Forum Discussion

dragon1562's avatar
dragon1562
LTE Learner
Hace 5 años

SIM Swap vulnerabilities/ 2FA risks

So with the onset of SIM swap attacks as well as numerous links over the year I wanted to start a discussion to talk about things that we as consumers can do to better protect ourselves. As well as I hope to share information and ideas to T-mobile to improve their security when it comes to our accouts.

For those of you who don't know about  the scam that has been going on a attacker will pretend to be you to get T-mobile to assign them a sim card with your number. It is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone. Think whenever a bank for example sends you the little 6 digit code to your phone to reset a password as a example.

I believe T-mobile should have measures in place that allow for a customer to require a instore visit as a pre-requiste before any kind of change like that can occur. T-mobile should also be sending updated alerts before any kind of change happens on the account to both the cell numbers on the account as well as the email address on file. These alerts should require approval before the change itself can actually go through. This would be far more full proof than just having a pin on the account and would prevent this scam from working as easily as it does.

Thankfully, this has not happened to me but it is concerning as T-mobile is really lacking in providing tools for consumers to secure themselves.

  • LeeLa's avatar
    LeeLa
    Newbie Caller

    I see that Tmobile does have a security feature to prevent unauthorized SIM swaps (seems it was available in 2022 though this is the first I’ve heard of it).
    Have to go into account to click the SIM protection on.
    If I understand it correctly, if the account holder does want to change SIM cards then they have to go into their account to turn the SIM protection off.

    My question is, is this really doing anything?  If a hacker has your password for Tmobile, won't they just go in and turn the SIM protection off?

    I’m failing to see how this is really protection our accounts and essentially our lives.

    Anyone have any thoughts on this that I may be missing?

    Gracias

  • Shad_'s avatar
    Shad_
    Roaming Rookie

    Like so many others the same exact thing happened to me. Tmobile let an unauthorized user who didnt have my device, or my pin, or a valid matching picture ID (all of which Tmobile had on file to use to verify the port request) and still approved the port being requested from 2500 miles away from where I live. Imagine all those red flags and they still let it go through. After the fact they blamed the thief, Coinbase who the thief reset my psswd using device they gave them before converting and transferring all the assets in the account, and even me, and they still do to this day as we sit in arbitration 18 months later. 

     

    Researching my case they have known this was an issue for many years, proven by what I mention below, and the fact they have something in their eula specifically about it and crypto. Rather than address it they would prefer to pass the losses on to their customers which is proven by their actions. What modern feat of technology was needed to stop my sim swap? Something that should be right up a phone companies alley, a 2 min phone call to me before approving.

    It gets even worse. As you can see in this article

    https://www.androidpolice.com/t-mobiles-finally-taking-sim-swap-fraud-seriously-with-new-transfer-pins/

    they have had a feature in place that would have protected all their customers that went through this. For the years they have known about this scam, they have had an interal setting called NOPORT. It prevents ports from going through and is only made available to their own internal employees to protect them from this scam.

    At first I did tremendous amounts of research into tracking down the thief and providing it to Tmobile. They refused to provide any to me whatsoever, including those of their own internal investigation telling me I would need a court order. It became apparent to me and the detectives involved that pursuing the thief was simply not something Tmobile even tries to do, its all about debt mitigation and you instantly become their opponent instead of both of you pursuing the thief.

     

    Media is finally starting to catch on and I have done two separate interviews for MSNBC and Yahoo finance and after all the dealing with FCC last year they passed legislation that forces companies like this to properly verify identity before a swap.

     

    This forced Tmobile to finally change policy enough to try to contact customer first and eliminate the lone wolf employees involved by making 2 necessary to do one. Again, all that is really needed is to simply call the account holder and ask if he approves the port, it takes 2 minutes and protects your customers from years of stress and financial losses.

