day that you get it and say that they messed up and you need to send the phone back. They’ll email you a “return label” that simply sends the phone to a location from where they can forward the phone overseas. In either case, you get stiffed with the bill for the phone. The threat actors need the six digit verification code to get into your account because Rogers has moved to using using two factor authentication in order to stop threat actors from brute forcing their way into your account.

At this point I hung up, but here’s what concerned me. The threat actors clearly have acquired some accurate information that allows them to perpetrate the scam. It makes me wonder if Rogers had some sort of data breach where this information ended up in the hands of threat actors, or did they use a third party call centre who has a copy of this data and are now using this information for evil purposes? I don’t know for sure. But given that they called me with some very accurate information, the question has to be asked.

So if you get a call like this, what should you do? This is what I suggest:

1. Hang up and call into Rogers using one of the phone numbers on the Rogers website. The person that you speak to will instantly be able to tell you if you have any offers on your account. Chances are that you don’t have any offers, or not ones that fit this description. Thus validating that this is a scam They may also put a fraud alert on your account for your protection. At the same time, you should also confirm that no changes have been made to your account.
2. Never, ever give the threat actor the six digit verification code. They may say things to convince you that it’s okay to give them the verification code, but they are lying. No Rogers employee would ever ask for this code. Ever.

A suggestion that I have is that if you get a call like this, you should change the email address that your Rogers account uses. That way you can spot scams like this easier.

In my research for writing this story, I have not heard of a similar scam that targets Bell or TELUS customers. Nor any other telco in Canada. But a Reddit thread that I found seems to validate that I am not the only person who got a call like this. Thus this seems to be strictly targeted towards Rogers customers which adds some weight to the fact that the threat actors clearly have some information to allow them to target Rogers customers. Thus I have to wonder what Rogers is doing to investigate this and address this as this is clearly a threat aimed at former and current Rogers customers. Given the scale of this issue, Rogers needs to say something. And the sooner the better. In the meantime, watch out for this scam.

Yesterday I posted that there seemed to be some hope in terms of Rogers finally fixing their email issues that have plagued users of Rogers email offering for months. I also asked for some help in validating this and as usual, the readers of this blog responded. And that response has helped me to construct this update so you have all the information that you need to use Rogers email offering if you wish to do so. Which I wouldn’t if I were you. More on that later.

First of all, Rogers or more accurately Yahoo! who Rogers gets its email services from have apparently implemented OAuth which is defined as follows:

OAuth (short for “Open Authorization“) is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

I suspect that Yahoo! has implemented OAuth because their security when it comes to their email offering has been at best suspect for years as evidenced by numerous people getting their Yahoo! email accounts hacked over the years along with the company suffering some really bad security breaches. Thus going this route mitigates a lot of those issues. Maybe. That’s the cynical side of me saying that. But to be fair, Gmail has used OAuth for years and they don’t have the sort of security issues that Yahoo! has. Thus perhaps Yahoo! will get the same result.

Now the catch with OAuth is that your email client needs to have support for it. Microsoft who makes the Outlook email client appears to be rolling out support for OAuth on Yahoo! as per this document. However this support hasn’t appeared on Microsoft Office 365 product as of yet (Unless you want to run beta software, which I would not recommend). It however has started to appear on Microsoft’s one time purchase version of Office (where you pay once and you get the software forever unlike Office 365) as I have had reports of Rogers email all of a sudden starting to work or needing to be reconfigured before it starts working again, along with the fact that I have personally witnessed this working. I have also confirmed that the Mozilla email client Thunderbird seems to work as well.

So in short, to make this work you need the following:

• Your rogers email address which ends in @Rogers.com
• The password that you use for either the Rogers Member Center or Rogers Webmail
• Your Outlook email client updated to the latest version possible of Outlook or Mozilla Thunderbird

I will keep you updated as to developments on this front as I know that this is a top of mind issue for many Rogers customers.

Now, here’s why I wouldn’t bother doing any of this and instead encourage you to abandon Rogers email offering and use something else. The majority of my reasons can be found in this article. But my main reason for not recommending that you use Rogers email offering is that Rogers has really dropped the ball here. They have not communicated with their clients who pay them money for this. Which makes this issue, as bad is it is, much worse. Clearly Rogers hasn’t learned the lessons from last year’s massive outage about how to communicate to customers. Thus as a result, I would not trust them with your email.

