T-Mobile's Latest Data Breach Linked to SIM Swap Attacks

[sirozha]

The average user is easy prey for hackers, like minnows in the ocean. They snack on them on their journey for larger prey. You were a minnow in their attempt to attack a larger prey (a EU company AKA business with $$$).

I agree that running linux doesn't mean "it's all figured out". You can own a maximum security prison but leave the front gates open.

it was a move in the game of chess, and you're thinking checkers.

Yes, your linux server got hacked, but it was only hacked as a stepping stone towards the larger goal.

Yes, my brother explained to me and I read/watched articles on linux. Essentially today, the majority of the internet and mobile devices "run on linux".

Majority of mobile devices (which is Android and iOS) don’t run on Linux. Android is not a Linux distro because it doesn’t use the Linux kernel. Android uses a modified Linux kernel. iOS is not Linux either. macOS could have been a Linux distro, but the Linux kernel wasn’t ready when Steve Jobs was shopping around for a kernel for NeXT, so he went with the Mach kernel and the rest of history. You can consider Android a sibling of Linux and iOS a cousin of Linux, but neither is Linux.

In fact, a tiny minority of mobile devices run on Linux. I’m happy your brother is educating you on all things IT. Keep learning.

 

[BreakYurAnkles]

Majority of mobile devices (which is Android and iOS) don’t run on Linux. In fact, a tiny minority of mobile devices run on Linux. I’m happy your brother is educating you on all things IT. Keep learning.

iOS is based on UNIX my bad, Android based on unix/linux. So yeah....

Unix/linux is the foundation in which they "run on" ?

 

[bozzykid]

It seems to be that you're the only other soul on this forum that understands this concept.

Prepaid services don't require any personal information (at all, you can be Jon doe for all they care).

So if they get hacked, they can't steal your identity.

This isn't about hacking T-Mobile. This is about using SIM card swap vulnerabilities in T-Mobile's processes. In most of these situations, hackers are using personal information from outside sources to take control of your phone number which they can then use to hack your online accounts.

 

[You are the One]

No wonder Apple wants to transition into eSim. T-Mobile is just attracting data breaches at all times now.

View attachment 1935860

Obviously T-Mobile are completely incompetent when it comes to security. One would think hiring "security experts" would make a difference. But no, evidently KPMG are also completely incompetent.

They have a breach, then send out a spoofable SMS with a link!!!!!! A malicious actor could easily hijack this type of communication and direct the customer to somewhere that installs whatever they like on the device.

It's actually hilarious from a security best practice perspective.

From a customer's perspective it doesn't make a difference if the provider spend money on security contractors or if regulators fine the company. What should be done is to legislate serious cash compensation by the company directly to the affected customers. Considering the value of PII and the risks associated that fee should minimally be in the 4-digits rage, per customer.

Unfortunately this will not happen since the legislators are owned by the corporations. Ever thought about why Big Pharma have no responsibility for the adverse effect their so-called cures create? Same reason.

Corporations own the world.

 

[BreakYurAnkles]

This isn't about hacking T-Mobile. This is about using SIM card swap vulnerabilities in T-Mobile's processes. In most of these situations, hackers are using personal information from outside sources to take control of your phone number which they can then use to hack your online accounts.

you're absolutely right,

But if your carrier (prepaid) has bogus information, how can the hacker confirm the bogus information?

Prepaid
My name is Vincent Van Gogh screw yourself

Birthday? random

address random.

pin choose.

How can they hack a fictitious you? when all they have is your real personal information? they can't swap the sim if they cannot confirm your alias.

when you sign up for postpaid service, good luck. They want everything under the sun, even your blood type and sexual orientation.

Maybe I'm not seeing the bigger picture, I just don't understand where others are coming from when they stick with major carriers postpaid plans (other than customer service, family plans, and financing their phones) and give those carriers most of their personal information which can be obtained online and/hacked.

PSA -
KYC (know your customer) is right around the corner for pretty much everything in the western world so it might be a good idea to get a "burner" number (if they allow grandfather clauses in the future). to keep as a spare on prepaid with an alias attached to it.

I'd rather have it and not need it, than to need it and not have it.

 

[MacCheetah3]

* sigh *

It's not just T-Mobile

A major telecom company that partners with AT&T and Verizon said hackers had access to its system for over 5 years, exposing billions of texts

Syniverse, which is used by companies like AT&T and Verizon, revealed that hackers had been inside its system for years, affecting millions of users.

www.businessinsider.com

Hackers in Cox Communications Data Breach Impersonated Company’s Support Agent to Access Customer Information - CPO Magazine

Cox communications data breach notification disclosed that unauthorized individual(s) accessed sensitive customer information after impersonating the company's support agent.

www.cpomagazine.com

Verizon’s Visible confirms accounts were breached – report

Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained password and login information from “outside sourc | Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained...

www.fiercewireless.com

Not sure why FTC is not doing anything about it. They should be fined. It's the personal data that is exposed out there. It's not fair to the public.

This kind of news is terrible.

Main point: *phone numbers need to be treated with the same respect that SS# do, and protected as such.*

Our phone numbers are just as important as SS#’s now, and if stolen just as potentially devastating.

