T-Mobile has had recurring data security deficiencies. I know because I served as CTO of the FCC's Enforcement Bureau, before returning to academia.
In 2017, the FCC determined that T-Mobile had violated federal law in a data breach involving customer credit information [1]. There was reportedly no fine because Congress has imposed a strict one-year statute of limitations on FCC enforcement actions.
In 2020, the FCC charged T-Mobile with again violating federal law in failing to protect customer ___location information [2]. The FCC proposed a $91.6M fine, widely criticized as insufficient at the time [3-4]. I don't believe the FCC has finalized or collected that penalty.
There have been several other incidents, including in 2018 [5], 2019 [6], early 2020 [7], and late 2020 [8].
I hope there has not been a new data breach. But if there has been, this is the latest in a pattern, and the incentives have to change.
Thank you for that context. It seems like breaches are happening every month now. What do you think needs to happen to ensure these gigantic companies secure data? I can imagine (a) new legislation enabling bigger, swifter fines or (b) anti-trust action. Do you think we should prioritize one over the other, do both, or something else?
I remember this happening in real time. People were losing their minds over it. I really hope that PR rep got fired, they have no business doing anything related to telecommunications.
Absolutely agree that the incentives have to change!
What does the FCC consider to be "reasonable measures to protect the confidentiality of its customers data"? Is there a document somewhere that outlines the best practices they expect you to follow?
I might be able to better convince my employer to prioritize security work if I had something like that to point to.
So the only fines that T-Mobile has paid are for the rural call call completion issues then?
Crazy that they can get away with regional and nationwide voice outages, SSNs and TINs repeatedly being leaked en masse, and the only fines they get are for rural call completion...
I feel like companies like this should have to register a data breach like this in a national register, and then should someone become a victim of identity theft, the companies on that register associated with that person should bear the costs associated with that theft (importantly without the victim having to show that it was a direct result of that breach). E.g. John Smith ss#123-45-6789 (T-mobile, Experian) has a false refund filed in his name, $10k in legal costs associated with clearing his name, t-mobile and experian each owe him $5k…
Until companies are held accountable for the negative externalities they are causing, this won’t end.
You shouldn't become a victim when a bank opens a fraudulent account.
The law shouldn't be that someone else has to pay the costs, the law should be that you tell them to prove it was you that acted to open an account and they go pound sand if they can't do that.
Yes - “identity theft” in common usage has been a phenomenally successful effort by financial companies to shift the cost of their negligence to the consumer.
Yes even the name itself implies the burden should be bourne by the individual. It's a fantastically successful disinformation campaign. We should refuse to call it "identity theft" and call it "identity fraud" instead.
This is the correct terminology. If someone opens an account with a bank using false credentials that’s just fraud. And the victim here is the bank, not the individual.
> Libel is a method of defamation expressed by print, writing ... that is injurious to a person's reputation, ... or injures a person in his/her business or profession.
Note, the person who "had their identity stolen" (that phrasing is an absurdity, twisted language designed to obscure and defraud the truth) was never a party to the deal. The only parties relevant here are the bank and the person that defrauded the bank. The only victim is the bank. Nobody here is arguing that this problem doesn't exist for real people, we're saying that it's insane that it even exists at all.
> ... no consumer may bring any action or proceeding in the nature of defamation, ... or negligence with respect to the reporting of information against any ... person who furnishes information to a consumer reporting agency ... except as to false information furnished with malice or willful intent to injure such consumer.
In order for it to be a willful intent to injure, they have to believe it's not you and report that is is in order to knowingly tarnish your reputation. Generally if they publish bad data about you it's because the data they have is bad. It's not because out of all the accounts at JP Morgan Chase or Wells Fargo or wherever some faceless drone decided your faceless account needs to be specifically and maliciously lied about.
Opening an account or the existence of one isn't "negative information."
Sure, but I meant if they're reporting you to a credit agency for owing money or whatever. That is them publishing false information about you that will have negative consequences for you.
It's false information though, if the person hasn't opened an account. It might or might not be negative based on what the recipient of that information deduces, but it's definitely false.
