Yeah I really don't like the SSN setup going on. Not sure why that became the ONE NUMBER to identify you and a lot of places asks for it.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
T-Mobile Confirms Data Breach, Unclear If Personal Customer Data Was Accessed
- Thread starter MacRumors
- Start date
- Sort by reaction score
At rest encryption and what it protects you from is often misunderstood, and it seems to be here as well.
That's fine for a small database that probably lives on the same computer you access it from, and is offline except when being accessed by a small number of people. It probably protects you from a great deal of scenarios so long as the key to decrypt it is only entered while the database is opened, like File Vault encryption on your Mac.
However, most large companies and apps databases are rarely *at rest*. If I wanted to compromise Mac Rumors for example, odds are good I wouldn't go directly for their database. I'd attack the web app, and if I could inject a shell into the web app, I could use the web app's credentials to the online, not at rest database, and dump every piece of data the always online forum app had access to. It is very likely this is much closer to how this data was accessed than someone simply copying all the at rest files off a database server.
Because of this fundamental problem, I think the real lesson from this hack is simple: *why* do we think it's acceptable for phone companies to even *have* this much info about their customers? They don't need my SSN, my driver's license, or my birthday to give me a phone number.
This question is impossible to answer without veering off-topic into politics. The unfortunate truth is that our society is f***** in ways that are both known and completely avoidable. A 9 digit non-random, immutable number being a primary form of identification being one of them. On a technical level, encryption could be used for secure identity verification with minimal risk of leaking credentials.
Isn't it needed for a credit check? I had to provide one a while ago when I first got the iPhone 3GS from AT&T and they needed my SSN for a credit check.
Prolly because they don’t want to implement an actually safe system to identity people because, MURICA AND FREEDOM. /s
One can only hope they are not hacker’s target of choice since SSN can’t be changed.
I am sure he means well but he doesn't have a clue. lol
Last edited:
This is actually 5th time in 4 years for T-mobile. But this one at 100 million people is their biggest yet.
When someone tells me "rest assured", I am in fact quite the opposite.
Krebs has some more info on his blog
T-Mobile Investigating Claims of Massive Data Breach – Krebs on Security
krebsonsecurity.com
They probably are doing that, but it's not enough. If you own a dealership and only have one person (yourself) accessing the customer info with the key, that's pretty easy to secure. He's only guarding against one particular kind of attack, the database disks themselves being stolen or otherwise accessed.
A big company needs much more sophisticated access than that. Someone or some spyware gets on the inside with the right creds, and they get stuff.
Last edited:
The plans are less nominal $, and you pay later, so they're cheaper in both ways.
GPRS! I remember setting one of those up for research.
Yeah uh you don't want to let strangers into that.
This isn't the case though, it's just that some big companies, like T Mobile, do not want to spend the money to protect their data. They calculate how much it would cost to protect it, and the damage to their reputation and lawsuits if it's stolen. And they find a balance that favours saving money.
Amazon and Google haven't been hacked. And neither have many other big companies. But the key thing is how your data is stored, if it's stolen can a hacker get your data etc.
Well see, this is what happens when T-Mobile USA's Primary Data Servers use the simple, hackable, and non-encrypted password of "VerizonSucks"
Not saying companies shouldn’t be held responsible — they should.
But it’s long past due that we moved past the antiquated SSN system in the US, whereby anyone who gets your SSN immediately has a vast ocean of information and resources at their disposal, including the ability to file false tax returns. Every other modern country I’ve been to has managed to establish a National ID number system that doesn’t automatically unlock troves just by a stranger knowing your ID#.
But it’s long past due that we moved past the antiquated SSN system in the US, whereby anyone who gets your SSN immediately has a vast ocean of information and resources at their disposal, including the ability to file false tax returns. Every other modern country I’ve been to has managed to establish a National ID number system that doesn’t automatically unlock troves just by a stranger knowing your ID#.
I was a Sprint customer too up until June and was worried just the same until I read the report on it from Brian Krebs
“All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”
T-Mobile Investigating Claims of Massive Data Breach – Krebs on Security
krebsonsecurity.com
At this point though, F*** T-Mobile..........they deserve to either go under, get sued into the ground or get bought out for this.
There have been some great tips posted already on how to safeguard info - think I might preemptively act on them here.
Perhaps I missed it when reading the article, where did it state the data wasn't encrypted at rest?
The trouble comes when the remote hacker also captures the credentials / key to decrypt the data or breaks into applications with access to the data. Something you're susceptible to as well.
Last edited: