I have T-Mobile. 6 weeks ago my phone could no longer access the cell network. The support agent told me that someone went into a store, claimed to be me, and was able to change the SIM card. The history showed the employee in the store verified me by my driver's license. We changed the SIM back and supposedly locked the account.
I use Google Auth OTP for all the accounts that I can, and as far as I can tell nothing was breached or stolen, but I wouldn't rely on your cell phone or number for anything whatsoever, it's way too easy to socially engineer, or have some easily corruptible retail employee steal from you.
T-Mobile is horrible with security. They have this service called Digits, which lets users access their phone number from other devices. The problem is, this subverts the security model a lot of the American internet ecosystem is built on, i.e. your phone number will be secure online. Someone got into my T-Mobile account and enabled Digits, then had free rein on my Gmail, texts, PayPal, etc. (I don't use the strongest passwords, but always keep 2-factor authentication on important services like these). Every time I got hacked I'd spend a couple of hours trying to figure out how, and the T-Mobile agents would always claim no one accessed my number. Finally, the third time, I escalated up the security chain within T-Mobile and they figured out the issue.
Similar thing happened to me about a year ago. The creepiest part was that it happened while I was on an international flight and my Gmail WAS on SMS "two factor" authentication... Since then, everywhere I can, I use OTP, but some sites fall back to using your phone number if you can't provide the OTP password... So I have to enter some completely invalid phone number there to make it impossible.
That's bad but at least they checked. Apple recently swapped out a phone for me at the store. The genius called Sprint and they activated the new phone on my Dad's line without asking me for ID or my account code.
Imagine if this were to happen to a journalist or politician. The stakes are quite high.
My favorite part about all of this is that, as a T-Mobile customer, this is how I find out about the leak. There's not even an alert when I log into my account. Why can't companies be more responsible about these situations?
A while back, I ran into a security hole in T-Mobile. Confidential customer data was quite literally available on the Internet via a Google search. This was due to a half-dozen missing very basic security precautions (forms using GET instead of POST, no CSRF, etc., etc., etc.).
I emailed the CEO. It got moved to a team who assured him there were no problems. The pages got taken down, but the underlying issues were, as far as I know, ignored (the communication to the CEO was essentially that there were no issues, and he believed his team over me).
I still trust T-Mobile more than Sprint/AT&T/Verizon as a company, but data security is non-existent.
> But a T-Mobile spokeswoman later told news site Motherboard that "encrypted" passwords were in the batch of data.
T-mobile stores plaintext passwords. They recently invalidated a password I had been using with them for some time because they changed their rules and disallowed special characters (tons of stupid there). They wouldn't have known to do that if the passwords were properly hashed.
This isn't necessarily true (and is very dependent on what your password was) - they could have iterated through lists of common passwords w/ special characters, hashed them, and compared them to their DB, forcing a pw reset for everyone that had a match.
Edit: just want to state that if they disallow special characters it really is a terrible policy; my point is just that resetting your password isn't proof they are stored in plaintext.
I had the same reaction over the weekend when I reset my password. I tried to use a 20-character password with some special characters and their "validation" blocked it. Poor password management irritates me to no end.
Did you get an email saying this, or did this happen when you logged in? At login they could examine the password you sent, check if it matched their hash, and then prompt you to change it.
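As an added illustration of the mechanism this comment describes (example code, not from the thread or from T-Mobile): a service that stores only salted PBKDF2 hashes can still force a reset under a hypothetical "no special characters" rule, either by checking the rule against the plaintext the user submits at login, or by the offline sweep over a list of common passwords described two comments above. The user names, sample passwords and the rule itself are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Hypothetical policy change from the thread: special characters are no longer allowed.
DISALLOWED = re.compile(r"[^A-Za-z0-9]")
PBKDF2_ROUNDS = 100_000  # kept low for the demo; production uses more, or a memory-hard KDF


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def build_users() -> dict:
    """Constructed sample accounts; the plaintexts exist only while this runs."""
    return {
        "alice": hash_password("P@ssw0rd!"),    # common, violates the new rule
        "bob": hash_password("correcthorse"),   # compliant with the new rule
        "carol": hash_password("Tr0ub4dor&3"),  # violates the rule but is not on a common list
    }


def login(users: dict, username: str, password: str) -> tuple:
    """Returns (authenticated, must_reset).

    The rule is checked against the plaintext the user just submitted, which the
    server holds in memory for this request anyway, so no stored plaintext is needed."""
    record = users.get(username)
    if record is None or not verify(password, record):
        return False, False
    return True, DISALLOWED.search(password) is not None


# Constructed list of common passwords; a real sweep would use a much larger one.
COMMON_PASSWORDS = ["password1", "P@ssw0rd!", "qwerty!", "letmein"]


def sweep_common_passwords(users: dict, candidates: list) -> list:
    """Offline alternative: hash each candidate that breaks the rule and compare it
    with the stored hashes. Only guessable passwords are found (carol is missed),
    which is why the result depends on what the user's password was."""
    flagged = []
    for username, record in users.items():
        for candidate in candidates:
            if DISALLOWED.search(candidate) and verify(candidate, record):
                flagged.append(username)
                break
    return flagged
```

Neither path requires the plaintext to be stored: the login path sees it for one request, the sweep only ever compares hashes.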
That was T-Mobile Austria and at the time T-Mobile USA (and iirc a couple other T-Mobile subsidiaries) said they used a different customer account system than T-Mobile Austria and handle account passwords differently.
(T-Mobile Austria has since figured out that storing this is a bad idea and promised to change how they do it. Dunno what they have done as I'm not a customer of them nor live in Austria, I just remember the shitstorm on twitter about it.)
And it was only 3 years ago that T-Mobile had a breach that affected 15 million, which they largely blamed on Experian at the time.
"On Sept. 15, 2015 Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed."
T-Mobile's response to that incident was to offer customers 2 years of free credit monitoring service from Experian. That free service would have ended a year ago, just in time for T-Mobile's next breach.
> Ceraolo, who says he was not involved in the breach, says he was able to confirm that the hacker accessed T-Mobile via a vulnerable API.
I want some details here. Just the other day we had a blog post lauding fairly open API approaches for client UIs (in GraphQL, but I see similar arguments elsewhere). Lock your shit down, don't give the frontend more than it needs, and if you're in a company with some type of ridiculous team separation where the backend has to treat the frontend as a customer that doesn't work for the company it's just a matter of time.
Not saying this was a frontend API, just saying it's a frequent vector due to the lax auth requirements and "internal" query-like approach they often take.
I think it's about time the US passes laws that any company that suffers a data breach is mandated to give identity theft protection for 1 year to people whose information was compromised.
Identity theft protection doesn't do anything, it isn't even "protection" just notification after the fact and some agent will hold your hand.
Instead how about companies have complete financial liability? That way they'll need insurance, and their premiums will skyrocket if they get breached.
Screw identity theft protection. It's at best pointless and at worst a scam to get you to pay to continue the "protection" after the initial period expires.
They should instead have a minimum fine per-user that gets paid in cash directly to the impacted individuals. Paying $10 x 1M accounts would make businesses wake up to this problem much faster. Maybe even have the fine be tiered based on the level of data that was compromised:
I'm not sure that would do anything other than spur the companies to have an identity theft protection department.
I'd rather them give basic compensation to anyone with breached data (even if it is $10) in addition to covering the costs of anyone who had problems after the breach. The first year, I'd think it would be best if the consumer didn't have to prove it was their fault as that could be too much of a burden for folks.
I'd give an exception for companies that went over and above on their own security and still got breached. After all, security doesn't make one completely safe (much like places can still get robbed), simply less likely.
I'll take laws just requiring transparency. I want to know exactly what happened, exactly what was taken, how much, exactly how the passwords were hashed, etc.
> T-Mobile declined to comment. "We don't discuss publicly how we encrypt passwords,"
While I agree with the sentiment, everyone should have basic identity theft protection for free. SSN should not be so insecure or should not be used, and the stuff the credit bureaus offer seems like a protection racket.
Make it life. The reason identity theft protection exists is because we have inadequate laws to sue these companies in the first place. If someone's identity gets stolen, the breached company should be fully responsible without the user having to file a lawsuit and pay a ton of money / spend a lot of time trying to fix things. Just to be clear, the breached company is typically the credit issuer or any party that allows unauthorized access to the wrong person. It's preposterous that the user has to pay for a mistake by the bank who gave a loan or other type of credit to an impostor. Make these institutions pay and fine them a percentage of their annual revenue up to a hundred percent. You'll see how quickly security practices change.
In looking at T-Mobile's home page there is no mention of the breach. Wouldn't the responsible thing for them to do be to post it somewhere high profile that their customers might see it?
Instead the notice is buried here, which doesn't even appear to be linked to from their home page.
After being a T-Mobile customer for 6 years (and leaving this year), I do not trust a word they say.
Here is a list of unethical things they've done:
- Claim UNLIMITED when restricting people at 10GB hotspot and 50GB data. Their deprioritization is unusable, but they claim otherwise.
- They sent their social media marketing team to astroturf in an /r/frugal thread critical of T-Mobile.
- Their customer service person canceled a plan and added a plan when moving around numbers. I don't know if this was intended or an accident, but after 2 months of paying extra, I asked for a refund; the store wouldn't do it. I had to call. This was a 2 hour process.
I've had T-Mobile for ~18 years (since they acquired VoiceStream in Chicago). Yes, the customer service folks aren't on point (and I've had to escalate issues to their executive customer support team). Yes, their data breach caused my data to be exposed. Am I moving? Not at all. Where else am I going to go that's better? Sprint? Terrible network and most likely about to be absorbed by T-Mobile. AT&T and Verizon? Both have had similar SIM replacement breaches by customer service (either coordinated attacks or ignorant reps ignoring procedure), and are wildly more expensive for the same service.
Your mistake is the illusion of choice. There are no good mobile carriers, only the least worst.
Another for the list: a single stray tap on some ad got me (silently) enrolled in some useless service, charged directly to my T-mobile bill.
Workaround: Pay monthly, resist their pressure to sign up for auto-pay. Shift bill payment chore day to third week of each month, to deal with T-mo's 17-day window between billing and overdue dates.
All that said, from what I've seen, the competing providers are worse still.
I've had their customer support and in-store employees straight up lie to me about terms and conditions to get me to buy things. I'll never use T-Mobile again after crap like that.
Sounds like a regular computer but small and with an LTE modem. That should be the future, but, barring making cell networks a free, national utility, I don't understand how there still aren't carriers (ISPs) that map customers to a device (unless they charge a flat, global fee for general access) and possess at least some of their data.
(In general, though, SMS 2FA is a bad idea; device, not SIM-based, things like Google Authenticator are much better and render SIM hijacks toothless as far as 2FA is concerned. You're still hosed with respect to your payment method, address, carrier credentials, etc. of course.)
rm999 | 7 years ago
https://www.t-mobile.com/offers/t-mobile-digits
kuwze | 7 years ago
https://www.ccn.com/bitcoin-investor-sues-att-for-224-millio...
https://cointelegraph.com/news/california-police-arrest-teen...
wegs | 7 years ago
I'm not quite sure what to do with that.
mrep | 7 years ago
Call me skeptical considering they said 4 months ago that they store part of their passwords in plain text: https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-s...
ourmandave | 7 years ago
Seems low. I wonder if they'll adjust it upwards like every other data breach that happens every week since I can remember?
Sadly, I don't even care since I was never a T-Mobile customer and they already have my entire life like f*cking Keyser Soze 50x times over.
bogomipz | 7 years ago
Clearly nothing has changed at T-Mobile.
https://www.t-mobile.com/customers/experian-data-breach-faq
kodablah | 7 years ago
> T-Mobile declined to comment. "We don't discuss publicly how we encrypt passwords,"
That is unacceptable, data breach or not.
bogomipz | 7 years ago
Instead the notice is buried here, which doesn't even appear to be linked to from their home page.
https://www.t-mobile.com/customers/6305378821
MrEfficiency | 7 years ago
So 2M customer data? Says T-Mobile.
So no passwords stolen? Says T-Mobile.
I remember when they were 'the good guys'.