The problem would be intent: my understanding is that in the U.S. at least you would have to show that they knew it was false when they published it or refused to correct it. If they simply say “technical error, we fixed it” I think your odds of reaching that bar would be quite daunting.
My identity was stolen after the equifax breach. The only cost to me was the gas it took to drive to the police station. Verizon and AT&T had automated systems where I input some information and the key part was having a police report number from the local PD. Once I had the police report everything was removed including the credit reporting. I had to call enterprise rent a car to get some stuff cleared but they even removed an overdue parking ticket from Santa Clara (never been to California).
Nordstrom was the only proactive party they called me immediately when they noticed someone filing out a credit card application in another state.
My (limited) understanding is that this is the financial companies problem in every case except for when your payment information is stolen. In which case it becomes a hot potato of whoever is out the money is the one who is liable.
If a bank extends credit to someone without doing their due diligence, they’ve definitely been defrauded but that’s between them and the crook, not the person the crook was claiming to be.
The Fair Credit Reporting Act of 1970 was/is promoted as a great milestone in helping people to get protection from secret databases that companies were creating on the whole populous. That part was true and it did prevent this problem that was arising of mass secret corporate dossiers on everyone (but secret government dossiers on everyone, of course still fine). On the other-hand, it gave the credit bureaus legal protection in creating these databases and people could only recover actual or statutory damages, attorney's fee, court costs and punitive damages if the violation was willful.[1]
Since all those false reports ("identity thefts") are never willful on the part of banks and other lenders, there is almost no penalties that can be brought. The consumer bringing the most reasonable charge of libel against a credit bureau is specifically prohibited by this law, if the credit bureaus follow all of the rules (allowing people to see their reports, removing false info (good luck with that), etc.). If not a case of regulatory capture at the time, then at least this law needs to be updated given how important credit reports have become, how easy fraudsters can get your report tarnished, and how hard it is to get your reports corrected.
I agree. Surely there are cases where people have sued the bank or whatever provider for opening an account in their name. It seems like I should just be able to send them a certified letter that says no, i didn't open that account, please close and correct your credit reporting unless you have proof otherwise. If you don't comply I'll see you in my nearest small claim court. Seems like it would be an open and shut case.
Alternative: Banks are incentivized to better authenticate people, rather than relying on faulty KBA and public IDs like SSNs—information that is often leaked and can be phished.
That being said, none of the compromises described in the comment chain thus far required action on the part of the consumer; they all involved compromises of third-party companies. Like T-Mobile.
Bank has to prove its you if there are debts. Just knowing your personal info isn’t enough. End of the day bank is eating the loss. The challenger banks lose millions in fraud per year with fake accounts.
Recently a lot of EU/UK banks allow you to open an account simply by shooting one or two videos from your phone. You usually have to say something specific (to prove it wasn't a pre-recorded video) and also show your ID card / passport as identification, but that's it!
that's weird... you can do some stuff here over the phone, but it's a videocall, and you have to record your documents from all angles, but that's for existing customers with a registered phonenumber and banking app.
This is one example (another one is allowing people who cannot read or write to create legally-binding video statements) where it would be handy to be able to prove that a particular video came straight from a camera.
This falls under the general heading of "remote attestation" technology (as the person I am replying to probably already knows).
The US has passports.
The states do. They're called a driver's license. IDs are also issued to those that don't drive.
It's a great idea to have for financial security. It's an even better idea to require them for election security.
In the U.S., I've opened all of my checking accounts and credit card accounts online. The only thing I've ever had to do in person was sign for a home mortgage.
...at first blush, I like this line of thinking, but I wonder what the side effects would be. If banks make it much harder to open accounts, that might hurt poorer folks the most, and perpetuate inequality.
Not the person you’re replying to, but every well-intentioned regulation has a negative impact on someone. It’s always worth asking who, and whether there’s some way to mitigate the impact on people who are already struggling to make ends meet.
Being poor is incredibly expensive and exhausting.
It seems a bit weird to try to fight inequality by reducing regulations on banks and make it easier for them to blame consumers for the banks mistakes.
I consider myself a liberal, I'm broadly in favor of more regulation, and I might even be in favor of this regulation given something to assuage my initial concerns (because as I said, I like the idea).
