I have T-Mobile. 6 weeks ago my phone could no longer access the cell network. The support agent told me that someone went into a store, claimed to be me, and was able to change the SIM card. The history showed the employee in the store verified me by my driver's license. We changed the SIM back and supposedly locked the account.
I use Google Auth OTP for all the accounts that I can, and as far as I can tell nothing was breached or stolen, but I wouldn't rely on your cell phone or number for anything whatsoever, it's way too easy to socially engineer, or have some easily corruptible retail employee steal from you.
T-Mobile is horrible with security. They have this service called Digits, which lets users access their phone number from other devices. The problem is, this subverts the security model a lot of the American internet ecosystem is built on, i.e. your phone number will be secure online. Someone got into my T-Mobile account and enabled Digits, then had free rein on my gmail, texts, paypal, etc (I don't use the strongest passwords, but always keep 2-factor authentication on important services like these). Every time I got hacked I'd spend a couple of hours trying to figure out how, and the T-Mobile agents would always claim no one accessed my number. Finally, the third time, I escalated up the security chain within T-Mobile and they figured out the issue.
My wife used this for her business since it was free at the time. It cost her literally thousands of dollars of missed/unconnected calls and dozens of hours of customer service.
Similar thing happened to me about a year ago. The creepiest part was - it happened while I was on an international flight and my gmail WAS on SMS "two-factor" authentication... Since then, everywhere I can, I use OTP, but some sites fall back to using your phone number if you can't provide the OTP password... So I have to enter some completely invalid phone number there to make it impossible.
That's bad but at least they checked. Apple recently swapped out a phone for me at the store. The genius called Sprint and they activated the new phone on my Dad's line without asking me for ID or my account code.
Imagine if this were to happen to a journalist or politician. The stakes are quite high.
Honestly, I think one of the best things to happen for the rest of us is for a prominent Senator to have this happen to them. Then hopefully we'd get some legislation holding these companies responsible when they do that.
My favorite part about all of this is that, as a T-Mobile customer, this is how I find out about the leak. There's not even an alert when I log into my account. Why can't companies be more responsible about these situations?
I still think making customers aware would go a long way. And we only have to go back to the Equifax breach to learn that companies are hardly forthcoming about who is and isn't compromised.
I get your conclusion but that doesn't excuse T-Mobile from notifying customers that their data has potentially been breached. I would much rather be aware that there is a distinct possibility my cell carrier's data on me has been breached, because I can take some small actions to mitigate any potential damage (change password, update PIN, etc). Being aware is half the battle with online security.
I'm not sure that the lack of repercussions is a reasonable excuse. I know companies will use it. I know we might throw our hands in the air and just say it's a fact of life. But it doesn't have to be.
I found out about this breach Friday via The Verge. At that point in time, I hadn't received an email/text. So for a while, I figured I wasn't part of the subset of users. Then, at 9:11pm that day, I received the text message.
A while back, I ran into a security hole in T-Mobile. Confidential customer data was quite literally available on the Internet via a Google search. This was due to a half-dozen missing very basic security precautions (forms using GET instead of POST, no CSRF, etc., etc., etc.).
I emailed the CEO. It got moved to a team who assured him there were no problems. The pages got taken down, but the underlying issues were, as far as I know, ignored (the communication to the CEO was essentially that there were no issues, and he believed his team over me).
I still trust T-Mobile more than Sprint/AT&T/Verizon as a company, but data security is non-existent.
> But a T-Mobile spokeswoman later told news site Motherboard that "encrypted" passwords were in the batch of data.
T-Mobile stores plaintext passwords. They recently invalidated a password I had been using with them for some time because they changed their rules and disallowed special characters (tons of stupid there). They wouldn't have known to do that if the passwords were properly hashed.
This isn't necessarily true (and is very dependent on what your password was) - they could have iterated through lists of common passwords w/ special characters, hashed them, and compared them to their DB, forcing a pw reset for everyone that had a match.
edit - just want to state that if they disallow special characters it really is a terrible policy, my point is just that resetting your password isn't proof they are stored in plaintext
I doubt they did this, but I was just thinking about this problem:
Maybe they could have analyzed the plaintext password and stored information about the types of characters it contained and number of characters. Then they salt+hash the plaintext password and store the resulting hash. Now they know a little about the characters and length of the password without knowing the password itself.
He might have been referring to user specific salts? It would certainly be a lot more challenging for them to test every common password with every user's salt.
I had the same reaction over the weekend when I reset my password. I tried to use a 20 char length with some special characters and their "validation" blocks it. Poor password management irritates me to no end.
Did you get an email saying this, or did this happen when you logged in? At login they could examine the password you sent, check if it matched their hash, and then prompt you to change it.
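The two mechanisms the replies above describe (an offline sweep of common passwords hashed under each user's salt, and a check at login when the server briefly sees the plaintext) are easy to show in working code. The following is an added example, not anything from T-Mobile or from any commenter; the user records, salts, passwords and the "common password" list are all constructed for the demonstration, and the policy being enforced ("no special characters") is the one the thread discusses.

```python
import hashlib
import hmac
import os
import string

SPECIAL = set(string.punctuation)
ITERATIONS = 20_000  # kept low for the demo; production PBKDF2 counts are far higher


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store only a per-user random salt and a PBKDF2-SHA256 digest, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def violates_policy(password):
    """The (bad) rule under discussion: special characters are no longer allowed."""
    return any(ch in SPECIAL for ch in password)


def flag_at_login(db, username, password):
    """Login-time check: this is the one moment a properly hashed system sees the
    plaintext. Returns None on bad credentials, else whether a reset should be forced."""
    record = db.get(username)
    if record is None or not verify_password(password, record):
        return None
    return violates_policy(password)


def flag_by_dictionary(db, candidates):
    """Offline check: hash each common password under every user's own salt.
    Only users whose password is actually in the list can be found this way."""
    flagged = set()
    for username, record in db.items():
        for cand in candidates:
            if violates_policy(cand) and verify_password(cand, record):
                flagged.add(username)
                break
    return flagged


# Constructed sample user table (hypothetical users and passwords).
SAMPLE_DB = {
    "alice": hash_password("P@ssw0rd!"),          # common, has special chars
    "bob": hash_password("correcthorsebattery"),  # no special chars
    "carol": hash_password("Tr0ub4dor&3"),        # special chars, but not in the list
}

# Constructed "common passwords" list, the kind an operator would sweep with.
COMMON_PASSWORDS = ["password", "P@ssw0rd!", "letmein", "Welcome1!"]

if __name__ == "__main__":
    print(flag_by_dictionary(SAMPLE_DB, COMMON_PASSWORDS))      # {'alice'}
    print(flag_at_login(SAMPLE_DB, "carol", "Tr0ub4dor&3"))     # True: reset at next login
    print(flag_at_login(SAMPLE_DB, "bob", "correcthorsebattery"))  # False
```

The dictionary sweep finds alice but not carol, which is the point made above: a forced reset after a policy change is consistent with hashed storage as long as the affected password was guessable, or the check happened at login. It is not, on its own, proof of plaintext storage.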
That was T-Mobile Austria and at the time T-Mobile USA (and iirc a couple other T-Mobile subsidiaries) said they used a different customer account system than T-Mobile Austria and handle account passwords differently.
(T-Mobile Austria has since figured out that storing this is a bad idea and promised to change how they do it. Dunno what they have done as I'm not a customer of theirs nor live in Austria, I just remember the shitstorm on twitter about it.)
And it was only 3 years ago that T-Mobile had a breach that affected 15 million, which they largely blamed on Experian at the time.
"On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed."
T-Mobile's response to that incident was to offer customers 2 years of free credit monitoring service from Experian. That free service would have ended a year ago, just in time for T-Mobile's next breach.
> Ceraolo, who says he was not involved in the breach, says he was able to confirm that the hacker accessed T-Mobile via a vulnerable API.
I want some details here. Just the other day we had a blog post lauding fairly open API approaches for client UIs (in GraphQL, but I see similar arguments elsewhere). Lock your shit down, don't give the frontend more than it needs, and if you're in a company with some type of ridiculous team separation where the backend has to treat the frontend as a customer that doesn't work for the company it's just a matter of time.
Not saying this was a frontend API, just saying it's a frequent vector due to the lax auth requirements and "internal" query-like approach they often take.
I think it's about time the US passes laws that any company that suffers a data breach is mandated to give identity theft protection for 1 year to people whose information was compromised.
Identity theft protection doesn't do anything, it isn't even "protection" just notification after the fact and some agent will hold your hand.
Instead how about companies have complete financial liability? That way they'll need insurance, and their premiums will skyrocket if they get breached.
If the market would bear a higher cost they would have already charged it. This can only hurt them, through competition, or just that people won't pay a higher price.
Or they'll move their business to providers that can operate at lower cost because they have more secure operations. The point is to expose the insecurity as a cost.
Screw identity theft protection. It's at best pointless and at worst a scam to get you to pay to continue the "protection" after the initial period expires.
They should instead have a minimum fine per-user that gets paid in cash directly to the impacted individuals. Paying $10 x 1M accounts would make businesses wake up to this problem much faster. Maybe even have the fine be tiered based on the level of data that was compromised:
Agreed. If one wants to change the business's behavior there has to be a financial penalty to incentivize them to get their act together. Currently, there's zero regulatory compliance required with little to no impact to the company other than momentary bad PR that is not withstanding.
I'm not sure that would do anything other than spur the companies to have an identity theft protection department.
I'd rather them give basic compensation to anyone with breached data (even if it is $10) in addition to covering the costs of anyone who had problems after the breach. The first year, I'd think it would be best if the consumer didn't have to prove it was their fault as that could be too much of a burden for folks.
I'd give an exception for companies that went over and above on their own security and still got breached. After all, security doesn't make one completely safe (much like places can still get robbed), simply less likely.
I doubt that it would stack, though. It'd simply mean that the data protection companies got lots of money since more than one company would pay for protection for a single customer. If data breaches somehow stopped today, we'd all be without "protection" within a year.
I'll take laws just requiring transparency. I want to know exactly what happened, exactly what was taken, how much, exactly how the passwords were hashed, etc.
> T-Mobile declined to comment. "We don't discuss publicly how we encrypt passwords,"
While I agree with the sentiment, everyone should have basic identity theft protection for free. SSN should not be so insecure or should not be used, and the stuff the credit bureaus offer seems like a protection racket.
Make it life. The reason identity theft protection exists is because we have inadequate laws to sue these companies in the first place. If someone's identity gets stolen, the breached company should be fully responsible without the user having to file a lawsuit and pay a ton of money / spend a lot of time trying to fix things. Just to be clear, the breached company is typically the credit issuer or any party that allows unauthorized access to the wrong person. It's preposterous that the user has to pay for a mistake by the bank who gave a loan or other type of credit to an impostor. Make these institutions pay and fine them a percentage of their annual revenue up to a hundred percent. You'll see how quickly security practices change.
In looking at T-Mobile's home page there is no mention of the breach. Wouldn't the responsible thing for them to do be to post it somewhere high profile that their customers might see it?
Instead the notice is buried here, which doesn't even appear to be linked to from their home page.
After being a T-Mobile customer for 6 years (and leaving this year), I do not trust a word they say.
Here is a list of unethical things they've done:
- Claim UNLIMITED when restricting people at 10gb hotspot and 50gb data. Their deprioritization is unusable, but they claim otherwise.
- They sent their social media marketing team to astroturf in an /r/frugal thread critical of T-Mobile.
- Their customer service person canceled a plan and added a plan when moving around numbers. I don't know if this was intended or an accident, but after 2 months of paying extra, I asked for a refund, and the store wouldn't do it. I had to call. This was a 2 hour process.
Like someone else mentioned, they throttle after the first 50 GB/month, or immediately when tethering. That said, I also moved over recently because it costs about 1/3 as much as my old Sprint (actually) unlimited plan.
Another for the list: a single stray tap on some ad got me (silently) enrolled in some useless service, charged directly to my T-mobile bill.
Workaround: Pay monthly, resist their pressure to sign up for auto-pay. Shift bill payment chore day to third week of each month, to deal with T-mo's 17-day window between billing and overdue dates.
All that said, from what I've seen, the competing providers are worse still.
I've had their customer support and in-store employees straight up lie to me about terms and conditions to get me to buy things. I'll never use T-Mobile again after crap like that.
Sounds like a regular computer but small and with an LTE modem. That should be the future, but, barring making cell networks a free, national utility, I don't understand how there still aren't carriers (ISPs) that map customers to a device (unless they charge a flat, global fee for general access) and possess at least some of their data.
(In general, though, SMS 2FA is a bad idea; device, not SIM-based, things like Google Authenticator are much better and render SIM hijacks toothless as far as 2FA is concerned. You're still hosed with respect to your payment method, address, carrier credentials, etc. of course.)