Two factor is great until your phone number is stolen and paired with other PPI to access bank accounts, etc. (as the article points out).

Has anyone ever tried to get a new phone number? With all the two factors now, and institutions that require phone number for identification, who would go through that rigamarole?!

Exactly.

As much as companies need to be held more accountable, including pushed/forced to apply more resources into security, I think, there’s also more pressure needed on the actual wrongdoer. Companies/agencies need to put more effort into identifying and locating the scammers/“hackers”, then apply murder-level charges (i.e., massive fines and 25+ years imprisonment). And, yes, that includes the small time auto-dealer auto-dialer phone call scammer. I realize this may seem obvious and not an easy/complete fix. However, are there really a respectable amount of resources being applied? These types of attacks have the potential to do substantial damage. /RANT

 

[VulchR]

you're absolutely right,

But if your carrier (prepaid) has bogus information, how can the hacker confirm the bogus information?

Prepaid
My name is Vincent Van Gogh.

Birthday? random

address random.

pin choose.

How can they hack a fictitious you? when all they have is your real personal information? they can't swap the sim if they cannot confirm your alias.

when you sign up for postpaid service, good luck. They want everything under the sun, even your blood type and sexual orientation.

Maybe I'm not seeing the bigger picture, I just don't understand where others are coming from when they stick with major carriers postpaid plans (other than customer service, family plans, and financing their phones) and give those carriers most of their personal information which can be obtained online and/hacked.

PSA -
KYC (know your customer) is right around the corner for pretty much everything in the western world so it might be a good idea to get a "burner" number (if they allow grandfather clauses in the future). to keep as a spare on prepaid with an alias attached to it.

I'd rather have it and not need it, than to need it and not have it.

Using an alias can seriously dmaage your credit rating. Just sayin'.

 

[BreakYurAnkles]

Using an alias can seriously dmaage your credit rating. Just sayin'.

how is that?

Its Prepaid, NO personal information or social security number (SSN) required (at least here in the USA)

 

[usagora]

Will they reimburse the peoples bank accounts that got emptied?

Source for this claim?

 

[usagora]

This kind of news is terrible.

Main point: *phone numbers need to be treated with the same respect that SS# do, and protected as such.*

Our phone numbers are just as important as SS#’s now, and if stolen just as potentially devastating.

Two factor is great until your phone number is stolen and paired with other PPI to access bank accounts, etc. (as the article points out).

Has anyone ever tried to get a new phone number? With all the two factors now, and institutions that require phone number for identification, who would go through that rigamarole?!

Well they'd also need to know your passwords. Just a phone number isn't going to get them far. And if the site uses email or an authenticator app for 2FA, they'd need those passwords as well.

 

[usagora]

It seems to be that you're the only other soul on this forum that understands this concept.

Prepaid services don't require any personal information (at all, you can be Jon doe for all they care).

So if they get hacked, they can't steal your identity.

But for some reason other's can't see that their personal privacy and data are important enough to make that sacrifice.

maybe its the "embarrassment of riches" until they lose it all.

Yeah, all of us with traditional phone plans are just stupid while you two have it all figured out ? Look, do whatever you feel at peace with, but no need to belittle others who don't do what you do. And keep in mind a cell phone account isn't the only place your personal info can be accessed.

EDIT: Seriously, laughing reaction? Guess that's a coping mechanism instead of apologizing.

 

[GIZBUG]

This is why I play 6 bucks a month for Tello.

Play 6 bucks? This some sort of slot machine? Please explain

 

[KaliYoni]

Important note: the type of SIM swapping discussed in MR's article above is made possible by customer service workers alone. It doesn't matter if a customer has real or fake contact information, an account-changes PIN, a pre-paid or post-paid plan, or a physical SIM card or an eSIM. A criminal either persuades an eager-to-help worker to transfer a phone number to the criminal's phone or pays a corrupt worker to transfer control of a phone number to the criminal's phone.

 

[Scotty2Hotty]

Auth apps started on the wrong foot with the most famous one, Google Authenticator, being user-hostile. It was super unclear and difficult to transfer the auth codes to a new phone, and often the answer you found was "you're not supposed to do that." They gradually conceded and added ways to do that, but it's still unclear how to back them up, which has resulted in many users (even tech-savvy ones) being locked out of accounts. If people are relying heavily on account recovery mechanisms, that could actually make things worse.

They need to give up on the idea that people will naturally switch to the most "secure" thing and focus instead on usability first. Apple's built-in 2FA does it right, but it's single-platform.

Then you need to use Authy. I have since 2015. VERY easy to use with multiple devices, change devices, and kill old/unneeded devices. And if you completely loose access to all of your devices, they have a good secure mechanism to get you back up and running. Give it a try.

 

[sudo-sandwich]

Then you need to use Authy. I have since 2015. VERY easy to use with multiple devices, change devices, and kill old/unneeded devices. And if you completely loose access to all of your devices, they have a good secure mechanism to get you back up and running. Give it a try.