But I believe there are also lots of well-intentioned but bad regulations, and so they need to be considered carefully!
Well, if you were a bank, and you knew you would be on the hook for a zillion dollars per fraudulent account, wouldn’t you respond by being way mire rigorous about who can open accounts? The potential profit no longer outweighs the potential liability, so you’d certainly want more forms of ID—you might even want to start fingerprinting customers or some such.
Even well-intentioned regulators are pretty incompetent given the fact they work for the government and all the nonsense that entails. Add in the fact that most regulators are just shills for whatever companies they're supposed to be regulating and "striking a sensible balance" between any two ideals seems pretty unlikely.
Why would adding an identity check or additional process harm poor people the most?
It may harm the rich the most, in my opinion, since retailers wouldn’t as easily be able to trick you into a new credit card as part of the checkout process.
People with stable living situations can more easily keep track of all their official paperwork and spend the time needed to understand the application process. They also have more access to the internet to do things remotely.
Poor people are more often in less stable living situations and it's easier to lose track of documentation. Not to mention unhoused people who don't have a safe place to keep track of things either and often don't have up to date identification in the first place. Also, with less access to the internet to do things remotely it's more common to need to take time off work to go to a physical branch which may be very far away, requiring taking multiple busses just to prove their identity.
Of course adding more security is important, but it has tradeoffs like this that harm the poor that need to be considered.
That is the law. But your legal rights are worthless if you can't afford a lawyer, and only in very specific circumstances does the law say the losing party has to pay the winner's fees.
Unfortunately, the US government doesn't take identity theft seriously from a criminal prosecution perspective. At least not when it's affecting regular Americans.
On the bright side, identity theft insurance is very inexpensive because costly claims are rare. Most homeowners insurance policies include identity theft coverage.
THe cost of identity theft is only partially monetary. A huge component is the ongling (sometimes lifetime) fight to reclaim your person, reputation and wel... identity. My homeowner policy may cover the cost of a fraudulently issued credit card, but no one at my insurance company will spend days, weeks and years trying to straighten out my credit issues and chasing down the many knock-on effects the fraud is going to cause.
Agreed. I was the victim of identity theft when I was 11 or 12. Someone opened up a bunch of accounts in my name and went wild. My mom spent countless hours on the phone with the credit agencies back then (which is more than most people would have done), got in touch with lawyers, etc., but it didn’t actually solve anything because when I was 18, there was still stuff on my credit report, which took another year and another period of resubmitting the same paperwork, affidavits, and other information to say that no, when I was 12 years old, I did not open an account with X credit card company or rent an apartment with X place, which delayed my own ability to get credit as an adult.
More than 20 years later, I still have to pay for credit monitoring services because sometimes I’ll see stuff from the 1990s resurface and I have a backlog of documents that I have to deal with to get stuff straightened out.
When I moved to Seattle a few years ago, suddenly my credit report was empty. As in totally blank. I didn’t have any open credit cards at the time (personal choice; I’ve sense had a change of heart and have embraced trying to use credit cards to my advantage, always paying them off each month), but it showed nothing. Which was weird for a person in her 30s. This made renting an apartment difficult, despite having nearly double the required income. It turns out, when removing false claims off the report for the umpteenth time, everything was erased. I eventually got that sorted out but I still have no idea if my credit report is actually accurate, except that my score is in the 800s now thanks to said credit cards.
The only upside is that I’ve become so desensitized to the entire process that every time Equifax or some big database is hacked, I’m almost blasé about it. I’ve gone through this so many times, I know the drill. I know the time sink. I know the process. Whatever.
But insurance doesn’t solve that. It’ll cover the cost of the monitoring services and maybe some legal costs in the event you have to actually take something to court, but it won’t recover the time you have to deal with the insurer or the agencies themselves. In fact, I’d gladly pay a fee if it meant that not only would my shit be monitored, but someone would sit on the phone and submit all the paperwork on my behalf. Because that’s the part that is the most infuriating.
There are lots of reasons for insurance. One kind of insurance (liability) is to protect you in case you screw up. Other kinds of insurance (e.g., uninsured motorist, fire, etc.) are to protect you in case other people screw up.
