So this was my weekend so far...

someassemblyrequired
01/06/2018 at 20:57 • Filed to: I'm going back to using payphones

Got hacked in a pretty strange way, figured this might be useful information for you all, plus a therapeutic rant so here goes. At some point Thursday night, someone called and set up a MetroPCS account. Let’s call him Eric, since that’s the name he used. At this point, Vilma, the MetroPCS rep, let him take a T-Mobile number that I’ve had with T-Mobile since 2004, and which was registered in my name (definitely not Eric).

Actually T-Mobile doesn’t get off the hook here, they own MetroPCS so this is on them too. Usually I’m a big time T-Mobile cheerleader, but right now not so much.

So anyways, I’m pretty paranoid about security, VPNs for public wifi, complex unique passwords, etc. But it turns out that two-factor authentication (the system where they text a code to your phone that you then enter or read back), is only as strong as the defenses against having your number ported to a different SIM. Which Eric and Vilma pointed out are, to put it generously, not robust.

All of the highly secure, unique passwords that I had for all my accounts went out the window, as “Eric” then proceeded to go hitting banks where I might have accounts, selecting “I forgot my password” and then “text me a code.” The first indication I had that something was wrong was when I got a password change notice for an account. So I had the better half call Bank 1, since she was the primary account holder there. After some lengthy negotiations, she finally convinced them to lock down the account. The Bank 1 supervisor who actually helped us finally mentioned they had seen this with a few T-Mobile customers.

Then I tried to text an account number my wife needed – and my phone showed No Service. No texts or anything from T-Mobile to let me or my wife know that someone had begun the porting process for my number.

Meanwhile, while Bank 1 was messing around, the culprit tracked down from the direct debit for our mortgage that we had an account at Bank 2. At this point, I got another text that they then pulled the same stunt at Bank 2, which actually quickly shut everything down, as soon as I called, thankfully.

They then moved on to request a new password from Bank 3, but since I only have $25 in that account there the joke was on them. Didn’t stop them from trying to take the $25 though, but luckily it was caught in time.

At this point, I went and disabled two factor authentication on every important account that used that number, and also deleted it as a profile number from all of the accounts (since if they called using the stolen number they would have “verified” they were me). That stopped everything, and in the meantime my wife contacted T-Mobile to get the number back, since they wouldn’t talk to me – because I had been deleted from the account when the criminal had stolen my number.

So we get them to transfer back my number. And that process takes almost 36 hours. The time from the first password change notice to starting to reverse the number port was a little over 90 minutes. In that time, the criminal had almost total visibility and access to our bank accounts.

I finally have my number back, but we will see if T-Mobile gets its you know what together on this problem. Right now it looks like they are avoiding trying to address it for all their customers, so if you do have T-Mobile, make sure to call them and set up all the security you can against these types of hacks. These protections are not on by default.

Morals of the story:

1. If you use your phone for two factor authentication, set up maximum security for number port outs or transfers with your carrier.

2. If you are developing websites, password resets should not rely solely on 2FA resets until carriers address the port out issue.

3. T-Mobile people – I know a lot of you, you do a great job, and it pains me to rag on your employer, but it’s time for some tough love. You guys need to get your act together on this – this is a huge potential liability, and this problem is only going to get more acute if you don’t address it now. There need to be significant additional protections for transferring numbers to new SIMs or to other accounts or carriers.


DISCUSSION (14)


rillweid - Now with more TRD and less TDI > someassemblyrequired
01/06/2018 at 21:13

That stinks. I don’t have T-Mobile but this is a good thing to look out for. Thanks for the heads up.


someassemblyrequired > rillweid - Now with more TRD and less TDI
01/06/2018 at 21:16

Definitely not a good experience, but I’m guessing this is a potential issue if you use your cellphone for online accounts on any carrier. It’s one of those situations where I feel like a tool for it happening, but I’m gonna suck up the shame and warn others.


Spanfeller is a twat > someassemblyrequired
01/06/2018 at 21:22

Could this be an issue for corporate accounts?

I remember needing to get a letter from my mom’s office when I needed a new SIM card (she gets two office lines so she gave me one), but then the office changed from Telcel to AT&T....


someassemblyrequired > Spanfeller is a twat
01/06/2018 at 21:27

Possibly. Part of the reason the hack was effective was T-Mobile didn’t text out a notification that someone had initiated a port. So we had no idea, other than the password change notices and the fact my phone wasn’t working, as clues that something like this had happened.


Spanfeller is a twat > someassemblyrequired
01/06/2018 at 21:41

It seems like a shitty situation man, I’m sorry that happened to you, it seems like an unlikely hack!


pip bip - choose Corrour > someassemblyrequired
01/06/2018 at 21:43

That’s scary


GLiddy > someassemblyrequired
01/06/2018 at 22:03

This is scary. I have 2-factor on a couple accounts, and am on T-Mobile. I wonder if it might be better to just use my Google Voice number? I remember that Google Voice numbers are notoriously hard to port.


CompactLuxuryFan > someassemblyrequired
01/06/2018 at 22:05

This is exactly why app-based two-factor is superior to receiving a text. However, it’s not available for everything. The CEO for the company I work at had this done to him a few weeks ago in order for somebody to go in and steal the company’s Instagram handle (of all things), which was set up through text because Instagram doesn’t offer app two factor. His carrier is Verizon, however, and they didn’t port his number, they just called and ordered a replacement device to their own address, which is even worse.


FTTOHG Has Moved to https://opposite-lock.com > someassemblyrequired
01/06/2018 at 22:28

We use RSA 2-Factor at work. It’s actually more like 2.5 factor, because in addition to the code that changes every 60 seconds you need a 6 character PIN spliced into the code. And your standard password. It’s a pretty elegant solution because it requires having the soft token on a physical device, and in my case the device is an iPhone with an 8-digit PIN that I can nuke from orbit if I lose it. I think tokens can be revoked on the server side too. I’m amazed banks not only don’t use RSA at least as an option for those that want it set on their accounts. I’d use it for any web account that has my financial info if I could. I’m not for forcing it on people, but SMS codes are pretty outdated and clearly insecure.
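As an added illustration (not the commenter's code, nor RSA's product), here is a minimal verifier in Python for the kind of scheme described in the comment above and the "app-based" factor mentioned earlier in the thread: a six-digit code that rotates every 60 seconds, computed as RFC 6238 TOTP over HMAC-SHA1 (the algorithm common authenticator apps use, with the 60-second step substituted for the usual 30), with a PIN spliced in front of it. The secret and PIN are constructed sample values; the point is that the code is derived on the device from a shared secret and the clock, so nothing about it travels over SMS or depends on which SIM currently holds the phone number.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the rotating-code interval described in the comment above
DIGITS = 6          # length of the rotating code

# Constructed sample values for this demo only; never reuse a published test secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of ASCII "12345678901234567890"
DEMO_PIN = "135790"                                   # a 6-character PIN, as in the comment


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant): the code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)            # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_pin_plus_code(submitted: str, secret_b32: str, pin: str, now: int,
                         drift_steps: int = 1) -> bool:
    """Check a passcode of the form PIN + rotating code.

    Both parts are compared in constant time. The code is accepted for the current
    step or up to drift_steps neighbouring steps, to tolerate device clock skew.
    """
    if len(submitted) != len(pin) + DIGITS:
        return False
    pin_part, code_part = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())
    code_ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + d * STEP_SECONDS)
        code_ok = hmac.compare_digest(code_part.encode(), expected.encode()) or code_ok
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 1234567890                      # fixed clock so the run is reproducible
    code = totp(DEMO_SECRET_B32, now)
    print("current passcode:", DEMO_PIN + code)
    print("accepted now:", verify_pin_plus_code(DEMO_PIN + code, DEMO_SECRET_B32, DEMO_PIN, now))
    print("accepted 5 minutes later:",
          verify_pin_plus_code(DEMO_PIN + code, DEMO_SECRET_B32, DEMO_PIN, now + 300))
```

With a 30-second step the function reproduces the RFC 6238 SHA-1 test vectors, which is the quickest way to confirm the HMAC, truncation and modulus steps are right before trusting the 60-second variant.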


someassemblyrequired > GLiddy
01/06/2018 at 22:40

I have heard Google is better, but I’ve not looked into it enough yet to be sure. You can set up a PIN/Passphrase with T-Mobile, but that’s not a security feature that’s set up by default.


someassemblyrequired > FTTOHG Has Moved to https://opposite-lock.com
01/06/2018 at 22:41

Yeah, the SMS codes are really really weak given this type of hack.


someassemblyrequired > CompactLuxuryFan
01/06/2018 at 22:42

Yeah, the fact they won’t just send you a text that says “Hey, a port request has been submitted, if you did not initiate it, please call us at blah blah blah.”


DucST3-Red-1Liter-Standing-By > someassemblyrequired
01/07/2018 at 16:02

Yubikey, just bought a couple for Christmas. Paired with my password manager, and I am pretty much set. As a fellow security ‘enthusiast’, I highly recommend them.


someassemblyrequired > DucST3-Red-1Liter-Standing-By
01/07/2018 at 16:33

Thanks, I had heard a little about them, but I think I’m gonna have to look into getting one now.