T-Mobile breached, important data stolen

Perhaps a sigh of relief (for now) when I logged in to be notified with a banner that states:

"Cybersecurity incident: T-Mobile continues to aggressively investigate this incident. At this time we have no information that indicates your SSN, driver’s license or government issued ID associated with your account were impacted. If that changes, we will contact you. To be clear, in this incident no personal financial or payment information, credit or debit card information, account numbers, account passwords, or your wireless accounts were accessed."

I'm glad for you.

Alas, their lack of good security has already given away my particulars, which are now out there in the wilds of the dark web. Thank you, T-Mobile. What a great guy the CEO is to tell us they are planning on closing the door now that my horse has escaped. Not so good.

If they were serious, instead of the useless security subscription they would give us all at least 6 months of FREE service.
 
I've been following this news item for the past couple of days and haven't seen it posted here. I searched but didn't find it.

I'm posting here, because folks may ignore it somewhat since so many data breaches have happened in the past from lots of companies.

This time it's DIFFERENT.
Part of the hack may have stolen PINs for T-Mobile accounts. With this PIN a person can perform a SIM theft (claim they are you, say the SIM is broken, get a new SIM with your existing phone number on a burner phone).
Then they have what they need to break many two-factor authentication schemes.
They can then go to every large bank/brokerage and put in your email and click on forgot password, receiving the code on their phone to change your password.

This affects nearly ALL customers.

For all my financial accounts and email accounts, I changed my passwords. I also asked the financial institution for a double authentication using my email address with an updated password after I enter my password.

I no longer trust a single password system to access my financial accounts. My email now has an updated password. I directed my financial institutions that I needed a double authentication system using my email.

I have a Vanguard account and Vanguard sends me an email and a text message notifying me of any withdrawal requests. I kinda wish my banks would do the same thing but they don't.
 
I have a Vanguard account and Vanguard sends me an email and a text message notifying me of any withdrawal requests. I kinda wish my banks would do the same thing but they don't.

This surprises me, I thought that all banks these days let you set up alerts for your online account.
 
This surprises me, I thought that all banks these days let you set up alerts for your online account.

Vanguard sets the text message and email notification automatically, so there is no action needed at all by the account holder, since a retirement withdrawal is less frequent than checking account activity.

Some banks may let you set up an alert but you have to manually specify the amount, the circumstances and how you will be notified. I believe e-banks allow you this manual option but the smaller brick and mortar credit unions may not.
 
Vanguard sets the text message and email notification automatically, so there is no action needed at all by the account holder, since a retirement withdrawal is less frequent than checking account activity.

Some banks may let you set up an alert but you have to manually specify the amount, the circumstances and how you will be notified. I believe e-banks allow you this manual option but the smaller brick and mortar credit unions may not.

Yes, I have both. I set my b&m account to alert me for transactions greater than $0.01 and card not present. It's not really a smaller bank, but I imagine the smaller ones will come online with that eventually.
 
Perhaps a sigh of relief (for now) when I logged in to be notified with a banner that states:

"Cybersecurity incident: T-Mobile continues to aggressively investigate this incident. At this time we have no information that indicates your SSN, driver’s license or government issued ID associated with your account were impacted. If that changes, we will contact you. To be clear, in this incident no personal financial or payment information, credit or debit card information, account numbers, account passwords, or your wireless accounts were accessed."

Anyone know if legacy Sprint accounts were hacked or just original T-Mobile accounts?
 
This time it's DIFFERENT.
Part of the hack may have stolen PINs for T-Mobile accounts. With this PIN a person can perform a SIM theft (claim they are you, say the SIM is broken, get a new SIM with your existing phone number on a burner phone).
Then they have what they need to break many two-factor authentication schemes.
They can then go to every large bank/brokerage and put in your email and click on forgot password, receiving the code on their phone to change your password.

I missed this the first time. Are people using their email as their user name? Seems like a bad practice to me.
 
I used to have a T-mobile prepaid account. I ported out my number a couple years ago. So when I heard about the breach, I checked to see whether my old T-mobile account still existed. They don't have my phone number. But I was able to login with my email. So I changed the password.

I tried to get my account completely deleted. Since there's no way I was going to call them and get put on hold, I tried their chatbot. It routed me to Sales. I found their Twitter account and DM'd them. That got responses from at least three CS reps. Eventually, they came to the conclusion that since my phone number was removed from their system, so was other personal information.

But every time I asked them to also remove my email address, they asked me for the phone number. Which I am not going to give them. So I'm stuck with a stub of an account left behind in the T-mobile system.
 
What’s Account Takeover Protection? Haven’t heard of it.

It’s an option at T-mobile.

What it actually means is that your phone number can’t be taken over (specifically, ported to another carrier) without that being turned off for your account. So it’s another layer of protection. Probably significant protection, because someone would have to impersonate you/get access to your account at T-Mobile to take over your phone number/change the SIM, and this is tough to do with a PIN in place. Probably why many of us changed our PIN and account password regardless of who and what was compromised.
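The chain described earlier in the thread (stolen carrier PIN, SIM replacement, SMS reset code delivered to the attacker's phone, bank password changed) and the port-out/SIM-change lock described just above can be replayed in a small model. This is an added illustration written for this page; it is not code from the thread, from T-Mobile, or from any bank. The Carrier and Bank classes, the phone number, email address, PIN and passwords are all constructed. The TOTP routine is standard RFC 6238 over HMAC-SHA1, included to contrast an authenticator-app second factor with an SMS code.

```python
"""Toy replay of the SIM-swap -> SMS password-reset chain.
Constructed models only: not T-Mobile's or any bank's real systems."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = int((time.time() if now is None else now) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Carrier:
    """A number is delivered to whichever device currently holds its SIM.
    SIM replacement is gated only by the account PIN, plus an optional
    port-out / SIM-change lock (the 'Account Takeover Protection' idea)."""

    def __init__(self):
        self.sim_holder = {}   # number -> device name
        self.pins = {}         # number -> account PIN
        self.locked = set()    # numbers with the takeover lock enabled

    def add_line(self, number, pin, device, locked=False):
        self.sim_holder[number] = device
        self.pins[number] = pin
        if locked:
            self.locked.add(number)

    def replace_sim(self, number, pin_claimed, new_device):
        """'My SIM broke, please move my number to this new one.'"""
        if number in self.locked:
            return False
        if not hmac.compare_digest(self.pins[number], pin_claimed):
            return False
        self.sim_holder[number] = new_device
        return True

    def deliver_sms(self, number, text):
        return self.sim_holder[number], text   # (receiving device, text)


class Bank:
    """Two password-recovery designs: SMS code vs. authenticator-app TOTP."""

    def __init__(self, carrier, sms_recovery=True):
        self.carrier = carrier
        self.sms_recovery = sms_recovery
        self.accounts = {}     # email -> {phone, password, totp_secret}
        self.pending = {}      # email -> outstanding SMS reset code

    def register(self, email, phone, password):
        self.accounts[email] = {"phone": phone, "password": password,
                                "totp_secret": secrets.token_bytes(20)}

    def forgot_password(self, email):
        """SMS design returns (device, message); TOTP design sends nothing
        that a phone number can intercept, so it returns None."""
        if not self.sms_recovery:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[email] = code
        phone = self.accounts[email]["phone"]
        return self.carrier.deliver_sms(phone, f"Reset code: {code}")

    def reset_password(self, email, proof, new_password):
        acct = self.accounts[email]
        if self.sms_recovery:
            expected = self.pending.pop(email, None)
            ok = expected is not None and hmac.compare_digest(expected, proof)
        else:
            ok = hmac.compare_digest(totp(acct["totp_secret"]), proof)
        if ok:
            acct["password"] = new_password
        return ok

    def login(self, email, password):
        return hmac.compare_digest(self.accounts[email]["password"], password)


def run_takeover(sms_recovery=True, takeover_lock=False):
    """Return True if the attacker ends up logged in to the victim's bank."""
    carrier = Carrier()
    carrier.add_line("+15555550100", "123456", "victim-phone", locked=takeover_lock)
    bank = Bank(carrier, sms_recovery=sms_recovery)
    bank.register("victim@example.com", "+15555550100", "correct horse battery")

    stolen_pin = "123456"                      # known from the breach dump
    carrier.replace_sim("+15555550100", stolen_pin, "attacker-burner")

    sms = bank.forgot_password("victim@example.com")
    if sms is not None and sms[0] == "attacker-burner":
        proof = sms[1].split()[-1]             # attacker reads the code
    else:
        proof = ""                             # nothing usable arrived
    bank.reset_password("victim@example.com", proof, "attacker-pw")
    return bank.login("victim@example.com", "attacker-pw")
```

`run_takeover()` succeeds with the defaults (SMS recovery, no lock); `run_takeover(takeover_lock=True)` fails at the carrier because the SIM change is refused even with the correct PIN; `run_takeover(sms_recovery=False)` fails at the bank because the reset needs a code derived from a secret that never crossed the phone network. The lock protects only the number; a bank that still accepts an SMS code is one carrier-side mistake away from the first case.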
 
Does your email use the phone if you forget your password?

I’m seeing different things. One does give you an option to use emails or phone numbers associated with your account to recover your user name, but only after you give them other personal information. I’m going to call them to discuss this. Another requires you to give them your account number plus other info to get help with login credentials such as user name. That seems more robust, as the account number is much more obscure.
 
I missed this the first time. Are people using their email as their user name? Seems like a bad practice to me.

No, it’s not that simple at most financial institutions. I have one store credit card that uses email. All the others have an independent user name.
 
I’m seeing different things. One does give you an option to use emails or phone numbers associated with your account to recover your user name, but only after you give them other personal information. I’m going to call them to discuss this. Another requires you to give them your account number plus other info to get help with login credentials such as user name. That seems more robust, as the account number is much more obscure.

I assume (always dangerous!) that one could simply walk into a T-Mobile store, show proper government ID and also get help changing things on the account.
 
I assume (always dangerous!) that one could simply walk into a T-Mobile store, show proper government ID and also get help changing things on the account.
Well, someone has to go to the trouble of creating the ID, without a clue whether they might gain access to valuable accounts they also don’t know about. That’s not a minor hurdle. And keep trying over and over? It’s kind of a one-shot deal per store.

And not knowing the account PIN is still an issue.

I believe that T-mobile made this harder a few years ago, but I don’t remember what steps they took.
 
When I heard about the breach I asked the rep about Account Takeover Protection but they apparently weren't trained in that yet. Today after seeing this thread I remembered to do that. So thanks.

BTW, after I did this on the web I had to call in to add it to DW's phone number. The rep also added it to our 2 Apple Watches, which have different numbers (for accounting only, apparently). Also, the rep set DW's caller ID to be different from mine, as the account is registered in my name. She knows the PIN, as we have the info in LastPass.

Too many bells and whistles. I wonder if this will all get too much as I age gracefully. :)
 
Well, someone has to go to the trouble of creating the ID, without a clue whether they might gain access to valuable accounts they also don’t know about. That’s not a minor hurdle. And keep trying over and over? It’s kind of a one-shot deal per store.

And not knowing the account PIN is still an issue.

I believe that T-mobile made this harder a few years ago, but I don’t remember what steps they took.

I was actually thinking of a legitimate customer who needed help. :)
 
For those of you interested, Steve Gibson, a well known IT Security proponent has given us his take on the T-Mobile situation and what we can do to plug the weakest link in cell phone security. (Using SMS messages to change passwords, as 2FA, etc.).

This discussion starts on page 9. The info preceding that page is highly technical and true geek stuff. So you may wish to skip it, unless you are a proud geek.
Emphasis added.

https://www.grc.com/sn/sn-834-notes.pdf

Since the PIN was one of the items of information stolen that’s under a subscriber’s control, and since it’s CRUCIAL for verifying your identity to your cellular carrier, it really MUST be changed.

All of the various cellular carriers now offer some form of “SIMjacking” protection. This is also known as “SIM swapping” or “port-out scamming.” It occurs when a scammer contacts your cellular provider and pretends to be you. The trouble is, in the case of T-Mobile, a scammer will be armed with everything T-Mobile knows about you—including the account PIN that was stolen.
 
For those of you interested, Steve Gibson, a well known IT Security proponent has given us his take on the T-Mobile situation and what we can do to plug the weakest link in cell phone security.

https://www.grc.com/sn/sn-834-notes.pdf

Very interesting PDF. For my part, my financial accounts have their own email and my login IDs are non-obvious, but I did have a 4-digit PIN until yesterday. It is disappointing that T-Mobile was so careless.
 
We got a text and email, so I used my regular login to check, in case the text and email were a scam. There is a new Prepaid webpage.

For all the Prepaid customers, T-mobile has finally made a new website page, so prepaid customers can change their PIN.

It was pretty stupid of them to only allow changing a PIN for Postpaid customers in the first place. They would let you change the password and security questions but not the PIN.

That is great that Prepaid can now change the PIN. I changed ours to 12-digit PINs!!

However, be cautious about changing your password. I changed ours right after the breach and it allowed 48 characters.
The new website allows you to change it, but limits it to 8 characters. That is too weak to be secure.
So I didn't change mine, and left it 48 characters.

This shows the lack of good software development processes they have. After a breach, security concepts should be incredibly important to maintain customer trust.
 
...
The new website allows you to change it, but limits it to 8 characters. That is too weak to be secure.
So I didn't change mine, and left it 48 characters.

This shows the lack of good software development processes they have. After a breach, security concepts should be incredibly important to maintain customer trust.

If they really only allow 8 character passwords that is an incredible security error. Or is this coupled with some other security measures?

I added T-Mobile to my apps on my iPhone and use Face ID with that.
 
If they really only allow 8 character passwords that is an incredible security error. Or is this coupled with some other security measures?

I added T-Mobile to my apps on my iPhone and use Face ID with that.

When the breach first happened, I changed my password and the old webpage allowed 48 characters (it stated it in the rules).

So I made a 48 character password.

This new site, IMHO, has a programming error and only allows 8 characters to be created (wrong validation) even though the system is using up to 48-character passwords.

I log in with my phone number and my long password, no other security measure is used.
 