Absolutely—AFLAK for identity insurance. The free attach plans are pretty thin, most retail contracts will include their man hours to waste away with the credit card companies and fair Isaac / credit bureaus — but it’s obviously more $ than “free with purchase”
Plus money for the wasted time and stress this causes. Often people won’t be responsible for huge financial outlays once these issues are resolved, but it can take countless hours and an unmeasurable about of stress to get there.
> should someone become a victim of identity theft
The only reason identity theft is a thing is because federal law[1] doesn't allow consumers to sue creditors or credit bureaus for inaccurate information about the consumer unless they were doing it out of malice.
If the law was changed to allow consumers to sue them for damages, you can bet that they will be far more diligent in verifying the identity of the person they're entering into a contract with.
Sure, but the problem stems from a malicious actor fraudulently saying they're someone else and having the same info to back that up as the person themselves would, kind of like credential stuffing attacks on websites. Short of doing some sort of facial recognition (like id.me's selfies[0] perhaps), if someone knows your SSN and where you lived as a child, how do credit bureaus verify identity?
This is the point of national IDs, trust anchors, identity proofing, etc.
Credit reporting agencies and financial service providers should be required to use a government provided identity provider (Login.gov is getting there; it’s currently only offering identity services to federal agencies and select state and local governments) or in person proofing with government IDs to verify identity. If they don’t, they are entirely liable for the transaction(s) and related losses, instead of rolling the dice with security question voodoo and foisting the liability on consumers.
Solve digital identity and you solve identity fraud.
It's hard and there is a lot of weird pushback against national ID cards. E.g. In the UK they had it and then abolished it after public backlash. To me it's utterly backwards to not have one and then point the finger at banks as if they can have a magical investigation and "due diligence" department that can solve fraud and figure out who is who.
Retail stores in the US are required to verify the age of those purchasing tobacco products and alcoholic beverages. They typically limit the types of identification they accept and they could lose their license to sell those products if they sell to those who are under age.
There's absolutely no reason why banks can't do something similar (actually more stringent) when extending a line of credit. The PATRIOT act in the US requires banks to verify the identity of those trying to open an account or secure a mortgage loan, so requiring something similar for lines of credit shouldn't be out of the question.
The root cause of the issue is the law I referenced in the comment[1] that started this subthread. If consumers were able to sue banks and credit bureaus for false information, then banks would have much more incentive to be more diligent. Right now, they can offer "identify theft protection" service where the consumer has to pay them instead. That doesn't give them incentive to be more diligent, and, quite possibly, has the opposite effect.
>Right now, they can offer "identify theft protection" service where the consumer has to pay them instead. That doesn't give them incentive to be more diligent, and, quite possibly, has the opposite effect.
And then the identity thieves will just have to fake those. What's next, calling your landlord for a reference and asking them to send a photo of you to check that it matches the photo you submitted? The goal posts are guaranteed to move.
>And then the identity thieves will just have to fake those.
Are you really just handwaving being able to make fake passports or fake government issued identification cards, as if that is basically the same as just knowing someone’s SSN and a couple other pieces of information about them? What a ridiculous argument. ID cards are required to have multiple security features to prevent reproduction without highly specialized equipment, to prevent altering or tampering with existing cards, and to have multiple ways of detecting counterfeiting or altering of cards. There is no “what’s next” because identification cards are already incredibly secure.
No, I am a big advocate of offloading the security/verification to the government. I.e. National ID Cards, which are definitely hard to fake and I agree with you fully.
The person I was responding to mentioned "multiple forms of identification". At the moment (and I could be wrong) some of these valid forms of identification are things that can be bootstrapped, faked or social-engineered into getting relatively easily. E.g. municipal bills, driver's licenses, birth certificates issued from hospitals, etc. (e.g. look at here for UK https://www.hsbc.co.uk/help/banking-made-easy/help-us-identi... ). Once you get one of those, you can with effort start acquiring more and more of those other ones. And they would all be 100% legitimate and not fake, which is the crux of the "identity theft" problem, as you can't prove who you are even with real documents as the other person has real ones too! I guess I used the term "fake" in my original response a bit loosely.