     

    If this happens to you take them to arbitration. They will do nothing but lie to you, try to shift blame and intentionally waste as much of your time as possible with multiple legal firms burying you in information requests then refusing to do anything once they get them. Transferring accounts like that is gross negligence and they can not hide behind an EULA to shield them from this negligence.

  • Shad_'s avatar
    Shad_
    Roaming Rookie
    sweetpeach wrote:

    This is why I've been advised to record completely non nonsensical answers to security questions (I have to write them down so I don't forget them) and passwords generated by computer. It's about all you can do, like locking your door, make it so hard to hack you that they move on to the next one...

    All that wasted time on your end makes no difference at all when tmobile hands out those keys to your front door. I had a password that was 30 characters long with numbers, symbols and caps and in the end it was all just needless hassle for me as the thief simply resets your password after being handed your account on a device they control.

    This crime involves the thief just telling the Tmobile rep their phone got broken. I have records for my sim swap showing that is ALL they did, say the phone was broken. The csr then bypassed all other security and transferred my service to that thief and their new device.

     

    If you really want to protect yourself then leave Tmobile for a company that actually cares about security. Tmobile has been hacked 7 times in the last 4-5 years, and has more sim swap cases than all other providers combined.

    DO NOT use the 2fa they recommend, this is the crux of the sim swap scam as they really just need to control your tmobile account and then they can start using all the information that they bought from dark web sites where all those tmobile hacks leaked it, like the latest one where a lone 20 year old made off and put up for sale nearly 100million past and present tmobile customers information on a site called cybercrime. That 20 year old described Tmobiles security as laughably bad, and that is after 6 or so previous hacks so they are either unwilling or incapable of properly securing your account and information.

  • sweetpeach's avatar
    sweetpeach
    Bandwidth Buddy

    This is why I've been advised to record completely non nonsensical answers to security questions (I have to write them down so I don't forget them) and passwords generated by computer. It's about all you can do, like locking your door, make it so hard to hack you that they move on to the next one...

  • Chiming in.. I'd recommend combing through the forum threads and reaching out to individuals to point them back to this thread you started. Otherwise this post falls on deaf ears. IDK how many victims are thinking to come to the T-Mobile forums to discuss their issue. You'll find victims on Reddit as well. 

    I just want to point out some things in your post. 

    A number of the SIM swap attacks are happening in-person. The in-store visit you're recommending is the doom of many customers this year especially with the mask-on mandates. Driver's license or knowledge of SSN tends to defeat the use of the passcode on the account. It comes down to how well-trained the rep is to enforce account security on behalf of the customer. That said, fake ID and you're in. 

    I do like the idea of approval needed before, but if they're coming in person and arguing that they lost their phone in a boating accident for example then they may argue that they might not have the required access to verify, herein they assert the need to override via SSN or driver's license. Outside of that approval scenario, email notifications after the fact may not be helpful if the email account recovery # is that cellphone number. If a SIM swap attack is taking place, you can bet they're headed for the email accounts if not just the bank accounts. Some of those notifications a user may never receive because the attacker's now intercepting. Android devices don't immediately sync email outside of Gmail (email service, not the app). There's generally a 15min wait. That's enough time to password reset that email account using 2FA via SMS per the SIM swap, intercept that notification email and continue their dirty work. 

    What I was thinking was: maybe a separate call to a 3rd party (landline phone at home?) and have someone ready to answer and vouch. Husband requests the change, wife answers the phone. Or child/parent, maybe it's grandma answering the phone. IDK.. I can only think this wouldn't be helpful for those who live alone or have no one to vouch for them. Team work makes the dream work?

    In some cases I’m thinking not to even enable recovery options for certain accounts/services, because they just end up being new backdoors to your account. 

    For example, T-Mobile will enable Google Authenticator -- but an attacker can bypass using security questions. Social engineering for the win? You set up GAuth, and can't disable SMS 2FA or security questions; so the attacker still performs the SIM swap and renders that authenticator code useless.