Many T-Mobile and AT&T subscribers could have been victims of a “SIM swap”

Many T-Mobile and AT&T subscribers could have been victims of a “SIM swap”

2

T-Mobile customers purchasing an Apple iPhone from Apple’s online store have to enter a four-digit PIN number or the last four digits of their social security number if they plan on financing the device (view image at the top of this article). For some reason, the page used to allow an infinite number of attempts to punch in the correct numbers which made the platform vulnerable to brute force attacks. And once a hacker has his hands on a T-Mobile customer’s PIN number, or last four digits of a customer’s social security number, he can request a new SIM card tied to the victim’s T-Mobile account. At that point, not even two-factor authentication would be able to save the T-Mobile subscriber from having accounts connected to a smartphone from getting cleaned out.

In case you were wondering, AT&T, Verizon and Sprint subscribers financing the purchase of a new iPhone from Apple’s online store once had more protection from brute force attacks than T-Mobile subscribers. After five to ten incorrect guesses at the PIN number or last four digits of the social security number, a hacker has just 60 minutes to find the correct digits. A perfect solution? No, but it is better than infinite guesses.

77 million T-Mobile subscribers were exposed due to this vulnerability. AT&T also had a similar issue revealed this week when it was discovered that the website for phone insurer Asurion released PIN codes belonging to AT&T customers. This security flaw could have allowed a hacker to request a new AT&T SIM card, thus giving the thief unlimited access to a victim’s handset.

“Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”-Nicole Miller, spokesperson, Asurion

As it turns out, both Apple and Asurion made the necessary changes to their websites. But it does show that carriers around the world need to make it harder to obtain replacement SIM cards. Additionally, carriers in general must beef up security, including using background checks from legit security firms to check out newly hired employees. Several incidents involving the theft of bank and cryptocurrency accounts were made possible with the help of rogue employees working for wireless providers. These insiders funneled personal account information to the thieves in exchange for cash.

source: BuzzFeed via Phonescoop

Popular stories

Loading Comments…

COMMENT

All comments need to comply with our

Community Guidelines

Phonearena comments rules

A discussion is a place, where people can voice their opinion, no matter if it is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some random thoughts, which are not directly related to the matter.

Things that are NOT allowed:

• Off-topic talk – you must stick to the subject of discussion
• Trolling – see a description
• Flame wars
• Offensive, hate speech – if you want to say something, say it politely
• Spam/Advertisements – these posts are deleted
• Multiple accounts – one person can have only one account
• Impersonations and offensive nicknames – these accounts get banned

Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a post should be moderated – please, report it.

Have a question about the rules or why you have been moderated/limited/banned? Please, contact us.

Join the discussion…