Point is, we're skirting around the real issue. We have no "chain of proof" or "evidence" from the time you were born to the point in time that you have to start using your identity for formal things. It's all based on layers and layers of multiple people, possibly incorrectly, "vouching" for you by saying you are who you say you are.
This doesn’t really feel like a real problem in first world countries. While it is possible to get a drivers license or birth certificate fraudulently, it is definitely not easy. And each step of the way, you are taking a huge risk of being found out and facing severe punishment, especially since many of these forms of ID require to see you in person, and take/verify your picture or other biometrics (passports, driver’s license, biometric residence permit, national identity card, etc). It is a huge amount of time and effort, where you are exposing a significant amount of your own biometric information, in order to commit some sort of financial crime using that identity. That is orders of magnitude more risky and more difficult than using some pieces of information you stole off the internet to commit a financial crime, also over the internet, without exposing any biometric information about yourself.
Then, when the “real” person asserted the falsehood of your identity, regardless of your real ID cards, it would still be easily provable that you were not the real person. For instance the real person could have their parents verify their identities and certify that the birth certificate you both have a copy of is legitimately tied to the real person and not you. Unlike now, where you can just walk away from some fake accounts and internet information, there is biometric data linking you to multiple serious crimes.
Is it something that could happen, and probably does? Sure. Is it something that would happen even 1% as often as identity theft related financial crimes happen under the current system? Absolutely not. It feels like the current problem is banks being robbed because they are storing their money in a cabinet next to the glass front door, and you are arguing that if banks build vaults and security systems that bank robbers will just bring huge industrial drills with diamond coted bits to break into the vault over multiple hours while bypassing the security system. Sure, they could do that, but bank robberies will still drop to almost nothing compared to before.
With passports and real id standard driver's licenses along with other photo ID, I imagine it would be a lot more difficult for a fraudster to open a line of credit in someone else's name in person as easily as they could do now.
Running with this idea, then as a customer, John Smith shouldn't have to even think about 10k worth of legal costs to clear his name. It should be cleared for him.
Basically multiple layers of regulation in the form of consumer protection laws that put the onus on businesses to be accountable for what they do. You can't blame the victim for having their identity stolen just because they chose T-Mobile over a competitor, or expect them to fight the case in court (which most people won't do because it's too expensive).
A lot of incidents get reported to the state attorney general offices that the customers reside in, as well, but that is less convenient to keep an eye on since there are 50 of them.
These don't really make the news because there are just too many of them to keep up with. One of my clients recently had to send breach notifications to all their customers and it did not even make the local papers. This is a town of 20k people where nothing ever happens and apparently that wasn't enough to waste ink on.
The takeaway here is that there is infinite work available for security incident responders, if you are looking for a change of pace.
You could get your identity stolen from many different places. Just because your ___location data was leaked, doesn't mean T-Mobile should be on the hook carte blanche for any identify theft you face in the future.
Can you really not see this leading to massive fraud?
It seems like a great incentive to not have leaks, share information, or hold onto information they don't actually need.
Cell phone companies ask for social security numbers (SSNs) to do a credit check when opening post-paid accounts. Most people don't know any better, so the give out their SSNs. The companies can just delete the SSN after they use it once, but they don't. That should be on them. If I was a company, I would not want to take on any more responsibility than necessary. These companies decided to take on the responsibility, so it is on them.
There already is massive fraud. It is just committed by huge corporations that use their size and money to shield themselves from accountability. Which is the better scenario? The current one where companies, that are already proven to have negligently allowed someone’s data to be leaked, drag out and exhaust legitimate claimants against them, allowing them to profit off their negligent activities and leave countless regular people as victims with little to no compensation. Or one where legitimate claimants are able to quickly get compensation, but also claimants that were victims of a company’s negligence, but their identity theft did not come directly from that negligence.
The “fraud” you imagine would require both that a company is negligent with someone’s data, exposing them to the risk of identity theft, and that the same person is the victim of identity theft in a totally unrelated way or unrelated reason. That isn’t guilty until proven innocent, because it is proven that the company was negligent and did allow data to be leaked. If it makes you feel better, we could just fine them $10,000 for each person’s data that was leaked right off the bat, and then hold that for all future claims where those people end up having their identity stolen.