Here’s a quick update to the Rogers email issues which have been ongoing for months with seemingly no resolution. But before I get to that, here’s a quick refresher in case you’re new to this fiasco that Rogers has inflicted upon their customers:

• I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th.  
• This issue dragged on for months. There is a workaround, but that workaround is sub optimal to say the least. And as this issue dragged on into April, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as their email provider.
• Rogers has sort of admitted that there is an issue. But it took them a very long time to do that.

That last update was in the middle May. We’re now in July and I still have a number of clients who have been suffering from this issue. Some of them just got fed up and stopped using Rogers email. Or they got fed up and stopped using Rogers entirely. But some have hung on using Rogers Webmail which is the only way they can get email from Rogers.

However this might be changing. At this point I have only tested this once so I need a bigger sample size to confirm the this is a workable and reliable solution. But here’s what I did with a client yesterday.

Using Microsoft Outlook, I walked through the wizard to create a new email account. Instructions for using that wizard can be found here. As part of that process, this popped up:

Now the credentials that they are asking for are your email address (yournamehere@rogers.com for example), and your password. Specifically the same password that you would use for Rogers webmail. If you enter those credentials, it will do some work in the background and set up an IMAP email account that works perfectly. Though I will note that I had to try this three times before I got to that point, which implies that this does not work perfectly. But based on the sample size of one, it did work.

I would like to hear from others who have issues Rogers email. Does the above instructions work for you? Or has your email just “magically” started to work again? I encourage you to leave a comment below with your feedback as I would like to enhance the above instructions and get a better idea of how well this works for users of Rogers Email.

I’ve gotten a couple of calls from clients of mine who are having issues sending MMS messages on the Rogers. I did a search of Twitter and found this:

Rogers appears to know about the issue based on this. But there’s no ETA to resolution as of yet.

So if you’re having this issue, you’re not alone it seems. This really makes Rogers look bad given what happened to some of their customers yesterday, and their ongoing email issues. UPDATE: This is now fixed.

Speaking of Rogers email issues, here’s a quick refresher in case you’re new to the issues with Rogers email service that have been going on for months:

• I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th.  
• This issue dragged on for months. There is a workaround, but that workaround is sub optimal to say the least. And as this issue dragged on into April, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as their email provider.
• Rogers has sort of admitted that there is an issue. But it took them a very long time to do that and there is currently no ETA to resolution. Even though we’re now into mid-May which makes it over two months since this issue first surfaced.

Now that you’re up to speed, while researching this MMS issue I came across this on Twitter :

Interestingly enough, Rogers replied. And they did so in detail and without using their usual canned responses that people hate:

I have to ask, what does “update this feature” mean? Does it mean that they are trying to find a way to go back to using a singular password like every other email service on the planet is capable of? Does it mean that they’re trying to fix the app specific password system that has been broken for months? Or are they working on something new? For example using OAuth instead of app specific passwords? Who knows what Rogers is or isn’t working on because they have not said much of anything. That leaves their customers who are affected by this issue in the dark and fuming. And I can’t say that I blame them as Rogers really have screwed up the handling of this issue.

I’ve said this before and I will say it again, because Rogers isn’t communicating if or when this issue will be fixed, your best course of action is to dump Rogers as your email provider. Clearly Rogers can’t help you to use your email using the tools you want to use, be it Outlook or some other email client as they can’t resolve this issue. And they won’t communicate to affected customers what they are going to do to get this issue resolved. Thus your only option is to dump them. In my opinion you don’t have any other choice as Rogers simply cannot be relied upon when it comes to email. And perhaps more based on their recent track record.

From the “we don’t need the bad press department” comes news that Rogers had a major outage in central Ontario that took out all their services. This was the view from Down Detector:

As you can see, Rogers had major issues between noon and 4PM yesterday where Internet, phone, TV, and landline phone were not working. It’s not clear what caused the outage. But I am sure that we’ll never find out as Rogers doesn’t communicate that info. But I can say that this latest outage with one of Canada’s largest telcos doesn’t make them look good.

