Has anyone ever tried to get a new phone number? With all the two factors now, and institutions that require phone number for identification, who would go through that rigamarole?!

I just went through this process after having had the same number for 15 years. The process was mildly frustrating but manageable -- it did need to be managed, however. The whole thing was made smoother by having access to both numbers while the info was updated in my various accounts.
 
I used to have a USBank account set up where the only way to access the account was to go to a local branch and show my driver's license. It took me a while working with the local branch manager to set this up with her talking with corporate IT. But in the end it was possible, and gave me a lot of peace of mind having one bank account that I knew would be really hard to hack. Eventually, though, USBank got rid of this option because.... online access is always better. I cannot understand why T-Mobile (I am a long-time customer) does not set up a flag where one can mark an account as not allowing changes unless one goes into a store and shows a driver's license. (I always go to their stores to set up a SIM card in a new phone -- a "once every couple of years" thing as we do not buy the "new and shiny" too often.) Exposure once you have been SIM-swapped is SO HUGE. I guess it is like USBank where they pretty much want to put their customers at risk to avoid a minor complication on the IT side.

Re: USBank... I was fortunate that another bank I work with decided to provide a hardware device for 2FA. Strangely few banks offer this. So I continue to have one account that will be pretty hard for hackers to access as I keep my hardware key in a fireproof safe in a secure location.
 
What infuriates me here is the inability to turn off 2FA mechanisms that I don't want to use (SMS, email -- I'm looking at you!)

Using SMS for 2FA is so archaic and flawed, in light of articles like this. 🙄

 
I follow security and privacy issues closely. Here are some things to know about SIM swapping, since there seems to be some confusion:
  • There are two ways to be the victim of SIM swapping. The first can happen if your phone is lost or stolen. A criminal removes the physical SIM card from your phone and inserts it into another phone. Setting a SIM card password can make this takeover difficult. An e-SIM makes it impossible. The second is the result of mobile phone company call center or store workers assigning your phone number to a SIM card controlled by a criminal. This attack does not require access to your current SIM card or phone. It all takes place on your mobile company's computer systems. A non-tech analogue is filing a permanent change-of-address form with the post office. If a criminal is able to convince a post office employee to accept a change order without checking ID ("Oops! I forgot my wallet at home, sorry!"), all of your mail will be delivered to the criminal's address.
  • SIM swapping is different from identity theft. Taking control of your phone number doesn't inherently give a criminal usable information. For example, if you lost control of the number assigned to an old-school Nokia flip phone, a criminal wouldn't be able to do too much without knowledge of more of your personal information. Or in the post office analogue above, a fraudulent change-of-address wouldn't matter much if you use e-delivery for all your bills and financial statements. All the criminal would get is a bunch of junk mail.
  • There isn't much customers can do to directly defend against SIM swapping done by mobile phone company employees. Either eagerness to be helpful (the social engineering pathway) or actual collusion with criminals (the corruption pathway) makes back-end system SIM swaps happen.
All this means protecting yourself against back-end SIM swapping involves three things, in my opinion:
  1. Be careful about sharing information online that would make you a target for SIM swapping (say, bragging about massive cryptocurrency holdings).
  2. Avoid using text messages as much as possible for two-factor authentication. Authentication apps or, even better, physical security keys are not affected by SIM swapping.
  3. Use either a landline number or a Google Voice number with websites that allow only voice or text-based 2FA. Both of these types of phone number are a lot more difficult to take over.
----------
Some useful links for anybody interested:


 
So I don't get it. *someone* walks up to people and asks for their SIM out of their cell phone? They want to 'swap' it, like out of the blue?

I feel like I'm missing something in the description, but also realize that people will do the strangest things if people in authority tell them to. I keep all of my old SIMs if they are replaced. One 'youngling' at AT&T told me I didn't need it anymore, and I had to almost break his arm to get it. Just in case. It was in MY iPhone. I don't know what's on it. I had a Windows Phone that could store the contact list on it. Yeah, great idea. That OS kept deleting my contact list. But, back to this.

Would an eSIM actually help? You are swapping something hardware for something software. Hmm... Call me old fashioned, but...
 
You're not wrong, but be very careful about saying this outside of a Mac forum. You'll be slaughtered.

And you know that Macs are UNIX, right?

They are a Mach/BSD kernel. Better in some ways, and not others. I don't pretend to know. My limited excursions into BSD/Mach land have been disappointing. So much of what happens 'down there' has been disabled, or tweaked. Some, back 10 years ago, seemed to work, but the levers, buttons, and lights weren't connected to anything. Weird...
 
SIM swapping has nothing to do with physically swapping SIM cards. SIM swapping is when your number is “swapped” onto a new SIM card which is controlled by a bad actor. eSIM does not help. Best thing to do would be to type in “sim swapping” in Google and read some articles - that should give you more information about this attack vector.
 
The internet is becoming dangerous to be online.

My bet is that T-Mobile is using Windows servers connected to the internet. Windows servers are very hard to keep secure.

Unix and Linux servers are the best Internet servers.

I'm even going Linux on any computer connected to the internet.

Keep my Mac network offline. All the NSA snooping too.

TAILS.... live Linux boot CD with Tor.

BS. Linux can be hacked as easily as Windows. My Linux NAS was hacked into and became a bot attacking a server in Europe. This was 10 years ago. The NAS was behind a firewall. How they got into my NAS and hijacked it is anyone’s guess. I had no cloud access configured on it. I ended up having to wipe the OS partition completely on it because Time Warner Cable turned my Internet access off due to my IP attacking a company in Europe and the company lodging a complaint with Time Warner. The guy whose server my NAS was attacking sent me a log from his servers. My NAS was doing a dictionary attack against admin credentials on his server. It was definitely a bot script run on my NAS by hackers.
 
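The dictionary attack described in the post above is what the European admin's login log would have recorded, and the same check run on your own box is how you would notice you are the source. As an added example that is not part of the post, here is a small Python detector run over constructed OpenSSH auth.log lines. It assumes the targeted service was SSH (the post does not say which service was attacked); the hostname, PIDs, fingerprint and IP addresses (documentation ranges) are made up, and the 5-failures-in-60-seconds threshold is a tuning assumption.

```python
"""Spot an SSH dictionary attack in sshd auth-log lines.

Added example, not from the post. Parses the traditional syslog-format lines
OpenSSH writes to /var/log/auth.log and flags any source address that fails
`threshold` logins inside a sliding `window_seconds` window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. 203.0.113.5, 192.0.2.44 and 198.51.100.7 are documentation
# (TEST-NET) addresses; 'bob' is a legitimate user who mistyped twice, 'alice' logs
# in normally, and 203.0.113.5 is the bot working through a username list.
SAMPLE_LOG = """\
Dec 29 21:13:10 srv sshd[2101]: Failed password for bob from 192.0.2.44 port 50110 ssh2
Dec 29 21:14:01 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 29 21:14:02 srv sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Dec 29 21:14:03 srv sshd[2215]: Failed password for root from 203.0.113.5 port 51236 ssh2
Dec 29 21:14:05 srv sshd[2217]: Failed password for root from 203.0.113.5 port 51237 ssh2
Dec 29 21:14:07 srv sshd[2219]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Dec 29 21:14:09 srv sshd[2221]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2
Dec 29 21:14:30 srv sshd[2290]: Failed password for bob from 192.0.2.44 port 50111 ssh2
Dec 29 21:14:40 srv sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:c29tZWZha2VmaW5nZXJwcmludA
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)


def parse_failures(log_text: str, year: int):
    """Return (timestamp, source_ip, username) for every failed-password line.
    syslog timestamps omit the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                  # successes, other daemons, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, threshold: int = 5, window_seconds: int = 60):
    """Flag a source that produced `threshold` failures inside any sliding
    window of `window_seconds`. Returns {ip: summary} for flagged sources."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits[ip] = {
                    "failures": len(times),
                    "users": sorted({u for _, u in attempts}),
                    "first": times[0].isoformat(),
                    "last": times[-1].isoformat(),
                }
                break
    return hits


def scan(log_text: str, year: int = 2021, threshold: int = 5, window_seconds: int = 60):
    """Parse then detect, in one call."""
    return detect_brute_force(parse_failures(log_text, year), threshold, window_seconds)


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried {info['users']}, "
              f"{info['first']} .. {info['last']}")
```

The sliding window is what separates a bot from a person: bob's two typos a minute apart never trip the default threshold, while six failures in eight seconds across three usernames do. In production the flagged address would feed a block list (fail2ban does essentially this), and the "invalid user" variant is worth weighting higher since it means the attacker is guessing usernames, not just passwords.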
My brother is a CS engineer/programmer who exclusively uses Linux. (all day every day, every machine he owns)

This is his explanation to a computer novice (me)

While Linux is LESS likely to get hacked, it's easier to manage and see what's going on and control the system in Linux. NO SYSTEM that is connected to the outside world (internet etc.) is 100% safe, period. Even if it's not connected to the internet it can be gamed, and broken into.

Linux is the "cleanest dirty shirt in the dirty pile of laundry"

"Hackers only attack where the majority of opportunity is....$$$ = big business, which the majority of the time, use Windows."

"hackers don't want to spend time hacking 'Mom & Pop' when they can go after millions/billions with the same time and effort already being used"
 
This is why authentication apps are the way to go nowadays. Unfortunately a lot of companies still don't support using them. Hopefully in 2022 we will see widespread adoption. I've started using the new one built into Apple devices and it works well.
You can correct me if I’m wrong but if Apple wants to be useful then maybe they should be useful. They have been touting so much about passwords and authenticators yet to retrieve a password you have to go digging into settings. Need a two-factor code? Dig into settings. Want to use passwords on your Windows PC? Install iCloud and hope the browser is supported and your company doesn’t block iCloud.

If Apple was serious about passwords they would have a dedicated app with Apple Watch support. They would also have a much simpler multi-browser extension. Most importantly…. an export function. I refuse to migrate everything to a platform that is a one way trip and the excuse is protection. I would be all for it if I wasn’t having to dig out a 20 character password because I’m not on an Apple device.
 
It would be great if you could lock your sim like a credit lock.

Anything less just seems open to social engineering attacks.
You can lock your SIM so that no changes can be made without the code. I did that when I used a physical SIM.

The problem here is several employees not following proper procedure and customers not properly securing their accounts. Both parties are at fault.

T-Mobile should fire the employees in question.
 
Hackers don’t want to attack “Mom and Pop”? Heard of botnets? What are botnets? They are thousands, tens of thousands, hundreds of thousands of “Mom and Pop” devices. Also, the majority of servers used by the majority of companies are no longer Windows servers. The majority of servers out there are Linux and Unix servers running in the cloud.

I’m not saying Windows is more secure than Linux. I’m saying running Linux, especially without any protection, is no guarantee you won’t be hacked - even on a desktop.

I was under the delusion Linux couldn’t be hacked until my own Linux NAS was hacked, which in the beginning I didn’t even accept as reality because of the “Linux couldn’t be hacked” mantra.
 
The average user is easy prey for hackers, like minnows in the ocean. They snack on them on their journey for larger prey. You were a minnow in their attempt to attack a larger prey (an EU company AKA business with $$$).

I agree that running linux doesn't mean "it's all figured out". You can own a maximum security prison but leave the front gates open.

it was a move in the game of chess, and you're thinking checkers.

Yes, your linux server got hacked, but it was only hacked as a stepping stone towards the larger goal.

Yes, my brother explained to me and I read/watched articles on Linux. Essentially today, the majority of the internet and mobile devices "run on Linux".
 
This is why I pay 6 bucks a month for Tello.
It seems to be that you're the only other soul on this forum that understands this concept.

Prepaid services don't require any personal information (at all, you can be John Doe for all they care).

So if they get hacked, they can't steal your identity.

But for some reason others can't see that their personal privacy and data are important enough to make that sacrifice.

maybe it's the "embarrassment of riches" until they lose it all.
 
When I was younger my dog knocked over a lamp breaking three bulbs that cost about $50 each. I didn't personally cause the damage, but because I failed to watch the dog I assumed responsibility for the replacement cost. This wasn't a 'bad actor' but a company that didn't properly manage access. It doesn't matter if this is T-Mobile's fault or not, they are responsible for protecting their customers' privacy. Being sorry isn't sufficient. They should have to contact each customer that was affected and ask them 'what is your private data worth to you?' Then pay them that plus a 20% markup for not getting permission to distribute data before allowing it to be accessed.
This. People and companies try to use I’m sorry as a liability waiver and often they aren’t sincere.
 