Wouldn't the register be metadata about the breach? Why would it include the actual breached data? This would be essentially "Have I been Pwned" with some legislative teeth and funding - perhaps from the penalities imposed on the offenders!
A couple of weeks ago I was receiving someone else's T-Systems internet contract and personal data via email. The customer was from Munich. I live in The Netherlands. I was more than 10 years ago customer of T-Mobile Austria.
I immediately informed T-Systrms via their crappy contact form on their crappy website. After a couple of days I received an e-mail which I could not reply to, asking me to provide more proof that I was receiving someone else's emails through. It also said I can't reply directly to the email and I had to provide this info via their crappy contact form on their crappy website.
I refused to do so, since I had already given them the name, address, and customer id of their new customer and it seemed that the procedure is going to be unnecesarily time consuming.
After that I received emails about tracking of a package containing the hardware for the internet connection. Then I received an email that nobody was home to pick up the delivery and when the next attempt will be. UAnd utimately that the package was going to ve returned. After that I guess the customer got in touch with T-Systems and fixed the email error.
Nobody from T-Systems contacted me asking to destroy the documents and emails containing someone else's personal data.
Knowing how Deutsche Telekom operates, I find it unlikely that the German branch and the Austrian branch share enough systems to make accidental data sharing possible. Deutsche Telekom is a labyrinth of branches, departments and companies, each with their own systems and processes.
It's more likely that the person gave the wrong email.
This happens to me all the time, as have my lastname @gmail.com, and my name is not as unique as I thought. I typically contact the real person via some other information leaked in the email.
I once had a lady accuse me of cyber-stalking her, since I texted her when I started getting her Verizon internet information (bills, shipping info for equipment, etc). I finally managed to explain to her that she'd given them the wrong email.
My wife worked selling cell phones for a while. Apparently there are a huge number of older people who don’t understand that just because they put the email on the form that doesn’t mean they own the email address.
It's not just old people, many people who aren't techies think that entering an email address into a Telco form means they're ASKING for that email address. I get multiple emails per day for all sorts of services from all over the world because I was an early Gmail user with a short account name. Most are people signing up to new phone/internet/etc services and they have my name as their first or last name.
Got my t-mobile SIM hijacked and the hackers changed my email, then tried to get access to my Coinbase account. Thank god I was using a 2FA app for the latter.
To this day I don't know how the hackers did it. Thru social engineering on phone? In person at an agency with fake id? Or a corrupt insider working at T-mobile.
This happened after the Ledger hack. My SSN was also leaked in the Equifax hack. This experience made me realize how much of a joke the concept of "identity" is in our society. It can be bought and stolen like any asset.
Google Fi is resistant against SIM swapping[1]. They would have to hijack the google account associated with the Google Fi number in order to transfer the phone number.
I wonder if Google Fi customers PI is apart of this data dump. Since Google Fi uses T-Mobile networks[2].
Now you're just vulnerable to Google shutting down your account with no recourse. It's rumored that can be triggered by a credit card decline due to fraud.
I presume that can also happen with T-Mobile, Verizon etc. As long as you follow the Terms of Service then you should be ok. I've read the stories on HN about people's Google account being supposedly arbitrary closed. But in the comments someone from Google usually replies that they investigated the incident and the account closure was valid.
I would hope that Google would cancel the service and release the phone number if an account is closed. T-Mobile and Verizon has actual retail stores. But I doubt retail staff could actually help a customers account that was closed due to fraud etc. I chatted with a Google customer rep and they said that they could recover a phone number from a deleted Google account if the person still had the original sim card + a new Google account.
Yes, you should be ok. But if you aren’t, there is no mechanism for you to fix it or recourse to contest it. You are simply at the mercy of Google and what they decide to tell you and decide to provide to you. Maybe consumers should not have important services they rely on dropped arbitrarily. Maybe consumers deserve more than “Google said they investigated and said it was valid, so case closed”. Maybe rights and protections should not default to the massive powerful company, but to the individual with no a fraction of the resources. Maybe we should recognize that those two entities are not on equal footing and that maybe the burden should be on the entity with an army of lawyers and not the entity with no legal training.
