Tag Archives: T-Mobile

T-Mobile Sued For Lack of Security

I am always skeptical about these lawsuits.  One issue is usually “standing”, but in this case I don’t think that will be a problem.  Often, if the party being sued thinks it is going to lose, it settles quietly, with no precedent set by a court decision.  I predict this one may be settled quietly by T-Mobile, UNLESS the plaintiff is more interested in creating a precedent.  We shall see.

OK, here is the story.

Carlos Tapang is suing T-Mobile because someone was able to take over his phone account, transfer it to another carrier and use that new account to compromise his cryptocurrency account to the tune of $20,000 plus.  The good news (not really) is that this occurred when Bitcoin was selling for about $7,000, not the high price of $20,000.

The reason T-Mobile will likely lose if this goes to trial is that T-Mobile said that they would put a PIN on his account, BUT DID NOT.  Oops.

Also, the hacker socially engineered T-Mobile customer service until one customer service person believed the hacker’s story and allowed him into the account without knowing the proper information.

THIS HAPPENS ALL THE TIME – CUSTOMER SERVICE PEOPLE ARE TRAINED TO KEEP CUSTOMERS HAPPY, NOT SECURE.

If this goes to trial and T-Mobile loses – big if – then it could force the carrier to improve its security.  That is part of what the plaintiff says he wants out of the lawsuit.

Tapang was able to recover his phone number – actually, he is lucky; many people lose their number permanently.  But by then it was too late, the wallet had already been emptied.

While the article doesn’t say, what probably happened is this.

The attacker somehow figured out that he had a cryptocurrency account and either knew or guessed that it was tied to his phone number.  This is the typical SMS “two factor” authentication, which sends a code by text message to your phone number.

Using a text message as the second factor is relatively insecure because the only thing being checked is control of the phone number, not possession of a particular device.  If someone gets your number moved to a phone they control (a port-out to another carrier or a SIM swap at your own carrier), every text message follows it, including the PASSWORD RESET link and the TWO FACTOR text message code.  That is probably exactly what the hacker did.  Then he emptied Tapang’s cryptocurrency wallet.

And, as we see all the time, the cell phone carriers are horrible when it comes to security.  It is hard to train call center employees, especially with the high employee turnover (for some call centers it is more than 100% turnover per year).  If security is good and they won’t hand over information, they wind up with upset customers.  On the other hand, if they do turn over the information without proper authentication, they wind up getting sued.  It is a challenge for the carriers because people want convenience over security.  Until it costs them $20,000.

Well, what can you do?

Number one – do set up a PIN on your cellular account and be a pain in the rear until they actually do it.  TEST IT: call in afterwards and ask for an account change; if the rep proceeds without asking for the PIN, the PIN is not protecting you.  Sprint seems to be very good about the PIN, but if you don’t know it they will sometimes let you answer other questions instead – which is bad security.  More than once I had to go into a Sprint retail store and show them my government-issued photo ID to get a PIN reset.  THAT will deter most hackers.  Not all, but most.

Second, DO turn on two factor authentication for any account that you would be upset about if you lost control of and hackers were able to “empty it out” – such as a bank account, brokerage account or cryptocurrency account.

IF YOU DO NOT CARE WHETHER HACKERS ARE ABLE TO EMPTY YOUR BANK ACCOUNT, SET YOUR PASSWORD TO 123456 AND DON’T WORRY.  IT WILL GET EMPTIED.

Third, if at all possible, do not use a text message as the second factor.  Use an app on your phone such as Microsoft Authenticator, Google Authenticator or Authy.  Once set up, these apps generate each code from a secret stored on the device plus the current time; your phone number never enters the calculation.  If your phone number is stolen it will not help a hacker steal your money.  (One caveat: Authy identifies your account by phone number for its multi-device backup feature, so if you use Authy, turn multi-device off and set a backup password.)

But this is up to you.  If you figure that it won’t happen to you, choose convenience.  If you think that it might happen to you and you would be upset if your account was emptied out, then use two factor, even though it is less convenient.  Google says that less than 10% of GMail users use two factor.

Information for this post came from The Verge.


The Cost Of A Data Breach – T-Mobile May Fire Experian

T-Mobile and Experian both announced that an Experian database containing credit application data for prospective T-Mobile customers (people who applied to finance a new phone or new phone service) between September 2013 and September 2015 was accessed by hackers.  T-Mobile outsources its credit application process to Experian, which is typical, and that is where the breach occurred.

The data that was compromised included name, address, Social Security number, driver’s license number, date of birth and additional, unspecified information.  No credit card or bank information was compromised.

First the punch line and then the rest of the story.

T-Mobile CEO John Legere, who is known for speaking his mind, said that T-Mobile is “instituting a thorough review of our relationship with Experian”.  Does this mean that they are going to fire Experian as a vendor?  Certainly possible, but not a given.  There are only 3 major credit bureaus to choose from, but they could pick someone who is NOT a bureau to manage the process and store the data.  Or they could bring it in-house.

In addition, reading between the lines, T-Mobile had a cyber incident response plan that included providing credit monitoring to the customers whose data was stolen.  That credit monitoring was through ProtectMyID.com, a division of Experian.  Unfortunately for T-Mobile’s PR department, the company that caused the negative PR (Experian) is the company that T-Mobile had set up as the go-to company to make up for the negative PR.

Legere almost immediately Tweeted that “I hear you re: Experian as service protection option.  I am moving as fast as possible to get an alternative in place by tomorrow.” [ Note: the tomorrow he referred to is today].

So at a minimum, it is likely that T-Mobile will “fire” Experian as their credit monitoring service.

Some thoughts about  the situation:

  • Breaches are pretty much inevitable these days.  What you want to do is minimize, mitigate and manage it.
  • T-Mobile/Experian moved quickly in announcing the breach.  If the breach was closed on September 16, 2015 and they announced it on October 1, 2015, that is only a two-week window to plan their response.  This means that they must have had their incident response plan already set up.
  • It is unfortunate that their incident response plan included credit protection services from the source of the breach.  That is hard to plan for.  Perhaps it would have been better to use someone who was not already a vendor.
  • Regarding minimizing the breach effects, why did they keep two years’ worth of history?  It would seem that once the credit decision was made, they could have discarded the data within 30 days.  What you don’t have can’t be stolen.  Companies seem to love to hoard data.  Sometimes that is not a good plan.
  • Apparently the data was encrypted.  More evidence that encryption is not a silver bullet.  Although they are not saying, the fact that the data was compromised even though it was encrypted strongly suggests the hackers came in through a path that had access to the decryption keys, most likely a valid userid and password for a system that decrypts the data as part of its normal job.  Encryption at rest protects against stolen disks and backups, not against an attacker who can log in as the application.
  • Experian has not released any details of the hack and may never release them.  What they want to do is put this behind them.  I am sure they are doing a post mortem even as I write this, and that is where the mitigate part comes in.  I do think they will learn from this, whether they share it with us or not.
  • T-Mobile seems to be doing a good job of managing this so far.
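The retention and encryption points above are easy to see in code.  What follows is an added example, not anything from T-Mobile or Experian: a toy credit-application store that encrypts records at rest and enforces a 30-day retention window.  The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, chosen only so the example needs nothing outside the Python standard library (use AES-GCM from a real library in production); the service-account name, the sample applicant and the dates are all constructed for the demonstration.

```python
"""Added example (not code from T-Mobile or Experian): encryption at rest does
not stop a caller with valid credentials, because the application decrypts for
them, while data already purged under a retention policy cannot be stolen at all.
The cipher below is a toy standard-library construction, not production crypto."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction for illustration)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag authenticating nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ApplicationStore:
    """Encrypted-at-rest store of credit applications with a retention window."""
    RETENTION = timedelta(days=30)   # keep only what the credit decision still needs

    def __init__(self, key: bytes, valid_credentials: dict):
        self._key = key
        self._creds = dict(valid_credentials)     # user -> password (hypothetical accounts)
        self.disk = {}                            # app id -> (decided_at, ciphertext)

    def put(self, app_id: str, record: dict, decided_at: datetime) -> None:
        self.disk[app_id] = (decided_at, encrypt(self._key, json.dumps(record).encode()))

    def get(self, app_id: str, user: str, password: str) -> dict:
        """Any caller who authenticates gets plaintext: the key is the app's, not theirs."""
        stored = self._creds.get(user, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            raise PermissionError("bad credentials")
        _, blob = self.disk[app_id]
        return json.loads(decrypt(self._key, blob))

    def purge(self, now: datetime) -> int:
        """Delete every record older than RETENTION; returns how many were removed."""
        expired = [k for k, (t, _) in self.disk.items() if now - t > self.RETENTION]
        for k in expired:
            del self.disk[k]
        return len(expired)


def run_demo() -> dict:
    """Constructed scenario: one applicant record, one service account, then a purge."""
    key = secrets.token_bytes(32)
    store = ApplicationStore(key, {"credit-batch": "s3cret"})   # hypothetical service account
    decided = datetime(2015, 9, 1, tzinfo=timezone.utc)
    store.put("APP-1", {"name": "Jane Doe", "ssn": "123-45-6789"}, decided)  # constructed sample
    on_disk = store.disk["APP-1"][1]
    results = {"ssn_readable_on_disk": b"123-45-6789" in on_disk,
               "ssn_via_valid_login": store.get("APP-1", "credit-batch", "s3cret")["ssn"]}
    try:
        store.get("APP-1", "credit-batch", "wrong")
        results["bad_login_rejected"] = False
    except PermissionError:
        results["bad_login_rejected"] = True
    tampered = on_disk[:16] + bytes([on_disk[16] ^ 0x01]) + on_disk[17:]
    try:
        decrypt(key, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    results["purged_after_45_days"] = store.purge(decided + timedelta(days=45))
    results["records_left"] = len(store.disk)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The record is unreadable on disk, yet a single stolen service-account password returns the Social Security number in clear, which is the scenario the bullet above describes; the purge is the only control in the block that would have helped the 2013 applicants.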

What is unclear at this point is whether Experian has lost a large customer completely, partly or can recover the relationship.  It appears for sure that they will lose most if not all of the credit monitoring business.

I don’t expect this to have much negative impact on T-Mobile’s business – stay tuned.

Information for this post came from ITWorld.com and T-Mobile’s web site, T-Mobile.com.
