The T-Mobile Breach and 5 Ways to Protect Yourself


On August 23, 2018, T-Mobile announced [1] that they suffered a security breach earlier in the week. Potentially up to 2 million customers may have had their personal information stolen as a result. Some of this information included name, billing zip code, phone number, email, account number, and account type. As of the writing of this post, it is unknown how the attack was carried out and who was responsible.

Although some news outlets have reported that no financial information was stolen, it is important to note why this information is still valuable: it can be used to carry out an attack known as SIM swapping.

 

What is SIM Swapping?

A majority of cell phones around the world use SIM cards that allow the phone to communicate with cell towers owned by the service provider. More importantly, SIM cards make it easy to switch from one phone to another.

Although this makes updating to the newest phone model easier and more convenient, it opens up an avenue of attack: someone can transfer your existing phone number to a different SIM card by simply calling up your service provider and pretending to be you. This can lead to a whole host of problems, such as an attacker seeing all your texts and phone calls, you losing access to your phone number, or, more importantly, an attacker gaining access to your two-factor authentication codes.

 

Why should you care?

SIM swapping is a pretty big deal that can result in you losing access to your phone number and every account you enabled SMS (text message) verification on. Although this attack is currently very popular in the cryptocurrency community, we may see an uptick in SIM swapping attacks as a result of this breach. Everyone impacted by this breach and even people who weren’t can take steps to protect themselves today.

 

5 Ways to Protect Yourself Today

  1. Make sure you have a PIN or password associated with your cell provider. That way an attacker will need to know that additional information before they can make changes to your account.
     

  2. Don’t click on any suspicious emails or programs that could compromise your computer or phone. Be extra vigilant if you were affected by the breach, as you may see an increase in suspicious emails pretending to be from T-Mobile.
     

  3. Use strong passwords for your online accounts and try not to reuse the same password for multiple sites. We recommend using a password manager that will help you create and manage strong, unique passwords for every site you visit.
     

  4. If possible, do not use texting (SMS) as a way to do two-factor authentication. Try to use authenticator apps, like Google Authenticator, to log in to sites that you use. If an authenticator app is unavailable, make sure to download your recovery codes for sites where SMS verification is the only option, so that you can access your accounts if your phone gets SIM swapped.
     

  5. Most importantly, try to minimize the amount of data that you expose online about yourself. Think about the security questions that services make you answer like “what is your mother’s maiden name?” If the answers to those questions can be easily found on social media, then your accounts may be at risk.

 

References:

  1. https://www.t-mobile.com/customers/6305378821

  2. https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers

  3. https://www.wired.com/story/sim-swap-attack-defend-phone/

  4. https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/