Got hacked in a pretty strange way, figured this might be useful information for you all, plus a therapeutic rant, so here goes. At some point Thursday night, someone called and set up a MetroPCS account. Let’s call him Eric, since that’s the name he used. At this point, Vilma, the MetroPCS rep, let him take a T-Mobile number that I’ve had with T-Mobile since 2004, and which was registered in my name (definitely not Eric).
Actually, T-Mobile doesn’t get off the hook here: they own MetroPCS, so this is on them too. Usually I’m a big-time T-Mobile cheerleader, but right now not so much.
So anyways, I’m pretty paranoid about security: VPNs for public wifi, complex unique passwords, etc. But it turns out that two-factor authentication (the system where they text a code to your phone that you then enter or read back) is only as strong as the defenses against having your number ported to a different SIM. Which Eric and Vilma pointed out are, to put it generously, not robust.
All of the highly secure, unique passwords that I had for all my accounts went out the window, as “Eric” then proceeded to go hitting banks where I might have accounts, selecting “I forgot my password” and then “text me a code.” The first indication I had that something was wrong was when I got a password change notice for an account. So I had the better half call Bank 1, since she was the primary account holder there. After some lengthy negotiations, she finally convinced them to lock down the account. The Bank 1 supervisor that actually helped us finally mentioned they had seen this with a few T-Mobile customers.
Then I tried to text an account number my wife needed – and my phone showed No Service. No texts or anything from T-Mobile to let me or my wife know that someone had begun the porting process for my number.
Meanwhile, while Bank 1 was messing around, the culprit tracked down from the direct debit for our mortgage that we had an account at Bank 2. At this point, I got another text that they then pulled the same stunt at Bank 2, which actually quickly shut everything down, as soon as I called, thankfully.
They then moved on to request a new password from Bank 3, but since I only have $25 in that account, the joke was on them. Didn’t stop them from trying to take the $25 though, but luckily it was caught in time.
At this point, I went and disabled two-factor authentication on every important account that used that number, and also deleted it as a profile number from all of the accounts (since if they called using the stolen number they would have “verified” they were me). That stopped everything, and in the meantime my wife contacted T-Mobile to get the number back, since they wouldn’t talk to me – because I had been deleted from the account when the criminal had stolen my number.
So we get them to transfer back my number. And that process takes almost 36 hours. The time from the first password change notice to starting to reverse the number port was a little over 90 mins. In that time, the criminal had almost total visibility and access to our bank accounts.
I finally have my number back, but we will see if T-Mobile gets its you-know-what together on this problem. Right now it looks like they are avoiding trying to address it for all their customers, so if you do have T-Mobile, make sure to call them and set up all the security you can against these types of hacks. These protections are not on by default.
Morals of the story:
1. If you use your phone for two factor authentication, set up maximum security for number port outs or transfers with your carrier.
2. If you are developing websites, password resets should not rely solely on 2FA resets until carriers address the port out issue.
3. T-Mobile people – I know a lot of you, you do a great job, and it pains me to rag on your employer, but it’s time for some tough love. You guys need to get your act together on this – this is a huge potential liability, and this problem is only going to get more acute if you don’t address it now. There need to be significant additional protections for transferring numbers to new SIMs or to other accounts or carriers.
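As an added illustration of moral 2 (this is not code from the original post, nor from any carrier or bank), here is one shape a website's password-reset policy can take so that a texted code is never sufficient on its own. The names Factor, ResetRequest, Decision and decide_password_reset, the factor set and the sample requests are all constructed for the example; the rule that an enrolled authenticator app or hardware key must actually be used goes slightly beyond the post, which only asks that resets not rest on the SMS code alone. The policy also emails the address on file about every attempt, allowed or not, because in the story above a password-change notice was the first warning the victim got while the carrier sent none.

```python
"""
Password-reset policy that never lets an SMS code stand on its own.

Added example for the post above, not code from the original post or from any
carrier or bank. Factor names, the policy rules and the sample requests are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    SMS_CODE = "sms_code"          # tied to the phone number: gone after a port-out / SIM swap
    EMAIL_LINK = "email_link"      # tied to the mailbox, not the number
    TOTP = "totp"                  # authenticator app, tied to a device
    HARDWARE_KEY = "hardware_key"  # FIDO2 key, tied to a device


# Factors that survive someone taking over the phone number.
PHONE_INDEPENDENT = frozenset({Factor.EMAIL_LINK, Factor.TOTP, Factor.HARDWARE_KEY})
# Factors bound to something the user physically holds.
DEVICE_BOUND = frozenset({Factor.TOTP, Factor.HARDWARE_KEY})


@dataclass(frozen=True)
class ResetRequest:
    user_id: str
    enrolled: frozenset   # factors registered on the account
    verified: frozenset   # factors already proven in this reset flow
    email_on_file: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    notices: tuple        # out-of-band messages to send whatever the outcome


def decide_password_reset(req: ResetRequest) -> Decision:
    """Decide whether the reset proceeds; the mailbox is told either way."""
    # A notice goes to the email on file regardless, so an owner whose number
    # was ported still hears about the attempt (the post's first warning was
    # exactly such a password-change notice).
    notices = (f"email:{req.email_on_file}:password reset attempted for {req.user_id}",)

    if not req.verified:
        return Decision(False, "no factor verified", notices)
    if not req.verified & PHONE_INDEPENDENT:
        # Only the SMS code was proven: that is the port-out case, so refuse.
        return Decision(False, "SMS code alone cannot authorise a password reset", notices)
    if req.enrolled & DEVICE_BOUND and not req.verified & DEVICE_BOUND:
        # Design choice (assumed policy): a user who enrolled an app or key must
        # use it, so a compromised mailbox plus a ported number cannot bypass it.
        return Decision(False, "account has a device-bound factor; it must be used", notices)
    used = ", ".join(sorted(f.value for f in req.verified))
    return Decision(True, f"reset permitted with {used}", notices)


def _demo():
    # Constructed sample requests: the SMS-only attempt is what the attacker in
    # the post relied on; the second adds a mailbox link and is allowed.
    sms_only = ResetRequest("alice", frozenset({Factor.SMS_CODE, Factor.EMAIL_LINK}),
                            frozenset({Factor.SMS_CODE}), "alice@example.com")
    sms_and_email = ResetRequest("alice", frozenset({Factor.SMS_CODE, Factor.EMAIL_LINK}),
                                 frozenset({Factor.SMS_CODE, Factor.EMAIL_LINK}), "alice@example.com")
    for r in (sms_only, sms_and_email):
        d = decide_password_reset(r)
        print(sorted(f.value for f in r.verified), "->", d.allowed, d.reason)


if __name__ == "__main__":
    _demo()
```

The SMS code still has a role as an additional signal, but the decision never turns on it alone, and the notice to the mailbox is emitted before any policy check so a refused attempt is still visible to the real owner.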