Right off the top, I’m going to say that I believe that Rogers must be feeling the heat from Bell and the fact that Bell is rolling out fibre to the home anywhere and everywhere it can. And the fact is that as I said years ago, and when I got Bell’s fibre product in my home, Bell’s fibre optic Internet products destroy anything that Rogers has to offer as Rogers customers for the most part are stuck with cable. Now here’s why I say that. A reader pinged me with this:

Hello IT Nerd. I got an advertisement in my mailbox today where Rogers is offering “fibre-powered Internet” at my address. Does that mean that Rogers is about to roll out fibre to my address? Would you be able to answer this question? Thanks!

The first thing that I did was to reach out to him and ask him to check what speeds are offered at his address and send me the screenshot. I got this back in reply:

All of these options are Rogers cable based Internet offerings. Which I have said previously work like this:

They deliver Internet access by using a system they call “Hybrid Fibre” which means that the Rogers network is largely fibre optic cable. But the so-called “last mile” to your home is copper cable. The problem with that scheme is that copper cable can only handle so much bandwidth. Since Rogers is in the process of rolling out DOCSIS 3.1 across their network (at present they have DOCSIS 3.1 enabled on the downstream part of their Internet connections, but not on the upstream part of their Internet connections), that means that they’re capped at 10 Gbit/s downstream and 1 Gbit/s upstream as per this Wikipedia page.

The problem is that Rogers advertises their Internet offering like this:

You’ll note that it says “Good news! Fibre-powered Ignite Internet  is available at” followed by the address which I have redacted. Rogers isn’t being quite truthful as they are only providing fibre to the node and not the home. This is further backed up by the flyer that this person got in the mail:

Both of these pictures have references to “fibre-powered Internet”. The problem with that is consumers think that this is fibre from end to end like Bell. But it is not fibre from end to end. And that leaves consumers with a bad taste in their mouths. Take this post on Reddit as an example:

And the thing is, I’ve called out Rogers for this type of marketing before. Last year, Rogers was advertising “pure fibre to the home” when that wasn’t what they were delivering. But they quickly changed that about a week later. Presumably because of blowback from customers who thought that they were getting something other than what Rogers was actually delivering. I can only conclude that they are now doing this again because Bell is really putting the heat on them and they need to do something to acquire and retain customers on their Internet product. Which has a knock on effect for home phone and TV as well.

Rogers isn’t doing itself any favours by the way they are advertising their Internet offering. It confuses consumers who then are left with a bad taste in their mouths when it comes to Rogers when they find out that they’re not getting the service that they think that they should be getting. Honestly if I were Rogers, I would stop this immediately. And instead I would clearly explain to consumers how their technology works. Sure their technology in most places that Rogers operates isn’t as sexy as fibre to the home. But at least they would be completely honest. And that would be an improvement over what they are doing currently which is playing fast and loose with the facts.

I first reported on issues with Rogers email, and the inability to generate app specific passwords to allow users of Rogers email to use email clients like Outlook and Thunderbird on March 7th.  However this issue dragged on for days. There is a workaround, but that workaround is sub optimal to say the least. And as this issue dragged on into April, I was left with no other option than to recommend to my many clients who are affected by this to dump Rogers as an email provider. Now Rogers has sort of admitted to the fact that there is an issue, but there is no ETA as to when it will be resolved. Other than that rather tepid admission, there has been silence from the telco.

Today is April 25th which is 49 days since this episode started. And Rogers users are reaching the end of their limit with the telco. There are two threads on the Rogers Community Forums that I’ve been tracking which illustrate how frustrated Rogers had made their own users. Here’s some examples:

This is what happens when you as a business do not provide a public comment about an issue that has been ongoing for a long time. Your customers get frustrated. Your customers do not believe that you care. And most importantly, your customers look for other options with your competitors. You have to wonder if Rogers is even checking their own Community Forum as this sort of feedback isn’t hard to find, and illustrates that they have not only a technology problem on their hands, but a public relations problem as well.

And as one person in the examples above has mentioned, you have to wonder why Rogers doesn’t simply disable the need for an app specific password until they figure this whole thing out as that would lower the temperature of this situation? Perhaps they’re at the mercy of Yahoo who provides Rogers email service? Or perhaps Rogers can’t figure out how to do that? Either way, it is curious that they have not tried doing that.

Rogers has really dropped themselves in it this time. While this isn’t as bad as taking down the entire country for a couple of days like they did last summer, this isn’t going to help them win hearts and minds. Rogers really, REALLY needs to start upping their game here. Starting with giving a coherent explanation of why this issue has been ongoing for 49 days and counting. Along with what they are doing to fix this issue and when they hope that this will be fully resolved. This is the only way that they can start regaining the trust of their customers and stop customers from leaving for other telcos. I really question at this point if Rogers has the ability to do any or all of that. But now would be a really good time for them to prove me wrong.

