When Edward Letichever realized he had no cell service early one morning, he immediately feared his phone was being hacked.
A bitcoin trader, Letichever used his phone as a gateway to his digital vault, where he held hundreds of thousands of dollars’ worth of cryptocurrencies. It’s why, he says, he had previously asked his cellphone provider, Fido, for extra security measures that would prevent anyone from accessing his account.
By the time Letichever got through to a Fido representative on that December 2020 morning, it was too late.
“They took over my phone,” he said. “They stole everything.”
Letichever was a victim of SIM swapping, when fraudsters impersonate a target in order to commandeer their phone, transferring cell service to a SIM card in their control and allowing them to access bank accounts and other private information.
This form of cyber identity theft — distinct from unauthorized porting, where a fraudster transfers a wireless number to an account with another carrier — has surged across the globe in recent years. But the breadth of the problem in Canada remains unclear as the country's telecommunications regulator and telecom companies have resisted calls to publicly disclose incident rates.
Letichever is now suing Rogers, Fido's parent company, for punitive and other damages totalling $1.5 million, alleging the company failed to properly secure his information. He also alleges that Rogers failed to co-operate with Toronto police, which he says led to the criminal investigation being shelved.
Rogers says it was duped by an "impostor" but denies any responsibility for the theft. In its statement of defence, the telecom alleges Letichever was too relaxed about his personal security, allowing a thief to collect his “personal information … from other sources, prior to executing the SIM swap.”
The lawsuit remains before the courts and none of the allegations have been proven. Central to the case is a question that is becoming important to all Canadians, as we increasingly rely on our phones to navigate our banking, investments and other money matters: Who ought to be held accountable when fraudsters take over a cellphone to steal from a mobile user?
In 2020, a federal government standing committee recommended the Canadian Radio-Television and Telecommunications Commission (CRTC) conduct a public inquiry into SIM swapping and other fraud, and if the CRTC failed to do so, the government should introduce legislation to protect Canadians. So far, neither has happened.
Instead, the CRTC took measures it says led to a 95-per-cent decrease in SIM swaps and fraudulent porting between October 2020 and May of the following year, a commission official said in 2021. But details on how the reduction was achieved were not provided. The CRTC and mobile carriers said they were concerned that more detailed disclosures could provide fraudsters with knowledge to circumvent the new measures, and the carriers said that an inquiry would be a “distraction” from ongoing anti-fraud work.
The scope of the problem in Canada today remains unknown to the public. The CRTC requires cellphone carriers to submit monthly data documenting unauthorized transfers. But when these reports are made public, they are scrubbed of any actual numbers. The commission told the Star that it receives the information from mobile carriers in confidence as is allowed under the Telecommunications Act.
“I don't see any overriding justification for hiding from the public, for something that costs people tons of money (and) is completely preventable and dealt with in other jurisdictions,” said John Lawford, executive director of the Public Interest Advocacy Centre.
In Australia, fines are imposed on carriers that allow unauthorized porting. In 2020, the Australian Communications and Media Authority announced that if no changes were made at the regulator level, there would be “large costs to customers and businesses, posing an unacceptable level of customer harm.” Additional identity verification methods were implemented. In the summer of 2022, the Australian regulator issued a fine of nearly $200,000 against a company for failing to comply with the new methods, a violation that led to 15 alleged ports over a four-month span.
In his statement of claim, Letichever says he had already taken extraordinary measures starting in 2018, when he first asked Fido that no changes be made to his account unless he personally appeared in a Fido store, entered a PIN number and presented two forms of ID.
Then in August 2020, he says, he reasserted to Fido the need to better protect his account after an attempted theft. Letichever was in the Caribbean with his family when he received a text request to port his phone number from Fido to a different carrier. This was an attempted unauthorized port, not a SIM swap.
He had not made the request, but the transfer momentarily went through, he says. Letichever says he was able to quickly contact Fido to stop it, but that it took several days for Fido to recover his number. He says he told an adviser in the Rogers office of the president and the Rogers ombudsman that they were “lucky” there was no theft during the momentary transfer and that his cryptocurrencies remained a likely target of theft.
When Letichever was hacked later that year, he received an email from Fido support the following day that said the company had determined his SIM card was “fraudulently updated” without his consent. After the SIM swap, the fraudsters stole 28.42 bitcoins from a digital wallet connected to Letichever's phone. According to the Star's calculations, on the day the bitcoin was stolen, it was worth roughly $785,000.
In its statement of defence, Rogers says it had followed all of its security measures, as well as the ones Letichever requested. Rogers does not say if the hackers completed the swap in a Fido store, over the phone or by some other method.
Rogers said in a statement to the Star that the company takes customers’ privacy and security seriously.
“As fraudsters use constantly evolving techniques to try and take advantage of consumers across the wireless industry, we continually strengthen our security measures to protect our customers against fraudulent activity,” said Cam Gordon, Rogers media relations director.
In the days following the theft, Letichever says he reported the theft to police. According to emails sent from a detective to Letichever, Rogers told investigators the company was not exactly sure how the SIM swap request was made.
Letichever alleges Rogers was “unwilling or unable” to provide Toronto police with the necessary information they would need to continue to investigate. A Toronto police detective constable said in an email to Letichever that police closed their investigation because Rogers and Fido did not provide them with further information, “therefore there are no investigative avenues for me to explore that could lead to the identification of the suspect/suspects.”
Rogers denies Letichever’s claim that it impeded a police investigation, or any claim the company “permitted and/or assisted the impostor to execute the SIM swap.” Rogers’ statement of defence says that under its terms of service the company is not liable for Letichever’s losses “even if Rogers was negligent or was advised of the possibility of such damages.”
Letichever says that Rogers, with its statement of defence, is “telling me they are not obligated to protect people’s phones.”
“Basically, they’re telling me, ‘your phone is not safe.’ ”