It has been a bit over a year now but my T-mobile SIM was hijacked twice in one weekend. After the first time I reset the PIN to a six or eight digit PIN expecting that to be good enough. After the second time I made it even longer. That said, I believe that it was some sort of inside job and the PIN was never actually needed. I vaguely recall some story in the following months regarding prosecution of T-Mobile staff for related activity.
I don't know where you are, but in America you can request SIM replacements with the same number. These should be only in cases where you lose or damaged the original SIM, but either some staff got a bit lenient or the impostor have forged the necessary documents to prove ownership. Oh, and you can request it on-phone too (plus mailbox interception!)
It seems that in this case, the poster alleges that some staff might be actually involved in this process (which in this case, it's game over).
Like, contact the customer service hotline, and since they're sending the SIM card through the registered address, someone must get it in delivery. Alternatively, just literally ask the customer service to change the address. They should checked these kinds of requests, but considering that currently the T-mobile data leak is on the front page, you shouldn't be really shocked on how lax American security standards (except for their military) are.
Yes, as zinekeller said, they (T-Mobile support presumably) simply changed what SIM card was assigned to my account. Luckily, I received a disconnection notice on my phone as soon as this happened and was able to call T-Mobile (with my computer and Google Voice) to get it changed back.
I was told that this was no longer a thing at T-Mobile. However, reps can still add notes to your file indicating to not port unless you're physically present with a valid ID.
That doesn't cover ports conducted online via unauthorized account access, though. Adding a similar note prohibiting account recovery assistance unless physically present is a good idea as well.
I can't figure out how to get these enabled for prepaid accounts (t-mobile and verizon). And I'm not going to switch to post paid for 2-3x the cost just for this. I'm already paying extra to use carrier prepaid instead of an MVNO.
All of them practically. I think at the beginning the feature was mostly used for celebrities and public figures. But I think it should become the default.
The main reason it's not, in my understanding, is because of a federal telecom law that states it should be easy to transfer phone numbers across providers.
>To this day I don't know how the hackers did it. Thru social engineering on phone? In person at an agency with fake id? Or a corrupt insider working at T-mobile.
Usually these SIM swaps are from an outside person socially engineering over the phone or in a store. It's not unheard of to have an insider though.
In case you're wondering, "investigating" means "s#*t, we got hacked!"
100M customers. That's roughly one customer per US household.
At this point, we should assume that our names, birth dates, home addresses, social security numbers, phone numbers, and account numbers are public information. We should probably also assume that many if not most of our passwords have been widely disseminated too.
2FA was probably the most important improvement to security in a long time. It seems to be the only thing that kept attackers out when everything else has been exposed.
This only helps for credential stuffing attacks that use passwords from other database leaks, though - chances are the 2fa shared secrets are on the same row as the user's (maybe clear text[0]) password and can be easily used to get in despite 2fa.
If the attacker has direct access to the system, there is not a lot you can do to stop them getting in to that particular system. The main problem imo is that people would use the same password on secure and non secure services so some random forum login ends up with their icloud details exposed. Which 2FA solved.
I ran into a security breach there once. I reported it. It didn't get taken seriously. I did access the bills of several random T-Mobile customers, by accident, through what appeared to be a half-dozen related gaping holes.
On the other hand, they have super-friendly customer service and they don't cheat.
I once encountered the infamous JWT alg: none bug in a series of codebases I worked on at T-Mobile. I built a PoC exploit that demonstrated complete bypass of all JWT user authN, publicized it to my team, and escalated it to my manager and later my skip level. The bug was never fixed and my attempts to ship a fix were never prioritized.
I am only comfortable stating this now because the affected codebases are no longer in use.
The data from the Equifax breach, as bad as that breach was (and as criminally derelict in its duties our government was in extracting meaningful accountability from them) does not seem to have made it onto the black market.
If they're already selling the data, this one could be a lot worse in practice.
If you're a T-Mobile customer, chances are you data was already "leaked" because they recently changed their ToS and are selling customer information anyway.
