Slashdot Mirror


Man Sues T-Mobile For Allegedly Failing To Stop Hackers From Stealing His Cryptocurrency (theverge.com)

Over the weekend, a lawsuit was filed against T-Mobile claiming that the company's lack of security allowed hackers to enter a customer's wireless account last fall and steal cryptocoins worth thousands of dollars. "Carlos Tapang of Washington state accuses T-Mobile of having 'improperly allowed wrongdoers to access' his wireless account on November 7th last year," reports The Verge. "The hackers then cancelled his number and transferred it to an AT&T account under their control. 'T-Mobile was unable to contain this security breach until the next day,' when it finally got the number back from AT&T, Tapang alleges in the suit, first spotted by Law360." From the report: After gaining control of his phone number, the hackers were able to change the password on one of Tapang's cryptocurrency accounts and steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin," but given the volatility of bitcoin prices, the hackers may not have benefited from the soar.

The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it. Tapang also states that hackers are able to call T-Mobile's customer support multiple times to gain access to customer accounts, until they're able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.
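The two weaknesses the summary describes (a PIN that was promised but never enforced, and support agents who could be phoned repeatedly until one skipped verification) both come down to where the check lives. The Python model below is an added example, not T-Mobile's system, any carrier's actual policy or anything from the suit; the change types, thresholds, agent ids and phone number are constructed. It puts the decision in one function that counts failed PIN checks per account across every call and every agent, locks high-risk changes such as port-outs once the count is hit, and notifies the customer on the existing number before a port-out goes through.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

MAX_FAILURES = 3            # failed PIN checks per account, any agent, before lockout
FAILURE_WINDOW = 24 * 3600  # seconds over which failures are counted
LOCKOUT = 24 * 3600         # seconds that high-risk changes stay blocked after lockout
HIGH_RISK = {"port_out", "sim_change", "number_change"}  # constructed change types


@dataclass
class Account:
    number: str                                   # constructed sample number
    pin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: Optional[bytes] = None              # None: customer never set a PIN
    failures: List[Tuple[float, str]] = field(default_factory=list)  # (when, agent) per failed check
    locked_until: float = 0.0
    notices: List[str] = field(default_factory=list)  # messages sent to the customer
    audit: List[tuple] = field(default_factory=list)  # every decision, with the agent who asked


def _pin_digest(salt: bytes, pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_pin(acct: Account, pin: str) -> None:
    """Store the PIN the customer asked for; from then on it is enforced, not merely noted."""
    acct.pin_hash = _pin_digest(acct.pin_salt, pin)


def authorize_change(acct: Account, change: str, pin_given: str,
                     agent_id: str, now: float) -> str:
    """Single enforcement point for changes requested through support.
    Failures are counted on the account, not per agent or per call, so
    redialling until a different agent answers does not reset the count."""
    acct.failures = [f for f in acct.failures if now - f[0] < FAILURE_WINDOW]
    if change in HIGH_RISK and now < acct.locked_until:
        decision = "denied: locked after repeated failed verification"
    elif change in HIGH_RISK and acct.pin_hash is None:
        decision = "denied: high-risk change needs a PIN on file or in-person ID"
    elif acct.pin_hash is not None and not hmac.compare_digest(
            acct.pin_hash, _pin_digest(acct.pin_salt, pin_given)):
        acct.failures.append((now, agent_id))
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.notices.append(
                f"{acct.number}: repeated failed verification; high-risk changes locked for 24h")
        decision = "denied: PIN mismatch"
    else:
        acct.failures.clear()
        if change in HIGH_RISK:
            # notify on the channel the request is about to move, before it moves
            acct.notices.append(f"{acct.number}: {change} requested; contact us if this was not you")
        decision = "allowed"
    acct.audit.append((now, agent_id, change, decision))
    return decision


def simulate_repeated_calls() -> dict:
    """Constructed scenario: the customer set a PIN; an attacker then phones three
    different agents with guessed PINs, then a fourth agent with the correct one."""
    acct = Account("555-0100")          # constructed sample number
    set_pin(acct, "4821")               # constructed PIN
    t0 = 1_510_000_000.0                # arbitrary epoch seconds
    calls = [("agent-A", "1234"), ("agent-B", "0000"), ("agent-C", "1111"), ("agent-D", "4821")]
    during = [authorize_change(acct, "port_out", pin, agent, t0 + i * 600)
              for i, (agent, pin) in enumerate(calls)]
    # the real customer, correct PIN, once the lockout has expired
    after = authorize_change(acct, "port_out", "4821", "agent-E", t0 + LOCKOUT + 3600)
    return {"during": during, "after_lockout": after,
            "notices": acct.notices, "agents_in_audit": sorted({a[1] for a in acct.audit})}
```

The audit list is what a fraud team would query: the same account failing verification with three different agents inside an hour is the pattern the complaint describes, and it is only visible when the record is kept per account rather than per call.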

133 comments

  1. T-mobile? by Anonymous Coward · · Score: 0

    Then why is there an AT&T icon at the top of the article?

    1. Re: T-mobile? by Anonymous Coward · · Score: 0

      Then why is there an AT&T icon at the top of the article?

      Because his number was ported to AT&T.

      All the criminal activity happened on AT&T's side.

      But it's ridiculous to go after T-Mobile; they released the number after being given the correct info on the port request, and restored the number after being told the request was fake.

      Moral of the story is to keep your personal data private. Nobody did anything wrong here except for the hackers.

    2. Re:T-mobile? by Anonymous Coward · · Score: 0

      Aww look, it's the pathetic little neckbeard who can't get work because of indians (or at least that's who he's decided to blame). Imagine being on here, copy-pasting that shit, endlessly. What magnificently pathetic worthlessness you embody. Well done you. Don't forget to top yourself.

    3. Re: T-mobile? by parkinglot777 · · Score: 1

      Because his number was ported to AT&T.

      All the criminal activity happened on AT&T's side.

      But it's ridiculous to go after T-Mobile; they released the number after being given the correct info on the port request, and restored the number after being told the request was fake.

      Moral of the story is to keep your personal data private. Nobody did anything wrong here except for the hackers.

      Did you really read TFA? You just assume that the so-called "hacker" in the story really did the hack? This is another misused case of the word "hacker"...

      Carlos Tapang of Washington state accuses T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th last year. The hackers then cancelled his number and transferred it to an AT&T account under their control. “T-Mobile was unable to contain this security breach until the next day,” when it finally got the number back from AT&T, Tapang alleges in the suit

      The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang’s account prior to the incident, but didn’t actually implement it. Tapang also states that hackers are able to call T-Mobile’s customer support multiple times to gain access to customer accounts, until they’re able to get an agent on the line that would grant them access without requiring further identity verification. The complaint also lists several anonymous internet users who have posted about similar security breaches to their own T-Mobile accounts.

      The thief called up T-Mobile support and social engineered the right person to change all information and gain access to the number, and then the person transferred the number to AT&T. Now you tell me why AT&T should be responsible? Also, nobody gave personal info to anyone. Most information you need to do this kind of theft is usually public. It is all about the skill of finding the right person to talk to on the other end of the line.

    4. Re: T-mobile? by Anonymous Coward · · Score: 0

      Would you argue his data was stolen by phreakers instead?

    5. Re:T-mobile? by wardrich86 · · Score: 1

      AT&T-Mobile

  2. ISR by Anonymous Coward · · Score: 0, Offtopic

    In Soviet Russia, phone company gives coins to YOU.

    1. Re:ISR by Anonymous Coward · · Score: 0, Offtopic

      In Soviet slashdot, Russia gives shit about you

  3. This is a problem always by Anonymous Coward · · Score: 0

    Because they don't want you to go into the store. Not just t-mo but banks as well.

    1. Re:This is a problem always by Anonymous Coward · · Score: 0

      Really? I go into T-Mobile shops fairly often when I have issues and I never have much trouble getting help. There's only a few things that the guys at the shop can't do.

      If they don't want us going to the shop, they're doing a shitty job of it. Plus, whenever we do go to the shop, it gives them a chance at selling other products and services just like any other people that go into those shops.

    2. Re:This is a problem always by Anonymous Coward · · Score: 0

      No shit the shop fleshies are happy to help, Einstein. It's the suits who don't want to write paychecks.

      >they can help with most things
      Yes, I'm aware the fleshies are more useful than machines, and offer a superior experience/service/competence. The suits don't care.

      >they're doing a shitty job of chasing me out
      What, you think staffing a brick'n'mortar with assholes would be a smart business move?

      GP's point stands. The beneficiaries want you using the $8/hr phone jockeys, when not using the automated menu.

    3. Re:This is a problem always by JackieBrown · · Score: 1

      The suits are fleshies, silly. I really hope this term doesn't catch on.

  4. Just call up BitConnect's fraud protection number. by Anonymous Coward · · Score: 0

    Wait, that's not a thing. Thank god for the FDIC then...oh right. Hmmm.

    Well at least you can rest easy knowing the big ebil banks don't have any control over you!

  5. Phone Authentication Isn't by mentil · · Score: 5, Insightful

    Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number. Using an encrypted channel rather than SMS helps, but there are still problems with e.g. IMEI spoofing and, as demonstrated, social engineering. This seems like a targeted attack, as the attacker knew his phone number and which websites he had cryptocurrency on, so 'security questions' likely wouldn't have helped, either.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Phone Authentication Isn't by msauve · · Score: 3, Insightful

      "Using access to a phone number as an authentication method is the REAL problem here. Choose cryptocurrency/banking websites that don't allow access to your account simply by having access to your registered phone number."

      Well, no.

      The phone/SMS thing is supposed to be only one factor in a multi-factor ID system. And, since there are supposedly legal restraints in place to prevent unauthorized transfers of phone numbers, it's not unreasonable. When I read the title, I was inclined to think the guy was just trying to misplace blame. But, if the carrier was social engineered to do a number transfer, the onus is on them. Number portability should require effort, for good reason.

      Banks are, by law, supposed to require two factor authentication. (Crypto is the WWW - Wild Wild West). Unfortunately, the rules allow one factor to be the device used to access the account (e.g. web cookies). That makes it too easy for both factors to be present on a single device (re: password managers). Multi-factor authentication only really works if the factors are forced to be physically separate.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Phone Authentication Isn't by tlhIngan · · Score: 1

      phone/SMS thing is supposed to be only one factor in a multi-factor ID system.

      Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor - they note that you cannot control phone numbers and a phone number does not necessarily lead to the phone in question.

      And given the known vulnerabilities in SS7, it's entirely possible to take over a part of the phone network temporarily (especially cellular networks, which use SS7).

      Thus, SMS is no longer valid as a mechanism for multi-factor ID - it's too vulnerable. It's part of the reason why everyone has moved to authentication apps.

    3. Re:Phone Authentication Isn't by msauve · · Score: 2
      "Nope, it's not. NIST has officially delisted SMS and phone numbers as a valid factor"

      You are wrong. Use of the PSTN is now "RESTRICTED". "Delisted" is not even a category. Further, the guidelines specifically include the use of SMS:

      The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways when communicating with the verifier:
      ...
      Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the PSTN (SMS or voice).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Phone Authentication Isn't by tirnacopu · · Score: 2

      Actually you both have referred to the correct source of information, but at different times: when Bruce Schneier mentioned this in 2016 at https://www.schneier.com/blog/..., the SP800-63b draft said "deprecated"; it's now "restricted". Goes to show how difficult it is to stay informed and compliant in this constantly changing threatscape.

    5. Re:Phone Authentication Isn't by msauve · · Score: 1

      A draft is never normative.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Phone Authentication Isn't by Anonymous Coward · · Score: 0

      There needs to be so much more awareness of this. Thinking that sending a text is a secure way to verify anyone's identity is idiotic. It's bothered me for a long time that all anyone would need to do to bypass it is do a little research on me and gain access to my phone (which is straight up simple if someone wants it bad enough.) As this kind of thing happens more, I suppose that awareness will grow.

  6. Say what? by msauve · · Score: 1

    steal 1,000 OmiseGo (OMG) tokens and 19.6 BitConnect coins, Tapang claims. The hackers then exchanged the coins for 2.875 Bitcoin and transferred it out of his account, the suit states. On November 7th, the price of Bitcoin was $7,118.80, so had the hackers cashed out then, they would have netted a profit of $20,466.55. Tapang goes on to say, "After the incident, BTC price reached more than $17,000.00 per coin,"

    WTF does the price of Bitcoin have to do with it? If someone stole $20 from me 5 years ago and bought a Bitcoin with it, it's unreasonable for me to claim $9K in damages today.

    Maybe the thieves then bought some coke off Silkroad and snorted it. Net Present Value, $0.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Say what? by mysidia · · Score: 4, Insightful

      WTF does the price of Bitcoin have to do with it?

      The price of Bitcoin and whatever business ventures the attackers spent the money on are irrelevant. The damages are the market value of exactly what was stolen at the time that it was stolen --- with the POTENTIAL of adding lost price appreciation between the time stolen and the next statement period on the account, if the theft was not discovered immediately because the accountholder was reviewing accounts infrequently, only by reconciling statements with their accounting. Beyond that, LOST PROFITS are theoretical and will be very difficult to claim, since the victim would have had the time to buy replacement crypto and chose not to.

    2. Re:Say what? by Comrade+Ogilvy · · Score: 3, Informative

      In a civil case, it is always reasonable to suggest the replacement costs of that which was damaged or stolen. Judges and juries who agree with the plaintiff's argument regarding fault do not automatically accept such price numbers, for various reasons, including the prices swinging too much to set an obvious number.

    3. Re:Say what? by CaptainDork · · Score: 1

      The damages are the market value ...

      The play money has no value at all.

      It's like saying someone stole his pet rocks.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Say what? by mysidia · · Score: 2

      The damages are the market value ...

      The play money has no value at all.

      It's like saying someone stole his pet rocks.

      That's not true. The money had value at the time it was stolen, based on the fair market value (or what the market would pay for the property at the time that property was stolen or changed without permission), and could have been sold by the legitimate owner for an amount of cash --- therefore the lost property equals that amount of cash it could have been sold for instead (as of the point in time before the first unauthorized transaction) MINUS the worth of any amounts of $$$ or property that were successfully salvaged or returned.

    5. Re:Say what? by CaptainDork · · Score: 1

      The money had value at the time it was stolen ...

      "Money," in your context, is fiat.

      In the pet rock analogy, the money had value at the time it was stolen ...

      The market value of the pet rocks was imaginary and emotional.

      You know, like binary unicorns and stuff.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re: Say what? by CaptainDork · · Score: 1

      The first thing the guy has to do is show damages.

      That requires discoverable evidence.

      Also, he has to show violation of contract on the part of the service provider.

      Time will tell.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re: Say what? by Anonymous Coward · · Score: 0

      Hmm if it's like auto insurance, it would only concern the cost to replace the lost item. So if his crypto wealth tanked to $10 they could offer him $10.

      But I think he will lose this fight.

    8. Re:Say what? by Anonymous Coward · · Score: 0

      A lot of binary goods have value despite being purely nothing more than a number.

      For example, despite being literally nothing more than a 2048-bit number, an RSA signing key (private key) might have a substantial value (especially on a black market) because of what that key is used to sign/decrypt and who trusts data signed with that key.

      Bitcoin is the same: there is no money, but a 2048-bit RSA key which accesses a wallet containing 2 bitcoins will have over 10k USD value right now. I can literally sell that number for 10k USD (or 1mil yen or 2k hotdogs or 50k pet rocks) and someone will pay me that much for it. Isn't that cool?

    9. Re: Say what? by Anonymous Coward · · Score: 0

      Said RSA signing key only has value to criminals seeking to use it for criminal activity. It has value to the owner, but the only 'market value' is in criminal markets that law enforcement, and any vigilante forces that the market will bear, should be actively striving to obliterate.

    10. Re:Say what? by mysidia · · Score: 1

      "Money," in your context is fiat

      The cryptocurrency is also considered a form of money -- in terms of however much fiat the market says that cryptocurrency is worth during a particular day.

      The government has already recognized that cryptocurrencies are cash-equivalent, if common marketplaces exist for trading them that establish their pricing and worth in fiat.

      The market value of the pet rocks was imaginary and emotional.

      No... the loss is similar to stolen gold. Your derogatory opinion regarding the fundamental worth of the cryptocurrency has no relevance to the case; the monetary value of what was stolen is decided by what people were willing to pay for that thing at the time of the theft, quoting its price from public marketplaces, if they exist --- marketplace quoted prices are verifiable and thus not imaginary, since they show the price of the goods for trade....

      Just because the value of gold may fluctuate after the theft, or the thief may have traded the gold for something else before robbing the account, does not mean the loss is something other than the fair market value the gold had at the time it was stolen --- the loss is not the replacement value of the property LATER, months after the theft, after the price may have gone to zero, any more than the $$$ stolen would be reduced if the property was perishable goods such as milk that went sour while they were in the thief's possession.

    11. Re: Say what? by mysidia · · Score: 1

      Hmm if it's like auto insurance, it would only concern the cost to replace the lost item.

      That's because your auto insurance policy is actually a contract that specifies how the loss is to be determined and what insurance will pay you.

      Generally if you are a business or investor --- then your loss from theft will be the retail dollar amounts on the lost item, to include your lost profits since you would or could have sold those items but the theft got in the way, or at least the number of dollars you paid for them ---- But if you are a consumer whose purpose for holding the property is not to hold it as an investment and/or resell at a higher price, or you make personal use of it instead, then the loss IS the lesser of the cost to restore the item by repairing the damage OR the cost on the aftermarket to replace your lost item with one of similar type and condition and remaining value to the one you lost - fulfilling the same personal use and remaining lifetime ---- for example, if your car was 10 years old at the time it was lost, and its value on the market depreciated over those 10 years from $30,000 to less than $1,000, that's what you would have gotten if you sold it -- when your car worth $1000 today is totalled, you're not entitled to a brand new car that is worth the original $30k, before your mileage and normal use came into play.

      On the other hand, if you hold a classic car or a painting you bought for $100k as a collector's piece or investment, then that is an appreciating asset purchased not to be used or consumed --- but with the intention of profiting from it, and the loss from a theft would be an estimate of Fair Market Value based on expert opinions that would be more than you paid for it.

    12. Re: Say what? by EndlessNameless · · Score: 1

      This is a stupid and naive point of view. Law enforcement will never eliminate black markets, so we need practical ways to address loss.

      The assets controlled by that key have a market value. Theft of the key easily translates to theft of the assets. You can recover the value of lost assets either from the thief or from a party who was responsible for securing them. This is why most parking garages explicitly disclaim responsibility on the tickets---they do not want to be legally responsible for securing your vehicle and its contents.

      The question here is whether T-Mobile is legally responsible for ensuring the integrity of his account and SMS communications. I'm not a lawyer so I'm not going to guess at the outcome of a trial. If I were T-Mobile, I'd probably just pay the ~$20K to avoid court and bad publicity.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    13. Re:Say what? by CaptainDork · · Score: 1

      A lot of binary goods have value despite being purely nothing more than a number.

      e-books.

      e-books would have been a better analogy that failed.

      --
      It little behooves the best of us to comment on the rest of us.
    14. Re:Say what? by CaptainDork · · Score: 1

      No... the loss is similar to stolen gold.

      TL;DR right after I thought, "How much, precisely, does binary weigh?"

      --
      It little behooves the best of us to comment on the rest of us.
    15. Re:Say what? by Anonymous Coward · · Score: 0

      The money had value at the time it was stolen ...

      "Money," in your context, is fiat.

      In the pet rock analogy, the money had value at the time it was stolen ...

      The market value of the pet rocks was imaginary and emotional.

      You know, like binary unicorns and stuff.

      My pet rock weighs 1kg and is 99.99% gold.

    16. Re:Say what? by CaptainDork · · Score: 1

      How much does a cryptocoin weigh?

      --
      It little behooves the best of us to comment on the rest of us.
  7. Maybe by Murdoch5 · · Score: 3, Insightful

    It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure. If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP, then they are at fault for not providing a reasonable, and responsible security level for the account access.

    However, it also appears that the coin exchange is also at fault, for not providing the same level of infrastructure security.

    This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security. I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

    1. Re: Maybe by Anonymous Coward · · Score: 0

      absolutely at fault, but when someone calls in 6 times in twenty-four hours insisting that they are who they say they are and they say "[redacted]" (i.e. 'the magic words'), the support personnel are supposed to give in because that's the code for "we're the fucking government, let us in now, or else."

    2. Re: Maybe by WaffleMonster · · Score: 1

      It sounds like AT&T or T-Mobile (not sure which carrier), was absolutely, partially at fault, for not assuring a reasonable level of security to their infrastructure.

      CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

      This entire problem seems to be a classic and disturbing case, of companies not providing reasonable security.

      If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

      If the account in question did not require at least 2FA+ to access, which could have been enabled and disabled by the customer, and its contents were not fully encrypted, to the point that it required an additional layer of security to unlock, such as a TOTP ...
      I think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully, could finally usher in what is sadly missing from almost every service the average person accesses.

      What do encryption and 2FA have to do with T-Mobile's role in any of this? Sounds to me like you're confused about the underlying issue.

    3. Re: Maybe by Maritz · · Score: 1

      Oooh, big claim. No evidence offered. Probably because it's absolute bollocks.

      Maybe they have an old code, but it checks out, right?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re: Maybe by Murdoch5 · · Score: 1

      CPNI rules for carriers don't mandate 2FA. They do require change notification and some (unspecified) method of subscriber authentication such as an access PIN.

      Which is a major issue; under no circumstance should a carrier be able to see into a person's account without the person in question providing security keys or turning off account level encryption.

      If you think existing laws are insufficient you should work to build consensus to get them changed. Rooting for lawyers to be the arbiters of what is "reasonable" is itself extraordinarily reckless and unreasonable.

      I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology. The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

      What do encryption and 2FA have to do with T-Mobile's role in any of this? Sounds to me like you're confused about the underlying issue.

      If you give someone an account and nothing stops a customer service rep from getting into that account, or resetting access to that account, that would be a major security violation. Accounts should always be stored in such a way as to prevent anyone but the user of that account from gaining access, or changing access details, 2FA and encryption help to stop this problem through validation of the account holder.

    5. Re: Maybe by WaffleMonster · · Score: 1

      Which is a major issue; under no circumstance should a carrier be able to see into a person's account without the person in question providing security keys or turning off account level encryption.

      How do they send out bills, manage and provision access if they can't see into a person's account?

      I think you mean to say access controls or masking rather than encryption. Encryption makes no sense in this context. The carrier owns subscriber data NOT the customer.

      I never said lawyers should be the arbiters of what is reasonable, as the legal system is massively behind when it comes to technology.

      Hard to interpret the words "think this lawsuit has the potential to set a good bar for reasonable security and if it's done right and successfully" in any other way than a prayer for legal precedent.

      The first step towards fixing an industry wide issue, such as this, is to get companies who lack security, discredited in the IT community, which is something a number of people are working on.

      The IT community is NOT EVER going to discredit ITSELF. I've had a front row seat for centuries as the entire industry blissfully got away with doing stupid shit. Low hanging fruit stupid it knows full well is wrong yet they can't help themselves. They hide behind "EVERYONE DOES IT". The "IT community" is a bunch of spineless followers.

      Perhaps 1000 years from now when:

      - EVERYONE is no longer entering passwords into adhoc web forms
      - Give up insecure authentication protocols (e.g. CHAP/Kerberos).
      - No longer rely entirely on automated procedures based on feedback from insecure protocols (eg DNS and HTTP) to establish trust relationships (PKI)
      - When banks and ecommerce sites stop filling their pages with faux padlock gifs and meaningless assertions of security.
      - When anyone in the world can't put whatever the hell they please in the FROM line of an email with an executable payload and the recipient have no clue.

      In 1000 years come back and talk to me about security and IT community discrediting itself. Until then I'll keep laughing my ass off at any and all such assertions.

      If you give someone an account and nothing stops a customer service rep from getting into that account, or resetting access to that account, that would be a major security violation.

      I agree that, from what is known about the T-Mobile case, if the customer went out of their way to set up a security procedure to authenticate themselves and T-Mobile failed to live up to their end, they should be on the hook for something.

      Yet to assert customer service reps bringing up accounts is a major security violation is not something I agree with.

      Accounts should always be stored in such a way as to prevent anyone but the user of that account from gaining access, or changing access details, 2FA and encryption help to stop this problem through validation of the account holder.

      The account MUST be available in a form accessible to the provider in order to provide and manage service. It can't as a practical matter be encrypted and accessible to nobody but the end customer. This is not a reasonable position to have. It's a complete nonstarter.

      If a provider offers enhanced security for CSR access to accounts and the user takes them up on it... god bless. If you think everyone should be required to OFFER some kind of enhanced security... physical token cards, encryption keys then god bless... work to build consensus for that position.

      Otherwise in the real world EVERYONE does stupid shit.. check caller id, ask for an SSN or PIN...etc. The only credible alternative are physical trips to a physical office with government issued IDs in hand. This wastes a tremendous amount of everyone's time and resources and simply isn't worth doing by default even if it prevents some fraud.

      Nobody is deploying key fobs or encryption keys to their customers by default, and even if they did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The chance of IT driving such change is zero.

    6. Re: Maybe by Murdoch5 · · Score: 1
      I'm going to take your reply out of order:

      Nobody is deploying key fobs or encryption keys to their customers by default, and even if they did it wouldn't solve much. People will lose or destroy them and expect their service anyway. The chance of this changing any time soon is zero. The chance of IT driving such change is zero.

      Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure. If we need to look into something, such as a product failure, the customer has to go into the software and send us a version of the key that is a one time hash. Once we have that we, we gain access to the key and read the log files. Once we're done, the key is automatically regenerated and once again we're locked out. You can't say, "Nobody is deploying keys fobs or encryption keys", when responsible companies are.

      I'm not the only person doing this; you can find many companies that will. For instance, look at ProtonMail: they have the same approach, and there are several electronic lab book tools that function the same way, among others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same: "This is how a responsible company handles security. If you want to use insecure devices, go ahead, but I'll never sell you one."

      The account MUST be available in a form accessible to the provider in order to provide and manage service. It can't as a practical matter be encrypted and accessible to nobody but the end customer. This is not a reasonable position to have. It's a complete nonstarter.

      I answered this above, but this is very doable and reasonable. There is no reason I have to access one of my customers' accounts without their consent. If there is an issue they need resolved or something they would like looked into, they have to go provide us access, much in the same way as the device access I explained above. This system would be great for mobile carriers, as they have no reason to go into my account, unless I allow it.

      I agree from what is known about the T-Mobile case: if the customer went out of their way to set up a security procedure to authenticate themselves and T-Mobile failed to live up to their end, they should be on the hook for something.

      I don't want to say you're lying, but it sounds like you don't agree at all to this point. The measures I'm explaining are to make sure that the person who can access the account does access the account. If the customer doesn't want someone in their account, then it should be so, but currently, as far as I'm aware, no North American carrier allows anything close to this level of reasonable protection.

      - EVERYONE is no longer entering passwords into adhoc web forms
      - Give up insecure authentication protocols (e.g. CHAP/Kerberos).
      - No longer rely entirely on automated procedures based on feedback from insecure protocols (eg DNS and HTTP) to establish trust relationships (PKI)
      - When banks and ecommerce sites stop filling their pages with faux padlock gifs and meaningless assertions of security.
      - When anyone in the world can't put whatever the hell they please in the FROM line of an email with an executable payload and the recipient has no clue.

      There are points that need to be driven home to the average person; they're good points to make, and people in the technology field should be driving them home.

      -You really shouldn't be using passwords, unless it's as a first factor method of authentication, and even then, use something like a YubiKey.
      - Excellent point on insecure authentication protocols; they should be actively discontinued and even blocked.
      - A good firewall should block all HTTP request and as people move onto Secu

    7. Re: Maybe by WaffleMonster · · Score: 1

      Wrong! I run two companies, which make IoT enhanced products, everyone of my customers gets dedicated encryption keys when they set the products up, and those keys prevent me from seeing any of the data which is transmitted from the devices to my infrastructure.

      Good for you but TFA is about Telecom services provided to mortals not "IoT enhanced products". It's hard to parse any relevant point of similarity from this. The issue of encrypting data was in no way relevant to TFA.

      The issue was a CSR failing to authenticate account holder requesting an account change. The carrier was managing account information all mobile carriers are required to possess in order to provide service.

      I'm not the only person doing this, you can find many companies that will, for instance look at ProtonMail, they have the same approach and there are several electronic lab book tools that function the same way, amount others, which I'm not going to list. I've had customers complain about this level of security, but my answer is always the same, "This is how a responsible company handles security, if you want to use insecure devices, go ahead, but I'll never sell you one.".

      Sorry you lost your encryption key... the phone number you had for the last 40 years doesn't work anymore and there is nothing you can do to get it back. Sorry but hey at least we are serious about handling security...?

      I hope you can see how a niche email service whose raison d'être is SECURITY has nothing on earth to do with practical issues facing mobile carriers with normal human beings as customers.

      I answered this above, but this is very doable and reasonable. There is no reason I have to access one of my customers accounts, without their consent.

      You seem to be mapping your experience on to something else entirely and assuming they are the same.

      The point is that there should be no way for a customer service rep to see the account, or perform control functions, without the account user letting them.

      The point of contention from TFA is modalities surrounding "account holder letting them".

      When you setup one of my devices, it warns you a number of times to backup your password, as if you lose it, we can't do anything to get you into your account.

      While it may well work for your purposes this is a nonstarter for mobile telecom with millions of mortals as customers.

      -You really shouldn't be using passwords, unless it's as a first factor method of authentication, and even then, use something like a YubiKey.

      Who are you to tell me what I should or should not be doing? Security is a set of TRADEOFFs. Everyone has different value judgments.

      A good firewall should block all HTTP requests and as people move onto Secure DNS.

      Secure DNS is currently a massive unpatched DDOS amplification vector that puts the network at considerable risk while solving nothing PKI hasn't already addressed.

      It's not like anything resolved by DNS queries is itself secure. BGP isn't secure and the network is inherently untrustworthy. What difference does secure naming service really make?

      All email should be encrypted, PERIOD! All of my customers have to use secure mail to contact my companies.

      Who are you to decide this for me? Maybe a cryptographic signature is sufficient for my purposes. Perhaps I WANT content to be public or be evident on the network for management/transparency purposes. Telling people what they should or should not do because of what you personally think is important misses the reality people only care about what is important to them.

      In regards to billing, the system should watch the usage data and bill based on that, which wouldn't affect the account security

      To bill usage you need to know who th

    8. Re: Maybe by Murdoch5 · · Score: 1

      Your entire reply sums up to: "It's hard, annoying and I'm going to cry about it"

      Everything I talked about is practical and reasonable, and security is the most important first consideration in today's society. People enjoy living easy, insecure lifestyles that are a mess of digital footprints and poor electronic habits, and it's up to people who know better to get them to stop. If your entire argument is that you're going to do what you want and no one should force you to do it in a secure way, then you're part of the problem; everything I listed is reasonable, and any reasonable tech company or electronic service company should strive towards and beyond it.

  8. Re:Well sure by BronsCon · · Score: 1

    Buy T Mobile, our phones suck and our prices are high

    T-Mobile has the same Samsung Galaxy S8 and iPhone X as AT&T, Sprint, and Verizon and, with Sprint as the possible exception, has better pricing than the rest. The fuck you talkin' about?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  9. Good luck with that, dude by Anonymous Coward · · Score: 0

    Anyone can sue anyone for anything.
    The trick is actually winning the lawsuit.

    "Good luck with that, dude." /s

    1. Re:Good luck with that, dude by Maritz · · Score: 1

      If he can show that they were supposed to apply a PIN but did not, he's got a fairly solid case. Will cost him an awful lot though, the US judicial system is not supposed to be utilised by ordinary plebs unless they're in the dock.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:Good luck with that, dude by Anonymous Coward · · Score: 0

      If this guy wins anything at all, it'll open a floodgate of class-action lawsuits against ISPs and mobile carriers, and everyone's Internet rates will at least double in the next year to cover the court costs.

  10. I was expecting to favor the phone company by gurps_npc · · Score: 4, Insightful

    But when I read they had promised they had put a security code in place but they had not done so, they lost it.

    This guy took the appropriate steps, the phone company should pay up.

    If you say you have security on your account but do not actually put it in, then you owe the customer money.

    --
    excitingthingstodo.blogspot.com
    1. Re:I was expecting to favor the phone company by CaptainDork · · Score: 2

      The promise to pin-protect better be discoverable, otherwise it didn't happen.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:I was expecting to favor the phone company by gurps_npc · · Score: 1

      If they made any effort at all to do it, there will be e-records of the attempt.
      If it was done on the phone, there should be some note to do it.

      --
      excitingthingstodo.blogspot.com
    3. Re:I was expecting to favor the phone company by Anonymous Coward · · Score: 0

      Maybe, but if you are dumb enough to use your phone number as an authentication method, I think you pretty much deserve to be separated from your money.

    4. Re:I was expecting to favor the phone company by Anonymous Coward · · Score: 0

      It's also fine to eliminate the security illusion by using these insecure means as proof that there can never and will not ever be secure internet transactions.

      No, it can't work easier or better if you make me do more things: it is insecure.

      It's time to start billing the shills for the lie that it was.

    5. Re:I was expecting to favor the phone company by CaptainDork · · Score: 1

      The pin is set at the carrier and they have precisely the same technology as you and I do, including a Delete key.

      A pin on the PHONE is not of any help. He didn't lose custody of his hardware.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:I was expecting to favor the phone company by vux984 · · Score: 1

      I see your argument, but I'm not sure the phone company can be held liable for losses unrelated and beyond the phone services.

      I mean, suppose you'd hired a locksmith to replace the lock on your car door. And he bungled it, and your car was ransacked, and its contents emptied, and then it was set on fire.

      Would the locksmith be liable? or is this going to land on your regular car insurance?

      I did a quick skim of what locksmith insurance coverage looks like, and it would cover damage or injury caused by the lock (e.g. if you left an exposed edge and it cut someone, or the lock wasn't aligned properly and damaged the door itself and the door needed replacing, that would be covered). But it doesn't look like the locksmith is liable for losses due to theft if the lock is faulty. That would be your regular theft insurance.

      But even if we think a case against the locksmith is viable, then suppose that inside the glove box you had left the account information and passwords for your offshore bank accounts worth 200 million, and they get drained.

      Is the locksmith really liable for that loss too? I'm not buying it.

    7. Re:I was expecting to favor the phone company by Anonymous Coward · · Score: 0

      Is the locksmith really liable for that loss too? I'm not buying it.

      The term you are looking for is an expanded case premises liability. Typically premises liability refers to personal injury cases but also is used in criminal injury cases, such as theft.

      The answer is yes, locksmiths have been successfully sued for all damages a burglar caused because that third-party burglar managed to break into a property in a way the burglar claimed could not be done.

      Another legal term relevant is adequate security. If the court deems T-Mobile's security adequate, the case dies. If not, they might be held liable because of the additional security feature they claimed to have put in place but failed to do so. That statement turns T-Mobile's position into a contractual agreement to enact that security mechanism as a matter of adequate security.

      The expanse of T-Mobile's liability will depend on state statute and the Judge presiding. If T-Mobile is deemed to have a reasonable expectation that the account was or plausibly could have been used as two-factor authentication along with the other factors outlined above, T-Mobile might be on the hook for any and all losses incurred.

      It has happened to locksmiths that have made specific claims. It has happened to small-business owners that knew better, ex. where repeated crimes are committed in the parking lot and no additional security measures were put in place. It has happened to homeowners that knew there was a hazard in their yard and lacked no-trespassing signs. There is no legal reason why T-Mobile is not liable as well.

    8. Re:I was expecting to favor the phone company by Anonymous Coward · · Score: 0

      They mean if the request was made by phone, not to put a pin on the phone.

    9. Re:I was expecting to favor the phone company by CaptainDork · · Score: 1

      If it was done on the phone ...

      vs

      If it was done over the phone ...

      --
      It little behooves the best of us to comment on the rest of us.
    10. Re:I was expecting to favor the phone company by gurps_npc · · Score: 1

      If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it.

      The phone company did a lot more than merely fail to provide a lock, they actively helped the guy steal stuff.

      If they hadn't promised a lock, then their help could be described as incidental - guy left things unlocked, they had a reasonable belief they were helping the actual owner. But when they promised the lock but failed to deliver, any and everything they did to help the criminal makes them an accessory.

      --
      excitingthingstodo.blogspot.com
    11. Re:I was expecting to favor the phone company by vux984 · · Score: 1

      "If the locksmith physically helped a stranger gain access to your car, then they would be liable for the theft of the car and anything inside it."

      Really? By that logic the bank teller cooperating with the guy with the gun is now an accomplice because 'they physically helped' with the crime. Obviously, the bar is a little higher than that.

      If the locksmith assisted the thieves that's quite different from the thieves taking advantage of a mistake the locksmith made.

      "But when they promised the lock but failed to deliver, any and everything they did to help the criminal makes them an accessory."

      Yes, to an extent I DO see that.

      But if you guard something really valuable, would you hire a few illegal day laborers off the street as your security?

      Likewise, trusting minimum wage outsourced randos in customer service at a telco to be the lynchpin in your personal security chain is pretty stupid.

      I don't trust those guys not to screw up my voicemail when I change rate plans. I wouldn't put them on the critical path of security for my investment accounts.

      You want to hold someone accountable? Might as well hold the idiot company that suggested using your phone SMS as 2FA; THEY also should have known that the sanctity of your cellular account is in the hands of minimum wage outsourced randos.

      Your phone company though, never promised you much of anything; except that if they do fuck up, they'll give you a few bucks credit on your bill and fix it. That's my issue here, much as I hate the telcos... they didn't promise they were competent to be THE lynch-pin in your personal security system protecting all your most valuable assets.

    12. Re:I was expecting to favor the phone company by Obfuscant · · Score: 1

      But when I read they had promised they had put a security code in place but they had not done so, they lost it.

      Yesterday (the day after this story was posted), I got an SMS from T-Mobile:

      T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: ...

  11. T-Mobile is not a bank by Anonymous Coward · · Score: 0

    Show me where T-Mobile agreed to safeguard securities for customers worth tens of thousands of dollars as part of their wireless subscription.

    1. Re:T-Mobile is not a bank by Anonymous Coward · · Score: 0

      But phone providers are an important service which can be used for serious things. Sort of like selling a door lock which doesn't work. There will be liability, and I'm glad. It's way too easy to port away someone's phone number, and if it takes a 20k lawsuit to shut the hole it's well worth it.

    2. Re:T-Mobile is not a bank by gravewax · · Score: 1

      Regardless, you should not be using your phone number to secure something of value. That is just braindead on the part of the user.

    3. Re:T-Mobile is not a bank by Anonymous Coward · · Score: 0

      The user may not know better. But all those websites that use SMS as security, including for example investment banks.

  12. Don't Worry T-Mobile by Anonymous Coward · · Score: 0

    I'm sure that no matter how much it was your fault for letting this happen, you'll somehow not be held responsible. Like if you hire a security guard to guard your property. The most they can lose is their job, right? So, I guess all T-Mobile is out is a customer.

    Now, if the BBB wants to slam them or the DA wants to hold someone responsible for fraud... LOL. Of course, I'm kidding. We can't risk anyone losing their jobs.

    PS - Don't forget to pay them the time period they were failing to guard your property properly.

    1. Re:Don't Worry T-Mobile by _Sharp'r_ · · Score: 1

      I'm sure T-Mobile will use some weasel words in their terms and conditions to say they aren't responsible for anything beyond the lost wireless service time.

      The thing which will argue against that is in your example of the security guard only able to lose his job, to better fit the circumstances the security guard would have agreed to require a secret code (say, a PIN) to validate visitors and instead he told the burglars to come right in, no code required, let me open the door for you. That may still get him in trouble as an accessory, because at that point he's actively assisting the criminals against what he agreed to do as his job.

      T-Mobile, as represented by their employees, took a proactive measure to assist the criminals in violation of what they had agreed with the customer to do. Damages directly attributable to that action have a decent shot at an equitable remedy where T-Mobile has to make the guy whole, i.e. pay for his losses.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      At some point the idiot user has to take some responsibility. Seriously, what sort of idiot secures anything against a phone number nowadays? This is not some new special attack that has only just been thought of, and is EXACTLY the reason why only a retard would use it as an authentication mechanism for anything of value.

    3. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      seriously what sort of idiot secures anything against a phone number nowadays.

      The same sort of person who puts their money in a bank? Or have you not heard of bank robberies, identity theft, etc? The simple fact is that unless you've got specific regulation to protect, you're likely fucked because people like you think that unless it's impossible to steal, the person who has stuff stolen from them deserved it. That's just moronic.

      PS - I was the GP, and I really do hope his suit succeeds. The more companies are punished and must compensate for this shit, the less they'll just let things happen because they're basically out nothing. That and, of course, it means if I get stolen from and they're involved, I have a greater chance of getting my money back. All this bullshit of arguing companies aren't responsible and the consumer is always irresponsible is nothing less than corporate dick licking.

      PPS - Seriously, "at some something the idiot user has to take some responsibility"? What fucking world do you live in where users aren't taking responsibility, especially for shit that's not their fault? Like the George Carlin comment, I'd love to be one of those politicians who can speak about "taking responsibility" as if it were a new thing. As if most people can scapegoat shit in any meaningful way.

    4. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      A bank is insured against theft, my bank is also backed by government guarantees should it go broke so your response is as fucking stupid as the moron that uses his phone to secure something valuable.. choosing a moronic way to lock up something valuable IS HIS FAULT. it is the metaphorical equivalent of putting your back vault keys under your front door mat and then whining when someone took them.

    5. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      When I put money into a bank I am not responsible for any losses due to fraud and get reimbursed for any money stolen from my accounts. Add in the government FDIC protections for amounts up to $250,000 and I am pretty well covered. Cryptocurrencies offer none of these protections. Cryptocurrencies shift 100% of the risks to the buyer while providing no recourse when you are a victim of fraud.

      "What fucking world do you live in where users aren't taking responsibility" Earth? Finding people willing to take any responsibility for their actions is becoming impossible and that trait defines today's entire generation of morons with no critical thinking skills, a 60 second attention span, and easy to manipulate.

    6. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      A bank is insured against theft, my bank is also backed by government guarantees should it go broke so your response is as fucking stupid as the moron that uses his phone to secure something valuable.. choosing a moronic way to lock up something valuable IS HIS FAULT.

      The simple fact is that unless you've got specific regulation to protect, you're likely fucked because people like you think that unless it's impossible to steal, the person who has stuff stolen from them deserved it.

      Yep, thanks for proving you don't read and are a moronic asshole. Why do you think banks had regulations forced upon them? Where do you think FDIC came from? It sure as fuck was not a result of banks being generous or pushing regulations to protect their customers.

      No, it was a byproduct of people reasonably using banks and being totally fucked over because of bank runs in the 20s/30s. At some point it was finally realized it was moronic to let bank failures fuck over people and bad for the economy to let banks get out of their responsibilities to customers. If a person tries to secure something with a phone number and transferring that phone number is supposed to require a pin to avoid this whole fucking situation, then obviously their failure to actually require that pin makes the responsible

      it is the metaphorical equivalent of putting your back vault keys under your front door mat and then whining when someone took them.

      No, this is equivalent to your bank deciding to just hand over its copy of your safety deposit box key to some random asshole without bothering to confirm it was you. I'd expect a minimum of compensation for the contents and possibly criminal prosecution for the utter incompetence.

    7. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      Cryptocurrencies offer none of these protections. Cryptocurrencies shift 100% of the risks to the buyer while providing no recourse when you are a victim of fraud.

      So I guess all those people who buy gold shouldn't go to the cops if they're robbed, right? I mean, let's just ignore that the issue is the robbery, not the effective worth of the gold [except in so far as valuing compensation]. If a bank were to turn over your safety deposit box content to some random stranger, do you think you should just suck it up? Take responsibility for their fuck up?

      What fucking world do you live in where users aren't taking responsibility

      Earth? Finding people willing to take any responsibility for their actions is becoming impossible

      The words you're looking for are "trying to". People are "trying to" not take any responsibility for their actions, but that sure as fuck does not translate to them getting out of it. People die of overdoses. People go to jail. People try to blame other people, but they're still shit poor, evicted, and then out on the street (or mommy and daddy's house if they're lucky).

      and that trait defines today's entire generation of morons with no critical thinking skills, a 60 second attention span, and easy to manipulate.

      Welcome to every generation. It's easy to cast stones about how everyone is a moron. You're no moron, right? That's why you just generalized over a whole generation of morons, yet conveniently left out everyone else. Which generation was it that brought us MAD? Which generation was responsible for centuries of petty fiefdoms and virtually continuous wars? Oh, right, that's basically every generation. That's sadly the human condition.

      If all you can bitch about is people not owning up to stuff, perhaps you should start with yourself.

    8. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      a telephone company isn't a security provider, to expect them to provide a bank like mechanism is FUCKING MORONIC. The fact you can't see that means you are almost certain to be parting ways with whatever assets you own in the near future.

    9. Re:Don't Worry T-Mobile by Anonymous Coward · · Score: 0

      a telephone company isn't a security provider, to expect them to provide a bank like mechanism is FUCKING MORONIC.

      Miss the forest for the trees. Or you just don't give a shit about the actual point. Or you simply don't understand what's going on. I'm guessing all of the above.

      The fact you can't see that means you are almost certain to be parting ways with whatever assets you own in the near future.

      Great ass you've got there. Really good for talking out of. Maybe some day you will say something intelligent out of your other big, round hole.

  13. Re:It's a phone. by avandesande · · Score: 1

    That's not what is happening here. People will set up account recovery with their phone used as a relay for a recovery pin. Most likely he has some kind of online wallet linked to it.

    --
    love is just extroverted narcissism
  14. T-mobile's security is shit by MatthiasF · · Score: 2

    I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

    They need to let you choose your own login account names and some security questions.

    Just way too lax helping you keep your account secure.

    1. Re:T-mobile's security is shit by Anonymous Coward · · Score: 0

      That is why I use a shitty NVMO. Good luck getting through to their customer service reps...

    2. Re:T-mobile's security is shit by Obfuscant · · Score: 1

      Just way too lax helping you keep your account secure.

      Hey, it's better, at least. At one point they were relying on client-side javascript for security.

      They need to let you choose your own login account names

      As many cell services do, they run an SMS/email gateway. It USED to be that you could select your own username. E.g., foobear@tmomail.net. You could give that to someone so they could send you SMS via email and they wouldn't have your phone number, too. You could change it if they became a problem. They dropped that with little to no notice, so now if you tell someone your cell's email address they also have your phone number. Makes the service a lot less usable.

      and some security questions.

      Be careful what you ask for. United Airlines decided to add "security questions" to their website, and they appear almost every time you go there to do something urgent. They set the system up with a handful of questions with a PRESET list of answers. "What's your favorite musical instrument?" Things that I can't remember the "right" answer to because none of them are right to begin with. You also cannot just remember "first one on the list" because they scramble the order every time they ask. Sigh.

    3. Re:T-mobile's security is shit by Anonymous Coward · · Score: 0

      Wouldn't that mean that even if there was a pin, someone could call and reset it using the information they likely already had?

    4. Re:T-mobile's security is shit by mentil · · Score: 1

      It's far too easy for people to break in since all you need is the phone number and some personal information.

      Good thing the security is rock-solid for the gatekeepers of people's personal information: TransUnion, Experian, and Equifax.
      Oh, wait...

      Also, answers to security questions tend to boil down to 'personal information'. What's REALLY needed is some kind of interactive test that gets at the core of how someone thinks, in a way that's stable over time, and the exact test can be slightly randomized each time yet the results will always be verifiable as a particular person. Like imagine the Google 'choose all the pictures of Roads' only more subjective, like 'choose all the randomly-generated images you find to be very pleasing'.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    5. Re:T-mobile's security is shit by kyncani · · Score: 1

      They could call and send you an email at least, asking if you really want to make the change.

    6. Re:T-mobile's security is shit by sh00z · · Score: 1

      I had my account broken into on T-Mobile. It's far too easy for people to break in since all you need is the phone number and some personal information.

      They need to let you choose your own login account names and some security questions.

      Just way too lax helping you keep your account secure.

      If you're stuck with crappy pre-defined security questions for which a hacker could find the correct answer, you just need to use "secure" answers! Father's middle name? Oldsmobile! First school you attended? Burrito!

    7. Re:T-mobile's security is shit by Khyber · · Score: 1

      Why are you using a shitty NVMO when you should use a good MVNO instead?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  15. Re:It's a phone. by Anonymous Coward · · Score: 1

    You stored thousands in coins on your phone. YOUR PHONE! Stupid is as stupid does.

    No, he didn't store it on his phone. HIS PHONE!
    It was however his two factor number used for the SMS to verify it was him logging in.
    Let that be a lesson to anyone that thinks using your phone number for two factor is a good idea.

  16. Re:It's a phone. by sg_oneill · · Score: 1

    You stored thousands in coins on your phone. YOUR PHONE! Stupid is as stupid does.

    Before throwing around accusations of stupidity I suggest actually reading the article.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  17. Re:It's a phone. by gravewax · · Score: 1

    That's not what is happening here. People will set up account recovery with their phone used as a relay for a recovery pin. Most likely he has some kind of online wallet linked to it.

    And that is somehow better? If anything that is even worse. At least on a phone you can have encryption, password/PIN protection etc.

  18. Why isn't he suing the wallet site by Anonymous Coward · · Score: 0

    They let an unauthorized person access their system. Ways that could have been avoided: using security questions before allowing a reset, having an extra factor of authentication like an RSA SecurID key or similar device, only allowing password resets from known IPs/domains, two factor SMS with a security question and response on the website with the answer (a merging of two factor and security questions), the list goes on...

  19. Re: It's a phone. by Anonymous Coward · · Score: 0

    It was however his two factor number used for the SMS to verify it was him logging in.

    If this was only his second factor then the hackers couldn't have gotten in.

    But this guy lost control of both factors.

    It sucks to be him, but he has to man up and realize he got screwed by thieves and drop this idiotic suit against T-Mobile.

  20. A simple, effective security precaution by Anonymous Coward · · Score: 0

    Call your wireless carrier. Have them put a security notice on your account that nobody is allowed to change the SIM or port the number without showing up at a retail store, in person, with a photo ID.

    Everyone should do this.

    1. Re:A simple, effective security precaution by darkain · · Score: 1

      From TFS: "The suit alleges T-Mobile is at fault partly because the carrier said it would add a PIN code to Tapang's account prior to the incident, but didn't actually implement it."

      So, yes, in theory it is a great idea... when actually implemented.

    2. Re: A simple, effective security precaution by Anonymous Coward · · Score: 0

      A security notice is different than a PIN.

  21. Mmmmm. Bitcoin and Cellphones... by mark_reh · · Score: 1

    Now there's a match made in heaven! The least secure form of "currency" or "investment" managed via the least secure form of electronic surveillance / communications device.

    Who could have foreseen this sort of problem?

  22. Re:Well sure by Anonymous Coward · · Score: 0

    Buy T Mobile, our phones suck and our prices are high

    T-Mobile has the same Samsung Galaxy S8 and iPhone X as AT&T, Sprint, and Verizon and, with Sprint as the possible exception, has better pricing than the rest. The fuck you talkin' about?

    It's not the phone, it's the network. T-Mobile's network sucks cock. Sure, T-Mobile AT&T Sprint are cheaper than Verizon but you get what you pay for in a big way.

  23. Re: Well sure by Anonymous Coward · · Score: 0

    I guess 80Mbps+ everywhere I use my phone sucks dick?

  24. How does he get around mandatory arbitration? by schwit1 · · Score: 4, Interesting

    T-Mobile isn't going to want this anywhere near a jury.

    1. Re:How does he get around mandatory arbitration? by sizzlinkitty · · Score: 1

      Some states don't allow mandatory arbitration, like California. I'm not sure if Washington does, but it's a possibility.

    2. Re:How does he get around mandatory arbitration? by schwit1 · · Score: 1

      SCOTUS upheld federal law permitting mandatory arbitration, which trumps state law.

      https://www.reuters.com/articl...

    3. Re:How does he get around mandatory arbitration? by Anonymous Coward · · Score: 0

      The state may be willing to ignore SCOTUS precedent and force the federal court to rule on every single case they want to apply it to.

  25. e-mail notification problem by goombah99 · · Score: 1

    This is exactly why I have two e-mail accounts. One for daily use on the phone and one for banking not on the phone. The annoying thing is that makes the banking one hard to check easily. I can't get notifications. And those might be time sensitive.

    I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:e-mail notification problem by Anonymous Coward · · Score: 0

      I wish that banks could figure this out. What they need is to let you provide two e-mail accounts. One for all messages and one for anything that involves authorizing transactions or recovering passwords.

      Or it would be really nice if banks simply allowed for actual authentication, as in of any sort.
      But adding multiple authentication methods instead of forcing you to use insecure email and text messages would be a good start.

      I suspect the trouble is this breaks their system of standardizing on one or two things and enters the realm of "custom" to the point they don't want to deal with the extra work.

      In most cases it's no skin off their back, so why should they care? It costs them money to care, and they lose nothing by not caring.
      This is the root of the problem. Making it easier/cheaper to implement such features would likely cause additional problems on top of what it's attempting to solve, so the only realistic option is to make them lose when they don't care about their customers security. Hold them responsible for that money.

      Of course, even to add real security would need some concessions to be made in their favor.
      If a customer demands a form of authentication to be required, we need to be willing to both not hold the bank responsible when they do exactly that, and also provide them that right in law.

      If for example as a customer you setup an actually secure form of authentication and demanded them to enforce its use, we can't hold the bank responsible for not releasing your funds if you fail to authenticate as agreed or lose your ability to do so.
      Either by explicit laws to allow them to do so, or some other form of legal hackery such as declaring by contract that the account and money in it doesn't legally belong to YOU, but belongs to any individual, and Only individuals, who authenticate correctly with the agreed upon method.

      If you screw up and lose your "keys", you can't complain when the bank doesn't give you your money. We can't have it both ways here.

    2. Re: e-mail notification problem by Anonymous Coward · · Score: 0

      My bank does not have an email address for me. The only phone number they have is a landline that does not have SMS.

  26. cryptocurrency worth thousands of dollars by Anonymous Coward · · Score: 0

    Now hundreds!

  27. Phone customers want poor security by FeelGood314 · · Score: 1

    Do you really think the phone company enjoys your grandmother calling them and saying she lost her phone and then trying to get her new phone working with her old number? That is the typical phone customer. You can't have good security with most people because they have no good way of authenticating themselves. I spent an hour on the phone with Revenue Canada last week, and the first 3 people I spoke to couldn't authenticate themselves; the first thought giving me a number to call them back at was good enough. (My MP is looking into it.)

    T-mobile knew this so they claimed to add a real layer of security, except according to the plaintiff they never followed through in enforcing it.

    As for the price of bitcoin, it is hard to sell OmiseGo tokens for cash but easy to sell them for bitcoin. The thieves stole the OmiseGo, converted them to bitcoin and then sold the bitcoin. That is why the plaintiff is claiming the value of the bitcoin sold.

  28. Re: Well sure by BronsCon · · Score: 1

    Don't worry about that idiot; he hasn't actually looked at T-Mobile in over a decade. Sure, their network used to suck, but so did every other network at some point or another; T-Mo has put more into expanding their network in the last 5 years than the other 3 combined and it's paid off big time.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  29. This explains a lot... by Anonymous Coward · · Score: 0

    Now the text message I got from them last week makes sense.

    "T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure"

    I was suspicious of it and went to their website to see if I could add it myself. I could not. Still being suspicious I called their general customer service line to verify. I figured my phone company wouldn't randomly port out my number to any Tom, Dick, or Harry claiming to be me. There must be some other lapse in their processes for this to be such an issue. At least with the new PIN in place I have some rudimentary form of 2FA to prevent someone trying to port my number without my knowledge.

  30. T-mobile is becoming the best network by Anonymous Coward · · Score: 0

    I don't know where you are but I use T-mobile International (highest tier business plan) and it's dirt cheap relative to competing plans, overall very reliable, and features unlimited data AND unlimited hotspot.

  31. Few more hours by Anonymous Coward · · Score: 0

    Don't worry, a few more hours and bitcoin will be worth zero anyway.

  32. An investment bank is not actually a bank by Anonymous Coward · · Score: 0

    What people think of as a "bank" is a commercial bank.

    An investment bank is not a bank; it is a securities broker and underwriter that represents companies in securities transactions like going public, mergers, selling stock or issuing bonds.

  33. Multifactor authentication is a scam by WaffleMonster · · Score: 1

    People are being misled en masse into believing 2FA exists to protect them and enhance security when the reality is this technology is pushed almost exclusively in public settings as a means to not have to deal with people forgetting their passwords.

    Automated reset facilities effectively result in factor x OR factor y rather than factor x AND factor y. This predictably results in a significant reduction of security in the name of not having to deal with the considerable administrative burden of "I forgot my password".

    Those marketing 2FA as an enhancement to security deserve to be on the receiving end of lawsuits for their deceptions.

    1. Re:Multifactor authentication is a scam by Anonymous Coward · · Score: 0

      2FA is more secure than username/password authentication. Take a break from arguing reality.

    2. Re:Multifactor authentication is a scam by Anonymous Coward · · Score: 0

      You are an idiot. 2FA has nothing to do with what you described.

    3. Re:Multifactor authentication is a scam by WaffleMonster · · Score: 1

      You are an idiot.

      No shit.

      2FA has nothing to do with what you described.

      This should be obvious to all. My comments had absolutely nothing to do with 2FA as an idea or technology.

      They were limited exclusively to IMPLEMENTATION of technology.

      2FA as actually deployed in the majority of public facing environments is provably LESS SECURE than passwords alone.

    4. Re:Multifactor authentication is a scam by WaffleMonster · · Score: 1

      2FA is more secure than username/password authentication. Take a break from arguing reality.

      Had you RTFA you would have found out the second factor (smartphone) was used to bypass having to know the user's password by leveraging the automated password reset facility.

  34. Re:Well sure by Maritz · · Score: 1

    But the important thing is that diverse babies are really important. Anybody that doesn't think diverse babies are really awesome must be Hitler. Buy T Mobile, our phones suck and our prices are high, but diverse babies.

    What is that drivel supposed to mean?

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  35. Steam by Anonymous Coward · · Score: 0

    And Steam keeps telling me to add my phone number so they can send one time codes to whoever steals my phone.

    My PC has more security than my phone. A lot more: the only security my phone has is being in my pocket, and my password is randomly generated, too long to remember without using a password manager (and not one of those web-based password snatchers).

  36. Good luck with that by Anonymous Coward · · Score: 0

    I think most cell phone companies caution against exchanging payment information through insecure means. T Mobile is not your mother. You do stupid stuff, you pay the price.

  37. SIM swap fraud by MoHaG · · Score: 1

    This type of attack is quite common in South Africa, where it is called SIM swap fraud.

    In most cases, a corrupt employee at a store of the network assists criminals to obtain a new SIM for a customer's account. They then use that, with credentials obtained elsewhere (likely phishing), to get into the user's internet banking and transfer money away.

    Using push notifications to an app prevents this. Other things that work are HOTP or TOTP tokens instead.

    1. Re:SIM swap fraud by MoHaG · · Score: 1

      This seems to be a case of a fraudulent port of the number though... Here the subscriber needs to confirm before a port is allowed to take place.

      It also seems to be a password reset token, not a normal 2-factor auth...

      (The main way to deal with that, would likely be to send a code/confirmation link to both the user's email and phone) (Chances that both are compromised is much lower...)

  38. This is why we need identity companies. by BlueCoder · · Score: 2

    The way it should work is that you confirm your identity with an identity provider. Other companies verify with them. Authorization has to be digitally signed by multiple parties. These companies would have specific procedures for recovering identities and would free other companies from having to deal with it. The procedures you agree to with the identity company are binding and chosen by you.

    This is why you have key fobs, which can even be Bluetooth. Unhackable as they only receive and transmit data. Which you should only use like a digital signature. How often would a person use their signature back when people used checks? Don't let web sites force you to use them for signing in or accepting EULAs.

  39. Re:Just call up BitConnect's fraud protection numb by djrosen · · Score: 1

    https://support.coinbase.com/c...
    "If you are a United States resident, your Coinbase USD Wallet is covered by FDIC insurance, up to a maximum of $250,000"

  40. He accepted the risk when he bought bitcoin by Anonymous Coward · · Score: 0

    Shall I sue Target because some pickpocket took the wallet they sold me?

    Put your money in a bank and you'll have some chance at redress if someone steals it.

  41. Re:It's a phone. by avandesande · · Score: 1

    How am I saying this is better? I am just explaining what happened.

    --
    love is just extroverted narcissism
  42. Stop using my phone # as a login credential!!!!!!1 by Anonymous Coward · · Score: 0

    Moral of the story is to keep your personal data private. Nobody did anything wrong here except for the hackers.

    One of the things that annoys the fuck out of me, is that Google keeps asking for my phone number, because they want it to be a backup password recovery thing. That is, if I let Google do what they want to do, then anyone who has my phone number will have total control over my Google account.

    I keep saying no, but they harass me all the time. I have seen other companies (*) do this too. It will eventually get to the point where I either have to stop using their services, or I let them use my phone number as a second way to authenticate my account.

    What this means, is that I can't use my Google account for anything important. I can't use it as a 3rd party login, for example, because that means I would be giving anyone who gets my phone number the ability to perform such third party logins.

    Fortunately, I don't use my Google (or Facebook or Twitter, etc) credentials for logins to other sites, but I know a fuckload of people who DO. And that means that that those people need to make sure that no one ever takes their phone number. It's a thing they should be constantly worrying about and trying to protect. For some reason, I suspect they don't.

    How likely is it that someone would take my phone number? Well, here's the problem: I simply don't know. But since I don't know, I assume it's risky and could happen too easily. I wonder if these other people who do use a service that constantly nags them for phone numbers and also uses it as external authentication to other sites, maybe presume the other way. ("If I don't know, then it's probably fairly safe.") TFA is an anecdote that shows that it can happen.

    Anyway, what I'm really getting at, is that the problems are foreseeable but maybe we all differently assess the risk. I personally think this guy has no legitimate case against T-Mobile, because if taking over his T-Mobile account could cause him to lose control of something important, that means he never should have linked his T-Mobile account to that important resource. If your phone number can be used (e.g. click the link in this SMS) to access something, recover a "lost" password etc, then you already know that you are at risk, therefore no reasonably cautious (**) person would ever do anything like that.

    (*) Another company who does this is Facebook, and they won. I had to give Facebook my phone number in order to have more than one API key, and my employer relies (!?!) on these API keys (called "app id" in Facebook lingo) in spite of the fact that I long ago told them that someone above me in the org (e.g. the owner!) needs to make his own account and be the administrator of the API keys. But, of course, nobody wants to be the person who has a Facebook account, so I was the lucky "winner." Until I'm fired or quit, and then I don't know what they'll do, because I'm deleting my Facebook account the day I stop working here, since to me, Facebook is a "work thing."

    (**) And this is where we have an argument about whether or not something very commonplace is very stupid, or somehow "reasonable" since so many people happen to do it. A thousand lemmings can't be wrong, therefore there should be a law that cliffs may not exist, since they're so irresistible to jump off of.

  43. Re: It's a phone. by Anonymous Coward · · Score: 0

    But this guy lost control of both factors.

    No, he didn't lose control; they used the phone to reset the factors.

  44. Use a burner phone under assumed name? by knorthern+knight · · Score: 1

    If I had that much money backed by a phone number, I'd get a $10/month PAYG (Pay As You Go) phone under an assumed name. Say your name is "Joe Blow". Bad guys know it, and can find the number associated with that name. They know which phone number they have to socially engineer.

    But if you have a burner phone, under the name "Jane Doe", that you use to receive SMS confirmations, that'll be more secure. Obviously, have the phone rooted, and Google/Facebook/etc "cr-apps" removed, and don't give out that phone number to anybody except the service you're securing with it.

    And if the bad guys can find out your "Jane Doe" number from the digital coin company that you use it for, I'd say they've already been pwnd to the max.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user