I’ve been covering a long standing issue with Rogers and their email offering which is powered by Yahoo for weeks now. If you’re new to this, here’s the TL:DR: Users of Rogers email service (in other words they have a @Rogers.com address) can’t get their email on any device or application that they choose. And this has dragged on for weeks. This is in part due to the fact that Rogers requires users to create  App Specific Passwords via Rogers Member Center on each program or device that an email address is used on. The creation of new app specific passwords doesn’t work and existing app specific passwords appear to have been deleted in many cases. That pretty much breaks your applications that rely on them. There is a workaround, but that workaround is sub optimal to say the least. And it’s led me to recommend to my many clients who are affected by this is to dump Rogers as an email provider.

Today, after weeks of official silence on this issue, Rogers has finally admitted that it has a problem. Sort of. As of this morning, if you try to generate a App Specific Password, you will now get this error message:

Why Rogers didn’t add this weeks ago is beyond me. It might have saved them a bunch of tech support calls as well as mitigated the frustration that their user base has at the moment. But even then, this isn’t a substitute for a proper announcement from the Canadian telco that they have an issue and that there’s a timeline to fix it. But I suspect that this is because Rogers has no clue when it will be fixed because they have no clue about how to fix it. So they’ve just pretended that the problem doesn’t exist unless someone calls into tech support. And when that didn’t work, they added this message.

#Fail.

The only thing that is perhaps new is the fact that the message points you to this document which details how to set up Rogers email on an iOS or Android device. I tested this with a client this morning on their Android phone and it does work. And I assume that it will work for iOS devices as well. But this does nothing to help people using Outlook, Thunderbird, or any other email program on their desktop or laptop computer. And as I have said many times before, using a web browser as the primary means to check your email is sub optimal. Thus this response from Rogers is still pretty bad. And doesn’t change the situation for any of their customers in any meaningful way.

This whole situation is going to bite Rogers as I can say that over the last few weeks, I have been working to transition people off of Rogers email using this method, and then when Rogers eventually figures out how to fix this issue I will be archiving that email for the clients in question so that they can dump Rogers as a telco. Though there seems to be a few clients who are so fed up with this that they are willing to sacrifice their email and just switch to another telco because they are so fed up with Rogers handling of this situation. And I have to say that I don’t blame them. Rogers has really mishandled this, and when their churn rates start to increase, they will only have themselves to blame.

For a very long time, a company called BAI Canada have had the ability to provide support for Canadian cell phone carriers to bring support for cell phone service to Toronto’s subway system. The only company to leverage that has been Freedom Mobile who is now owned by Videotron thanks to the Rogers / Shaw deal. The lack of the “big three” cell carriers participating in this deal has been a sore point for subway users in Toronto for years. And it has been highlighted in recent weeks due to the spike in violence on Toronto’s transit system. Today, Rogers has announced that it has bought BAI Canada to address part of that:

Rogers has entered into an agreement to acquire BAI Communications’ Canadian operations (BAI Canada), which held the exclusive rights to build the Toronto Transit Commission’s wireless network since 2012. With this acquisition, Rogers will now be able to undertake the investments required to build a comprehensive and reliable 5G network to the entire TTC subway system.

This commitment is particularly important to ensure access to 911 services across the entire subway system. Today, TTC users with any mobile provider can call 911 only where the cellular network exists – on station platforms, concourses, and approximately 25% of the tunnels. Rogers will work to quickly address gaps in the busiest and most critical sections of the subway system.

My question is, where does this leave TELUS and Bell? Are they shut out from having anything more than 911 service? Or will Rogers come to some sort of agreement with the other two telcos to give them broader access to the network that they plan on building? This is an important question as BAI had an exclusive agreement for this infrastructure. And I don’t see Rogers making a change in that area.

My view of this is that given the rise in violence on Toronto transit, all cell phone providers need to be part of this. And all cell phone services need to be provided to all cell phone providers. So I hope that Rogers opens this up to rest of the “big three” and others. And I hope if Rogers doesn’t do that on their own, they are forced to do so by the CRTC or by the government.