Actually they are the parent of the company which used to employ the Matrix team, before that team created their own company "New Vector Limited" in 2017 (after the money from Amdocs ran out).
In the US, yes, and it depends on what company you use. Like a lot of things in the US, people live by rules that are created by multinationals. It really doesn't matter which entity requires identity documents for a phone number, it is a bad idea in general.
Lots of these comments are pointing out the lack of security at T-Mobile. For somebody looking to change from T-Mobile because of that reason, which, if any, of the US carriers are known to take security seriously?
Requiring a license to run LTE base stations is a disaster. Zero of the carriers are managing their infrastructure in any way resembling competence and responsibility and most of them probably couldn't even tell you how bad it is because they don't know and don't even have shells on their own equipment.
That's going to be a lot of cloned mobiles and SMS 2FA account takeovers.
It's going to be very difficult rotating out that information. That treasure trove of data is worth a lot and somebody is going to pay for it.
This KYC and handing over personal information should be replaced with zero knowledge proofs and everything encrypted.
Companies should be data audited and fined for not encrypting and logging and minimising data access and minimising data and only keeping relevant data.
In fact the state requiring companies to keep data long term also puts you at risk, data should be minimsed not only in content but in time.
Shit like this is why I go to extraordinary links to keep my cell phone unlinked from my identity. This is honestly harder on people who complain about having to change my contact once every 6 months or so (I travel a lot, and a prepaid won't make it from one country to another) but if that's the only suffering that has to happen in order to completely avoid scenarios like this, or someone doing a SIM swapping attack on me, then so be it.
More evidence to support my belief that everyone should just opt out of providing their identities whenever possible. Some people might call it fraud but things that occur on the internet isn't real life anyways. Why should I blend the two?
Though to be fair, whenever If I think I might get into trouble for not providing my real name I just use my initials.
That, and companies shouldn't hold on to information they don't need.
I never give doctor offices my SSN or other extra information, and they never batt an eye. People are just conditioned that if they're asked for something, they have to give it.
why is t-mobile storing social security numbers? this should only be necessary for new accounts and then immediately purged from their databases. Absolutely no reason for a telco to have this stored.
I agree. However a comment in another thread explained they would need the SSN to make a report with the credit bureau if you missed payments. That's an easy fix in my opinion: The SSN should be used for read-only. Once the credit report is read/accessed, the credit bureau issues a write-only code. The company then deletes the SSN and only retains the write-only code. If the write-only code is leaked later in a hack, it is useless to criminals trying to open new accounts.
If they don't pay the bill/pay off the financed phone then TMobile will attempt to collect, sell the account off to collections, and report the account as delinquent to the credit bureaus. Having the customers SSN is basically required for those activities.
A post paid phone plan is a revolving line of credit - just like a credit card.
In 2017, the FCC determined that T-Mobile had violated federal law in a data breach involving customer credit information [1]. There was reportedly no fine because Congress has imposed a strict one-year statute of limitations on FCC enforcement actions.
In 2020, the FCC charged T-Mobile with again violating federal law in failing to protect customer ___location information [2]. The FCC proposed a $91.6M fine, widely criticized as insufficient at the time [3-4]. I don't believe the FCC has finalized or collected that penalty.
There have been several other incidents, including in 2018 [5], 2019 [6], early 2020 [7], and late 2020 [8].
I hope there has not been a new data breach. But if there has been, this is the latest in a pattern, and the incentives have to change.
[1] https://www.nexttv.com/news/fcc-admonishes-t-mobile-breach-1...
[2] https://www.fcc.gov/document/fcc-proposes-916m-fine-against-...
[3] https://docs.fcc.gov/public/attachments/FCC-20-27A4.pdf
[4] https://docs.fcc.gov/public/attachments/FCC-20-27A5.pdf
[5] https://www.theverge.com/2018/8/24/17776836/tmobile-hack-dat...
[6] https://www.bleepingcomputer.com/news/security/t-mobile-disc...
[7] https://www.bleepingcomputer.com/news/security/t-mobile-data...
[8] https://www.bleepingcomputer.com/news/security/t-mobile-data...