I was affected by this, they SIM swapped a line on our account twice, both times on Friday at 5:23pm (followed by swapping the old SIM back at 5:42pm).
Just received the CPNI notice today from T-Mobile, we had a 6 digit PIN set prior to the first SIM swap on January 10th, and changed it before the following SIM swap on January 17th.
T-Mobile told me these swaps occurred at a store for both attacks. I did remove all authorized users from the account prior to the SIM swap on the 17th. T-Mobile has refused to provide Seattle Police Dept with any info about the fraudulent activity, and left me in the dark prior to the letter today.
We need legislation around liability for SIMs, as every single large financial institution seems to be using SMS messages as proof of identity. Better yet, we need legislation that protects individuals from liability if a business uses SMS as proof of identity.
Edit: For ATT, I don’t know what power they give their employees to change or bypass people’s passcode, but as a user, all you need to reset the passcode are the last 4 digits of the account owner’s social, billing zip code, and access to one of the phone lines on the account where they will send an SMS to verify you’re one of the people on the account.
I would hope for much stricter processes to reset a passcode, like a notarized letter or showing a passport and physically going to a store to prove identity.
When my AT&T sim was swapped a short while back, AT&T told me the same thing about a retail store. The support person you talked to believes this because that’s what the computer system says. I even received an automated SMS a week later asking for feedback about my “retail experience” at that location.
The law enforcement task force I spoke to told me that in reality, the swappers have remote access to the admin portal and just fill out a field with a store close to your billing address to make it look legit. Nobody was ever at that retail location.
All of the metadata about the swap is manually entered by the attacker. The support people don’t understand that and just read off of their screen. Even the automated systems are fooled.
Is it possible to give more details on all this? I was SIM-swapped on the 21st resulting in a sizable bitcoin theft. I’d really appreciate it if you could email me at my contact email on my profile with any notes you have. Thanks so much!
The language here is worded in such a way that a non-technical person would believe that there's nothing T-Mobile could have done to prevent this from happening. I was hoping to hear why employee email accounts contained customer addresses and phone numbers but it doesn't appear like they think that's a problem, nor do they mention it in the closing section on what they plan to do to prevent this in the future.
I would imagine it is difficult to do customer service for a phone carrier without using phone numbers in internal emails. Customer addresses could just be something like "customer is reporting poor service at their home address: 123 Xyz Lane, etc". Presumably all orders placed electronically contain a phone number and address as part of the invoice, so that may be part of it as well.
If it’s a note on the account, there’s no need for the address.
If it’s a message to another team (engineering?) to check the antenna out, then why not just send the general address? ‘Customer at XYZ Lane is reporting poor service’
No need to tie the user in there or their property number. The antenna will cover the area easily enough.
That was posted in April 2018. Very unlikely there's any relation to this.
Also, the OP added that representatives only see the first 4 characters of a password in plaintext. That's still absolutely horrendous and unjustifiable, but not as bad as full plaintext storage.
Of course the typical non-information made up by a PR department and cleared by legal...
So they are saying a contracted Email provider was compromised. It should not be a big secret what provider T-Mobile uses in the US. Microsoft? Gmail? ...?
Earlier today this happened: One of my employer's strategic partners is a national telecom and cellular provider. You probably have their service. Just happens to not be T-Mobile in this case.
Anyway we were working on a project regarding turning down some MPLS circuits at a data center we are exiting and one of the engineers from this telecom asked us to submit further updates and status changes to a personal yahoo email address of his.
I’m still waiting on a response from our account manager if this is standard and expressing concern.
The director of my business unit was apoplectic when I showed him.
But seriously, T-Mobile talks about their provider, not about a random employee using an unauthorized one. Even if their statement has little substance, I assume it is not directly untrue. But even that happened before...
I've actually had good encounters with Fi support. Funny enough, I think it's the only Google service that I've been able to get a human to talk to for an issue.
T-Mobile says that no financial data or social security numbers were accessed in this data breach, but account info like name, billing address, and phone number was accessed.