I've heard Authy works great, and thanks for the recommendation. But this is about widespread totp adoption, and the flag-bearing totp app is Google Authenticator. Search "authenticator app," and that's all you see. A big protocol like this needs a giant like Google pushing for it, and Google is messing it up.

 

[upandown]

Source for this claim?

None yet for this incident but if you’ve read previous events that’s exactly what happens. The criminals aren’t sim swapping to send you flowers.

 

[Tmobilelied]

I was a victim of the security breach in August and a SIM port in December. T-Mobile lied that they contacted customers, I was never reached about the August breach. I found out when my SIM was ported. The SIM port of my number happened on December 2nd. Within two hours of the port, they had bypassed protections to take over my email and then used 2FA codes sent to my email and phone number (which they controlled) to take over two crypto accounts. They liquidated my crypto to BTC and then transferred out to an UNVERIFIED wallet. I was in the T-Mobile store within 2 hours to have my number ported back to me but damage was already done. I had a sim change block put in my account requiring me to come in person to the store with ID to lift it yet the next day while I was talking to the T-Mobile fraud unit in the phone the call dropped and my number was ported again. I raced to the T mobile store again and found out that an employee in customer care had overridden the block. T-Mobile has done nothing to compensate me or correct the issue. I had just deposited my work bonus in my crypto account before it got cleaned out. I had no money for Christmas and. I timeline for resolution even though they knew this all tied to their employee. Their CEO is lying, it was not a disguised attack or malware but an intentional insider job.

 

[usagora]

None yet for this incident but if you’ve read previous events that’s exactly what happens. The criminals aren’t sim swapping to send you flowers.

Do you seriously think I don't know that? But what their end goal is and whether they actually achieve (or fail to achieve as the case may be) are two separate topics.

 

[BreakYurAnkles]

I was a victim of the security breach in August and a SIM port in December. T-Mobile lied that they contacted customers, I was never reached about the August breach. I found out when my SIM was ported. The SIM port of my number happened on December 2nd. Within two hours of the port, they had bypassed protections to take over my email and then used 2FA codes sent to my email and phone number (which they controlled) to take over two crypto accounts. They liquidated my crypto to BTC and then transferred out to an UNVERIFIED wallet. I was in the T-Mobile store within 2 hours to have my number ported back to me but damage was already done. I had a sim change block put in my account requiring me to come in person to the store with ID to lift it yet the next day while I was talking to the T-Mobile fraud unit in the phone the call dropped and my number was ported again. I raced to the T mobile store again and found out that an employee in customer care had overridden the block. T-Mobile has done nothing to compensate me or correct the issue. I had just deposited my work bonus in my crypto account before it got cleaned out. I had no money for Christmas and. I timeline for resolution even though they knew this all tied to their employee. Their CEO is lying, it was not a disguised attack or malware but an intentional insider job.

You should grab a beer with Tyler Durden

 

[bozzykid]

you're absolutely right,

But if your carrier (prepaid) has bogus information, how can the hacker confirm the bogus information?

Ok, but most people aren't giving bogus information. I would argue the fact that prepaid carriers ask for less info likely makes it easier for SIM Swap hacks.

 

[Solomani]

Maybe it's time for Apple to start their own MVNO company. At least in the US.

And give the lawyers a reason to launch 6 more (anti-competitive) lawsuits against Apple, right?

Just imagine if Apple attempted this in Germany, just to one-up (T-Mobile parent company) Deutsch Telecom. The German government would go ******* crazy and launch a massive lawsuit against Apple.

 

[KindJamz]

* sigh *

It's not just T-Mobile

A major telecom company that partners with AT&T and Verizon said hackers had access to its system for over 5 years, exposing billions of texts

Syniverse, which is used by companies like AT&T and Verizon, revealed that hackers had been inside its system for years, affecting millions of users.

www.businessinsider.com

Hackers in Cox Communications Data Breach Impersonated Company’s Support Agent to Access Customer Information - CPO Magazine

Cox communications data breach notification disclosed that unauthorized individual(s) accessed sensitive customer information after impersonating the company's support agent.

www.cpomagazine.com

Verizon’s Visible confirms accounts were breached – report

Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained password and login information from “outside sourc | Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained...

www.fiercewireless.com

I know right no other company has ever had this issue. Scumbags will always be around to cause harm

 

[nia820]

Just curious, how does eSIM solve this? It’s not like they are actually swapping physical SIM cards…

I was thinking the same thing.

It's easy to get someone's esim if you have their account information. I had to call t mobile yesterday because I purchased another device.

All I had to give was my phone number and account pin. I got it sent to another email other than the one of file. They sent over qr code with no problem.

Physically sims are actually safer, in my opinion.

 

[Premium1]

Just curious, how does eSIM solve this? It’s not like they are actually swapping physical SIM cards…

Only thing I could see is with e-sim it would be on the device so if someone called in and got the #’s changed, it would still be on your device. Although based upon a poster above it seems like even T-mobile is weak on security with that in terms of sending it via email.

 

[tucupeis]

why banks dont issue copies of your credit card to unauthorized people but telcos provide copies of tour sim card to criminals. the telco is responsible and criminal charges should be pressed to the CEO