Winnipeg police investigated at least 20 cases where hackers got access to accounts through MyMTS emails
A Winnipeg senior warns everyone who has a MyMTS email address that they should increase their security after thieves hacked into his account and stole nearly $11,000 last year.
Winnipeg police say MyMTS email accounts have fewer security features, making them easier to compromise, according to court documents obtained by CBC News.
Dennis Popkes, 76, was heading to a funeral in December 2022 when he realized his cellphone wasn’t working.
He went into his email to try to figure out what was wrong with the account, but when he entered the answer to a security question, it wasn’t accepted. So he called Bell MTS technical support.
“He says, ‘Someone has gotten into your account ahead of you and changed your answers.’ And I said, ‘What?'” Popkes said
WATCH | How hackers got into Dennis Popkes’s Bell MTS email account:
Popkes later learned he was a victim of SIM swapping. That’s when someone claims to have lost their phone or gives another excuse to get a phone company to provide a new SIM card.
In Popkes’s case, someone in Edmonton logged into his account and ordered a new SIM card online while pretending to be him.
This is the second time someone has gotten into his email. The last time was in August 2021, and Bell assured him that would be the end of it.
“They said, ‘Sorry, sorry, sorry, this will never happen again, we’ve marked your file,’ and a year and four months later … they got the motherlode. They got the SIM card changed,” Popkes said.
Once hackers got into Popkes’s email, they were able to access his bank accounts, credit cards and other accounts, like Costco, Amazon and Paypal, he said.
They went into those accounts and changed the billing address to one in Edmonton and changed the contact number to the phone number associated with the new SIM card.
By the time they were done, they had spent $10,770.67 of Popkes’s money. Luckily for him, he eventually recovered the money from his banks and credit card companies.
“As a senior, you got no way to make that up,” he said. “As you get older, losing $11,000 on a fixed income is hard.”
Weaker security: police
A Winnipeg police detective got judicial authorization to try to find out who hacked into Popkes’s accounts. The officer filed a sworn affidavit called an Information to Obtain, which CBC News got a copy of through the courts.
In the affidavit, the detective said he is involved in several investigations of SIM swaps/email and bank account compromises in which the suspects are in Edmonton.
“All of the victims had an MTS email account,” he said.
“MTS email accounts have weaker security features allowing suspects to easily compromise them which leads to compromising bank accounts, cellphone accounts and can lead to numerous other accounts people may hold.”
The detective also wrote that he is currently investigating more than 20 fraud files in which the victim’s MyMTS email was the point of compromise.
In the past five years, the Winnipeg Police Service’s financial crimes unit investigated more than 5,000 fraud and cyber-fraud cases
They wouldn’t say how many of those cases involved victims whose financial accounts were accessed through their MyMTS email accounts.
Popkes said he thinks the security question, which can be as simple as “What was my mother’s maiden name?” is a flaw in the MTS system.
“If you can Google an answer to that — that detective said to me, he says, I had the answer to that question in 30 seconds. Why are, why is that question being even thrown into the mix as being asked as a security question?” Popkes asked.
Canadian Anti-Fraud Centre says $283.5 million was lost to fraud in 2022. The centre received more than 92,000 reports of fraud that year.
A spokesperson for Bell MTS said the company improved its security features after being alerted to the suspected fraud by Winnipeg police last December.
“As a result of the investigation, Bell MTS improved a number of threat detection defences like password reset and email filtering protocols to help make our customer and business email accounts more secure,” senior communications manager Morgan Shipley wrote in an email.
Bell MTS wouldn’t say how many cases they are aware of where a customer’s MyMTS email account was compromised.
“Email services regardless of provider can be hacked in a variety of ways such as phishing campaigns, social engineering, password reuse across accounts or other methods, which often have no bearing on the email platform itself,” Shipley wrote.
Cyber-security expert Adam Krieger says the best piece of advice he can offer consumers, whether they use MyMTS, Gmail or any other email account, is to pick a strong password that includes letters, numbers and symbols. Avoid personal details like your birthday, initials or any facts about you.
“In today’s world of social media and social websites, those kinds of details are really prevalent and easy to get. So if you use any of those things in your passwords, that can be a sense of weakness and a way to get in,” Krieger said.
Just because a security question asks for your mother’s maiden name or which high school you attended doesn’t mean you have to answer it honestly, he said.
“The answer [to] those security questions should actually not be the answer for you. They should be a complex passphrase. They should have the same characteristics — be very long and have special characters and numbers in them as well.”
Kreiger had not heard that MyMTS emails were more vulnerable to hackers but said in general, cyber-security is everyone’s responsibility.
“Organizations are responsible for implementing secure standards, for checking their own services, for vulnerabilities and patches, patching those vulnerabilities, and for making secure, secure features available to their customers,” he said
It’s been nearly a year since hackers got into Popkes’s accounts. It took months to clear everything up and change his passwords and contact information, he said.
He wants seniors to know if something isn’t right, don’t wait till your grandkids or kids come over to ask for help. Call Bell MTS tech support right away.
“We just say ‘Oh, I must have done something wrong. I probably didn’t put it in right, that’s why I can’t get into my email.’ And the longer they have hackers who have been there, the worse it is,” he said.