I'd be concerned with this being a T-Mobile customer, but thankfully Equifax already gave all of my personal information to the dark web. So, this seems like a butterfly kiss in comparison.
 
Pro tip from someone that works in Information Assurance, and has been involved in cleaning up several companies’ similar messes: anytime you see “we have no evidence that any customer information was accessed”, you can assume that they have zero logging. They ‘have no evidence’ because they have no logs; they aren’t saying it didn’t happen, it’s just a nice way to make it seem like nothing bad happened. Ask for evidence proving nothing bad happened, and you’ll be met with a horrified stare.

Which is what the GDPR is aiming at — companies need to prove that there was no breach of personal data, by having read logging enabled by default. Otherwise presumed guilty.
 
For all the "uncarrier" stuff that T-Mobile has been pushing for the past few years (which they've already rolled back a lot of), they sure seem to ignore their security.

They screwed a lot of their customers over in the past when they used Experian to run credit checks, knowing full well that their servers might not be secure, but still went along with it. The result? Experian gets hacked, and customers' personal info gets stolen. Then they started asking people to set support line passwords like a month or two ago after scammers were hijacking people's lines in order to get into bank accounts, and now this.

In the end, they quickly sweep this stuff under the rug, and carry on with business as usual.

Did you read that this was corrected in April?

ALL carriers were subject to the porting scam (which would allow criminals the ability to move YOUR phone number to another carrier AND steal your financial info). T-Mobile did notify / warn its customers to strengthen their account security.

Damn. Glad I switched to AT&T recently

I'll gladly stick with Verizon.
Because ATT (formerly Bell South) and Verizon (formerly MCI) are without dirt on their hands? Hahahahaha.
 
While true, that would be a stupid argument for not holding T-Mobile accountable for this egregious failure.

I agree it's just plain stupid what "they" did, they as in the stupid site programmer(s) and a few others, I bet the management knew nothing about it, no reason for them to know.
Doesn't mean the management is not accountable.
 
$1,000....? If anything would make a white hat go dark, this would be it. That's insulting. He should have been paid $25,000 for helping them avoid a $20 million fine. But since there's no $20mil penalty, I guess why would they care about their security. The system is broken.
 
Did you read that this was corrected in April?

ALL carriers were subject to the porting scam (which would allow criminals the ability to move YOUR phone number to another carrier AND steal your financial info). T-Mobile did notify / warn its customers to strengthen their account security.

This is both true and misleading. Yes, technically, any phone (irrespective of carrier) is susceptible to the scam, if the scammer has the port-out pin on your account. However, T-Mobile was the only one of the four major carriers that did not have its customers set a port-out pin upon account creation. So claiming that all carriers were subject to the scam is a bit like saying all cars are susceptible to theft, and neglecting to mention that only one major car manufacturer doesn't install locks on their car doors. Technically a true statement, but ultimately misleading.

T-Mobile did send out a text notification to its customers (myself included) but the wording was abstract, perhaps deliberately so. It said, "We have identified an industry-wide phone number port out scam and encourage you to add account security." "Phone number port-out scam" -- meaningless jargon to the average user. "Add account security" -- what kind of security? What can happen if you don't add that security? They don't say.

Of course, they are sure to mention that the problem is "industry-wide". Misleading, as I pointed out above, but also insidious in that it might lead the user to think that this is a widespread problem that the "industry" was handling, when in fact immediate and specific action by the user was needed. At the end of the day, one can't help feeling that this notice was more about protecting T-Mobile from lawsuits and bad PR than it was about protecting its customers from harm.

I used to be a big supporter of the company, extolling others to switch. Used to be. Now I will be switching to another carrier as soon as my equipment plan is paid in full. They have proven themselves untrustworthy, deceptive and utterly careless when it comes to users' security.
 