[HN Gopher] T-Mobile Confirms It Was Hacked
       ___________________________________________________________________
        
       T-Mobile Confirms It Was Hacked
        
       Author : jbegley
       Score  : 234 points
       Date   : 2021-08-16 20:18 UTC (2 hours ago)
        
 (HTM) web link (www.vice.com)
        
       | sakopov wrote:
       | Between this and Equifax hacks alone, can we make an assumption
       | that the majority of SSNs out there are tainted?
        
       | rvz wrote:
       | It has been fully admitted. Award this company a colossal fine
       | for getting hacked and having personal user data being leaked
       | over the internet.
       | 
       | But also unfortunately, let the SIM hacking games begin.
        
         | derwiki wrote:
         | Would it be beneficial for T-Mobile customers to switch
         | carriers? Or can nothing be done to avoid being SIM hacked at
         | this point?
        
           | dvdkon wrote:
           | Maybe carriers will finally start taking identity
           | verification seriously. When everyone's name, address and SSN
           | (or equivalent) is leaked, somebody might finally get the
           | idea that they're rubbish secrets.
           | 
            | My name and address are actually public as a self-employed
           | Czech. My date of birth shouldn't be hard to find and plenty
           | of people even publish it (why shouldn't they?), my mother's
           | maiden name might be somewhere too, and I don't even have her
           | as a friend on any social media platform.
           | 
           | I really think it's time to start accepting no less than a
           | unique password, hardware identification key or a physical
           | visit to a location with a forgery-resistant ID card.
        
         | devnulll wrote:
         | Have any companies had significant fines levied? Certainly
         | nothing large enough to change behavior.
         | 
         | The OPM leak remains the most significant overall of which I'm
         | aware. The Experian leak tops my commercial data leak list,
         | although they get bonus points for then selling people their
         | own data protection service(s).
        
       | m-p-3 wrote:
       | Equifax: _rubs hands_
        
       | pengaru wrote:
       | Why does T-Mobile have SSNs of its subscribers?
        
         | t3rabytes wrote:
         | The big US carriers are post-paid and run credit checks on
         | subscribers.
        
           | blacksmith_tb wrote:
           | Not necessarily, I'm on TMO, grandfathered in to an ancient
           | 'unlimited data/100min talk' pre-paid plan (so they have very
           | little on file for me, luckily).
        
           | swiley wrote:
           | It's days like today that I'm very glad I use a prepaid VOIP
           | service that accepts bitcoin.
        
             | gruez wrote:
             | There's even a prepaid e-sim provider that accepts bitcoin:
             | https://silent.link/
        
           | dionidium wrote:
           | Right, but surely they could run your credit and then throw
           | away the data, right? What interest do they have in holding
           | on to it?
        
             | nealyoung wrote:
             | If you stop paying, they want to make a report to the
             | credit agencies.
        
             | social_quotient wrote:
             | Folks haven't learned that this data is a liability and not
             | an asset.
        
         | sorry_outta_gas wrote:
         | credit checks/verification/enforcement for yearly contracts
         | probably
        
         | aaomidi wrote:
         | Credit checks
        
           | nsxwolf wrote:
           | Why do they need to keep them?
        
             | timdev2 wrote:
              | Perhaps so they can report you to the credit rating agencies
             | if you go into arrears.
             | 
             | If that's the case, it would be an incremental improvement
             | if the credit agencies implemented some tokenization
             | scheme, sort of like credit card gateways do.
             | 
             | Not that anyone should trust the credit agencies either,
             | but you'd still be removing unnecessary points of potential
             | compromise.
        
         | kimbernator wrote:
         | All contract-based telecoms (at least in the US, I can't speak
         | to elsewhere) run credit checks against postpaid customers
         | since they typically involve a financial obligation (2 year
         | contract and/or financing the device)
        
           | georgyo wrote:
           | The obvious follow up question, after they ran the credit
           | report, why do they continue to store your SSN.
           | 
           | They are not periodically running credit checks. If they
           | were, then people with active credit monitoring would be
           | notified, even for "soft" checks.
        
             | [deleted]
        
             | belltaco wrote:
             | Maybe to report to collection agencies and credit score
             | bureaus in case of default?
        
       | chrischen wrote:
       | So given that T-Mobile authenticates me with SSN when I call them
       | does this mean they can't do this anymore or it opens me up to
       | SIM hijacking?
        
       | 88840-8855 wrote:
       | The parent company's stock price (Deutsche Telekom) seems not to
       | care at all that this happened. The market seems not to see that
       | data breaches are a risk to business.
        
       | sangd wrote:
       | For the past year, I've been getting random calls and texts from
       | a lot of unknown sources. Many times the callers even spoofed
       | different numbers. And sometimes people call me because they said
       | I called them. I suspect phone user information has been leaking
       | probably in many different ways.
        
         | [deleted]
        
       | sergiomattei wrote:
       | > The data includes social security numbers, phone numbers,
       | names, physical addresses, unique IMEI numbers, and driver
       | license information, the seller said.
       | 
       | Lord, that's an insane amount of data.
        
         | SavantIdiot wrote:
         | Wow, that's a SIM-jacker's paradise of personal data. I haven't
         | had to change a SIM card in a decade, hopefully it is a lot
         | harder now.
        
           | sscotthall wrote:
           | Coincidentally, I heard from a T-mobile reseller that
           | T-mobile is forcing them to reissue new SIM cards to all
           | their customers. Unclear if this is related, but the timing
           | is interesting. This was communicated a few weeks ago, before
           | the breach was publicly known.
        
           | ryanmcbride wrote:
           | It's insanely easy to change sim cards. A few times I've done
           | it they haven't even asked for ID. I even set up a 'port out
           | pin' that requires me to give a 6 digit pin anytime I want to
           | change something about my service or get a new sim card, it's
           | 50/50 whether they actually ask for it or not.
        
         | kgwxd wrote:
         | Over the weekend, I got 2 phishing text messages about 2 bank
         | accounts, at banks I actually use, one of which is a local
         | bank, not a national chain.
         | 
         | One said my main checking account bank access was locked out
         | due to suspicious activity just minutes after I did something I
         | might expect a bank to flag (paying an individual via PayPal
         | and multiple charges at a single gas station). I wasn't in a
         | position to verify it at the time (I don't do bank stuff on my
         | phone, and I certainly wasn't going to click the link), so I
         | switched to using another card while I was out. A few hours
         | later, I got another phishing message about the card I had
          | switched to.
         | 
         | I don't get many phishing attempts on my phone and they've
         | always been for banks or other services I don't even use. I'm
         | really hoping it's just coincidence that I got 2 semi-
         | believable attempts in a row because the alternative is that
         | they're able to see what I'm doing in real-time.
        
       | janvdberg wrote:
       | This tweet explains how they might have gotten in (i.e. unpatched
       | ssh servers)
       | https://twitter.com/damienmiller/status/1427195852011937797?...
        
         | tyingq wrote:
         | From the picture:
         | https://pbs.twimg.com/media/E848JkGUUAIhIq5?format=jpg&name=...
         | 
          | _"Audit Flags: NO_PCI NO_SOX"_
         | 
         | Ouch.
         | 
          | Also, _"IBM 9117-MMD"_ would be a POWER7+ server that was EOL
         | in December of 2020.
        
       | barbarthjdj wrote:
       | If I believe my data (SSN, name, address) has been breached, what
       | should I do? How should I prevent identity theft?
        
       | dang wrote:
       | Recent and related:
       | 
       |  _T-Mobile investigating claims of 100M customer data breach_ -
       | https://news.ycombinator.com/item?id=28192423 - Aug 2021 (183
       | comments)
        
       | [deleted]
        
       | hamburgerwah wrote:
       | This should result in the corporate death penalty but won't so
       | will keep happening. If you zeroed out all of the investors this
       | type of mass compromise would immediately cease.
       | 
       | As long as -- cost of compromise < cost of security -- on and on
       | this will go.
        
         | chrisbolt wrote:
         | Just because the problem is that cost of compromise < cost of
         | security, the solution is not to raise the cost of compromise
         | to infinity. That's treating it in a very black and white,
         | binary way. It also increases the incentive to spend more on
         | covering up any compromise.
        
         | [deleted]
        
         | gruez wrote:
         | I agree with the principle of raising the cost of compromise,
         | but disagree with your proposal of raising it to infinity
         | (which is effectively what happens when you wipe out the
         | shareholders). Getting hacked sucks, but surely consumers
         | aren't experiencing _infinite_ losses when that happens?
        
           | dave5104 wrote:
           | Feels like a better idea might be legally forcing some top X
           | levels of management out as a form of corporate death,
           | invalidating any golden parachutes on the way out too.
        
         | [deleted]
        
         | refurb wrote:
         | Couple that with making engineers liable for what they build.
         | Just like we do with physical engineering - build something
         | that knowingly harms people? Get sued.
        
         | bpodgursky wrote:
         | Executing one of the few large US mobile providers will do
         | nothing except raise prices by eliminating even the marginal
         | remaining competition.
        
         | notJim wrote:
         | I'm curious for folks who like solutions like this, have you
         | ever had a vulnerability in production? I would be shocked if
         | most software engineers haven't had at least one outdated
         | package, or one line of poorly-escaped javascript or similar at
         | some point. It seems like luck (and maybe being a poor target)
         | that these things are usually found before they are exploited.
         | Should the companies we all work for cease to exist?
         | 
         | I agree broadly with regulations designed to raise the cost of
         | security flaws and so on, but I feel like there's this
         | expectation that if we make the punishment extreme enough,
         | people will begin writing perfect software and operating
         | perfect servers, and I just don't buy it. It seems sort of like
         | saying if someone causes a production issue or accidentally
         | leaks a database, they should be summarily fired. More likely
         | it was a mistake, and we should understand why it happened so
         | we can prevent it in the future.
        
           | amelius wrote:
           | Being a large company, they should at least demonstrate that
           | they took appropriate measures. E.g. show the reports written
           | by the pen-testers they hired.
        
           | koolba wrote:
            | If your billion-dollar company's application architecture
           | is such that any one compromised system leaks the entirety of
           | your customer data then you're definitely doing it wrong.
           | It's not just a matter of one compromised package being able
           | to wreak havoc, it's the scale and blast radius of the havoc.
        
           | koheripbal wrote:
           | It's just victim blaming and anti-corporation rhetoric.
           | 
           | No one over 30 takes this position seriously.
        
             | vlovich123 wrote:
             | I don't know. I'm over 30 & I think the punishments aren't
             | severe enough for repeat offenders (maybe T-Mobile falls
             | here?) or in the face of egregious violations of best
             | practices & incompetence (Equifax). I think firing the
             | board of directors & instantly selling off the shares of
             | the majority stock holders on the open market might be
             | better measures, but it requires the government bringing
             | lawsuits & that's not popular in the US anymore.
        
         | mdoms wrote:
         | > If you zeroed out all of the investors this type of mass
         | compromise would immediately cease.
         | 
         | It absolutely would not. Yes we would see greater investment in
         | cyber security and it would pay dividends, but the idea that we
         | can totally eliminate data breaches if we just try really super
         | hard is unrealistic.
        
           | Teever wrote:
           | This is absurd. There is a simple way to eliminate data
           | breaches -- Don't keep data. Humans have been conducting
           | businesses for thousands of years without the need to hoard
           | large quantities of personal data.
           | 
           | If there was sufficient regulatory force to induce companies
           | to make the choice between not hoarding data or not existing
           | then I'm sure that business would carry on as it has for
           | millennia.
        
         | yzmtf2008 wrote:
         | This doesn't make any sense. Capital punishment has existed
         | since forever - yet the fact that they are still carried out
         | means that they are not stopping all of the crimes punishable
         | by death.
        
           | dstick wrote:
           | It does make sense. You're confusing corporate liability with
           | personal liability. The parent's point is that if the
            | investors / shareholders were responsible, stuff like
           | this would be severely reduced because resources would be
           | allocated to prevent it. Right now, the only damage is a
           | financial one. And as long as the damage is lower than the
           | cost of prevention, hacks like this will continue to happen.
        
             | ghayes wrote:
             | So isn't the solution here to up the penalties,
             | specifically with codified minimums ($X per leaked phone
             | number, $Y for leaked SSN, etc)? The corporate death
             | penalty would end up hurting the consumers significantly
             | more than this method, which would primarily hurt the
             | share/debt-holders, which is the intent. Corporate
             | dissolution seems like a concern when fraud or malfeasance
             | is specifically involved.
             | 
             | For context, I'm very likely in this breach, but it
             | wouldn't make me any happier to hear T-Mobile was shut-down
             | tomorrow.
        
           | Zelphyr wrote:
           | A lot of people fear losing their money more than they fear
           | death. I think corporate capital punishment, in theory, could
           | work. The other side of that coin, however, is the number of
           | people put out of work if that were to happen.
           | 
           | Either way, there needs to be far stiffer penalties levied
           | against companies who don't secure their systems better and
           | lose sensitive customer data.
        
         | cortesoft wrote:
         | If any compromise wipes out a company automatically, you
         | suddenly increase the incentive to hack a company by a huge
         | amount. That doesn't seem like a good way to increase security.
        
           | gruez wrote:
           | 1. short company
           | 
           | 2. hire cyber-mercenaries to hack company
           | 
           | 3. ???
           | 
           | 4. profit
        
       | polka_haunts_us wrote:
       | I had 5 spam calls this morning from various suspicious phone
       | numbers, including one from Europe. That's more than I've gotten
       | since I first got this phone number _total_.
       | 
       | I guess it's unreasonable to expect the good times to last like
       | that but man, I'm still deeply unhappy with T-Mobile right now.
        
         | S_A_P wrote:
          | Don't feel bad- I'm on AT&T and I've noticed a HUGE uptick in
         | spam sms messages. Pretty sure my number was leaked in some
         | breach.
        
           | gruez wrote:
           | >Pretty sure my number was leaked in some breach.
           | 
           | Why do spammers need leaked phone numbers? Can't they just
           | call/message every number?
        
             | easrng wrote:
             | They can and do, but it's cheaper if they have a list so
             | they can just text numbers they know get SMS.
        
             | pininja wrote:
             | Calling, while cheap, isn't free or infinitely fast. They'd
             | likely pay for knowing "active" or "lucrative" numbers.
             | 
             | Jim Browning videos are a fantastic resource to learn more
             | about the inner workings of scams
             | https://youtube.com/c/JimBrowning
        
               | yuy910616 wrote:
               | Calling isn't zero cost, and that spammer time isn't zero
                | cost, so in this case, there is an incentive from the
                | spammer to weed out people who cost the most.
               | 
               | So isn't the popular idea that you should NOT answer spam
               | calls wrong? Logically, you should answer every spam call
               | and try to get them to stay on the line for as long as
               | possible, therefore maximizing their cost.
               | 
               | This is assuming they have some CMS software on the
               | backend that allows them to categorize numbers.
        
               | Nzen wrote:
                | There are systems to waste telemarketer time, e.g. Lenny
               | troll [0] (which acts like a senile person). While I used
               | to answer in bad faith, I stopped given the realization
               | that I am hurting people of lower economic standing more
               | than the company that employs them.
               | 
               | [0] https://lennytroll.com/about.php
               | 
               | On the tangential topic of war dialing (calling every
               | number as an exploration) I recommend checking this
               | discussion https://news.ycombinator.com/item?id=27602383
        
               | gruez wrote:
               | >Logically, you should answer every spam call and try to
               | get them to stay on the line for as long as possible,
               | therefore maximizing their cost.
               | 
               | You also have to factor in your costs as well. I checked
               | a random VOIP service and they charge a penny per minute,
               | or $0.60 per hour. The federal minimum wage is an order
               | of magnitude higher at $7.25/hour. Therefore it's more
               | expensive for you to stay on the line to mess with them.
        
           | bbarnett wrote:
           | Or leaked once, when your phone number appeared on a phone,
           | with an evil app installed.
        
           | judge2020 wrote:
           | For what it's worth I've continued to report these to both
           | AT&T[0] and Safe Browsing[1].
           | 
            | 0: https://www.att.com/support/article/my-account/KM1051831/#:~....
           | 
           | 1:
           | https://safebrowsing.google.com/safebrowsing/report_general/
        
           | dwighttk wrote:
           | I kinda wish Apple would let me mark voicemail as spam. They
           | wouldn't even really need to do anything with that info. Just
           | delete the voicemail and maybe keep track of the number and
           | if I mark the same number three times then block it.
           | 
           | I know I can block a caller, but I don't know enough about
           | how these scams work to know if blocking a number slows them
           | down at all.
           | 
           | I just don't let my phone ring ever so I don't deal with too
           | much of the spam. Every once in a while I open the phone app
           | and see I have like 15 new voicemails. I'm guessing I do that
           | once a month so they are just calling every other day.
        
         | ASalazarMX wrote:
         | The amount of unwanted calls has skyrocketed this last year. I
         | was forced to automatically reject calls that weren't in my
         | contacts. Anyone important already can email or message me.
         | 
         | Big email providers are very good at filtering spam, so if
          | enough people block calls, the only spam venue left would be
         | instant messaging.
        
           | heisenbugtastic wrote:
           | Set my voice mail message to a modem carrier tone. Does not
           | help too much with the spam calls, but no political calls
           | anymore.
        
           | yuy910616 wrote:
           | I've actually been answering each spam call - and try to get
           | them to stay on the line for as long as possible.
           | 
           | My assumption is that they have some sort of CMS software and
           | that it costs money to call. If you don't answer - they'll
           | keep trying you. But if you do answer and costs them money -
           | they'll put you in the 'do not call' list.
           | 
           | Just my guess - but so far it has worked for me personally.
        
             | ASalazarMX wrote:
             | It's a good strategy. They feed the autodialer with a list
             | of phones, and when it hears human voice, it transfers the
             | call to an operator. If you didn't answer it will call you
             | several more times. If you answered but didn't speak, it
             | will (probably) not insist for that day.
             | 
             | My record is a call of around 14 hours. The autodialer
             | called me after 10:00pm (supposedly illegal here), and
             | there were no operators to take the call. I left my phone
             | charging with the call active, and went to sleep, since the
             | caller pays the call. Kept the call until I needed to go
             | out, and I like to think that even if the call wasn't
             | expensive because it was bulk price, maybe having a line
             | busy helped slow down spam for others.
             | 
             | I don't do that anymore because spam calls have multiplied,
             | it would mean answering more spam than I'd like.
        
             | mwint wrote:
             | I can confirm answering calls and using as much of their
             | time as possible totally works. I've been doing this for a
             | year or more now; I get excited when a spammer calls me
             | now. It's about a monthly affair.
             | 
             | I have a bookmark for https://www.getcreditcardnumbers.com/
             | - I happily give them all the credit card numbers they want
             | (the ones from that site pass the checksum, but of course
                | aren't valid in combination with a made-up expiry and CVC).
             | 
             | After a couple card numbers fail, they cuss me out,
             | sometimes threaten my life, and never call again.
             | 
             | My theory is they get flagged by their payment processor if
             | they submit many bogus credit card numbers.
             | 
             | It's about a 10-minute investment once a month. Less time
             | than I used to spend answering and hanging up on spam
             | calls.
        
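What "pass the checksum" means in the comment above: payment card numbers carry a Luhn (mod 10) check digit, which catches typos, not fraud. The following is an added illustration of that algorithm, not code from the thread or from the site linked above; the numbers in it are the widely published dummy test values, not live accounts.

```python
"""Luhn (mod 10) check digit, as used on payment card numbers.

Added illustration for this thread.  A number that passes Luhn is merely
well-formed: the check only detects single-digit typos and most adjacent
transpositions.  Whether the account exists is decided by the issuer when
the processor authorizes the charge, which is why made-up numbers fail
there even though they pass here.
"""


def _digits(number: str) -> list[int]:
    """Keep only the digits, so '4111 1111 1111 1111' and the dense form agree."""
    return [int(c) for c in number if c.isdigit()]


def luhn_valid(number: str) -> bool:
    """True if the full number (including its rightmost check digit) passes Luhn."""
    digits = _digits(number)
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right.  Every second digit (starting with the one left of
    # the check digit) is doubled; doubled values above 9 have 9 subtracted.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that, appended to `partial`, makes the whole number Luhn-valid."""
    digits = _digits(partial)
    total = 0
    # With the check digit appended, today's rightmost digit becomes the first
    # doubled position, so here the EVEN offsets from the right are doubled.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_complete(partial: str) -> str:
    """Return `partial` with its Luhn check digit appended."""
    return partial + str(luhn_check_digit(partial))


def valid_completions(partial: str) -> list[str]:
    """All single-digit completions of `partial` that pass Luhn (always exactly one)."""
    return [partial + str(d) for d in range(10) if luhn_valid(partial + str(d))]


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known dummy test number, not a live card.
    print(luhn_valid("4111 1111 1111 1111"))          # True
    print(luhn_valid("4111 1111 1111 1112"))          # False: one digit off
    print(luhn_complete("411111111111111"))           # 4111111111111111
    print(valid_completions("411111111111111"))       # exactly one candidate
```

Because exactly one of the ten possible check digits works for any prefix, generating "checksum-valid" numbers is trivial; the check exists to reject mistyped numbers before a network round trip, not to prove that an account exists.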
               | ASalazarMX wrote:
               | This is brilliant. I don't know what a pissed off spammer
                | with who knows how much of your info could do, though.
               | The last time I made one angry for wasting her time, I
               | received even more calls from other spammers.
        
           | nerdponx wrote:
            | I would love to run SpamAssassin (at least the Bayesian text
            | analysis part) on SMS/IMs. I suspect it would do pretty well.
           | 
           | Is there a way to tell if a phone number is from a VoIP
           | service? It'd be great if I could just block those wholesale,
           | as well as any text message that's sent from an email
           | address.
        
             | mwint wrote:
             | Having worked in products using VoIP stuff, you'll hit
             | issues with 2FA requests from some apps. The big names have
             | their own shortcodes, but many smaller apps use a generic
             | VoIP number from Twilio or similar.
        
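The Bayesian text analysis wished for above is a small thing to build for SMS. Below is an added example of a naive Bayes SMS classifier in the spirit of SpamAssassin's Bayes module; it is not SpamAssassin code and not from anyone in the thread, and every training and test message in it is a constructed sample, not real traffic.

```python
"""Tiny naive Bayes SMS spam filter (added illustration, not SpamAssassin).

Tokens are scored by how often they appear in spam versus ham training
messages, with Laplace smoothing so an unseen combination never yields a
zero probability.  Absent tokens are ignored (a common simplification of
the Bernoulli model), and the log-odds are converted back to a probability
at the end.  All messages below are constructed samples.
"""
import math
import re
from collections import Counter

# Keep $ and % as token characters: "$500" and "100%" are informative.
TOKEN_RE = re.compile(r"[a-z0-9$%]+")


def tokenize(text: str) -> list[str]:
    return TOKEN_RE.findall(text.lower())


# Constructed training set (not real messages, not real URLs).
SPAM = [
    "Your account has been locked due to suspicious activity. Verify now: http://example.test/unlock",
    "Congratulations! You won a $500 gift card. Claim here http://example.test/win",
    "Final notice: your vehicle warranty is about to expire. Call now to renew",
    "Your package could not be delivered. Update your address at http://example.test/track",
    "URGENT: unusual sign-in detected. Confirm your identity http://example.test/secure",
]
HAM = [
    "Running 10 min late, order me a coffee?",
    "Can you send the slides for tomorrow's meeting",
    "Dinner at 7 still good? I'll bring the salad",
    "Dentist appointment moved to Thursday at 3",
    "Thanks for the ride yesterday, owe you one",
]


class NaiveBayesSms:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha              # Laplace smoothing constant
        self.spam_counts = Counter()    # token -> number of spam messages containing it
        self.ham_counts = Counter()
        self.n_spam = 0
        self.n_ham = 0
        self.vocab: set[str] = set()

    def train(self, spam: list[str], ham: list[str]) -> None:
        for m in spam:
            self.spam_counts.update(set(tokenize(m)))  # presence per message, not frequency
            self.n_spam += 1
        for m in ham:
            self.ham_counts.update(set(tokenize(m)))
            self.n_ham += 1
        self.vocab = set(self.spam_counts) | set(self.ham_counts)

    def _log_likelihood(self, counts: Counter, n_msgs: int, tokens: set[str]) -> float:
        # P(token present | class) with Laplace smoothing: (c + a) / (n + 2a)
        return sum(
            math.log((counts[t] + self.alpha) / (n_msgs + 2 * self.alpha)) for t in tokens
        )

    def spam_probability(self, text: str) -> float:
        tokens = set(tokenize(text)) & self.vocab  # never-seen tokens carry no evidence
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total) + self._log_likelihood(
            self.spam_counts, self.n_spam, tokens)
        log_ham = math.log(self.n_ham / total) + self._log_likelihood(
            self.ham_counts, self.n_ham, tokens)
        # P(spam) = e^ls / (e^ls + e^lh), computed via the log-odds to avoid underflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


def build_classifier() -> NaiveBayesSms:
    clf = NaiveBayesSms()
    clf.train(SPAM, HAM)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for msg in [
        "Your bank account has been locked, verify your identity now http://example.test/x",
        "Lunch at 12? bring the slides",
    ]:
        print(f"{clf.spam_probability(msg):.3f}  {msg}")
```

With ten training messages this is only a toy, but the shape is the real one: the phishing text in the earlier comment ("account locked due to suspicious activity" plus a link) is exactly the token pattern that scores high, while a plain-language message shares almost no vocabulary with the spam class. A deployable version needs a much larger corpus and per-user training, which is what SpamAssassin's Bayes module does for mail.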
         | aaaaaaaaaaab wrote:
         | Is this a US thing? I've never received unsolicited spam calls
         | here in Europe...
        
           | ASalazarMX wrote:
           | Mexico too. Before the pandemic I had a few spam calls a
           | month, but now there were days when I received 20-50 from a
           | misconfigured call center automatic caller.
           | 
           | It forced me to silence all calls from strangers. We have
           | laws and a system to block and report spam callers, but it
           | seems they don't work anymore.
        
           | stordoff wrote:
           | I get spam texts fairly often in the UK, and I almost never
           | give out my number, so no idea where they come from.
           | 
           | I also occasionally get calls from unknown numbers, which I
           | don't answer, but if I look them up are usually associated
           | with spam calls. My grandmother also gets them fairly often
           | on her landline, usually of the "there is a problem with your
           | computer" scam variety, but sometimes trying to sell her
           | insurance for a random appliance.
        
             | g_p wrote:
             | Fingers crossed, but I've not really had any spam issues on
             | a few UK numbers.
             | 
             | I have even been quite generous in giving out one (i.e.
             | using for any online stores that insist on a phone number),
             | and I've yet to really have any unsolicited call that I can
             | think of.
             | 
             | Phone numbers do get recycled by operators, so there's
             | definitely some luck - I've seen some issues with landline
             | numbers, specifically people trying to trace former users
             | of the number. I imagine if you get "unlucky", you might
             | really have little option beyond call blocking or trying to
             | get a new number.
             | 
             | I did find it interesting that, at least for N=1, giving
             | out your number fairly freely, including when you shop
             | online (but not opting in to marketing etc) didn't seem to
             | result in any issues, even after 8 years or so.
        
           | njovin wrote:
           | Yes, it's pervasive. I get 4-5 calls per day, most of them
           | scams trying to sell auto warranties or cheap vacations. All
           | of them spoof the caller ID of the caller so it looks like
            | somebody from my area. We have a national do-not-call list, but
            | it's a joke: it only holds legitimate businesses accountable.
           | There's almost no enforcement for these fly-by-night
           | companies.
           | 
           | There are initiatives in the works to prevent this behavior
           | but they keep getting delayed, presumably because the telcos
           | will have to do some work that doesn't fill their pockets so
           | they're dragging their feet.
        
           | skissane wrote:
           | I get them frequently in Australia. Calls claiming (but
           | likely faked with VoIP) to come from various places overseas,
           | and from within Australia. I get a few different types:
           | 
           | a) Recently it has been computer voices leaving me voicemails
           | claiming I've ordered thousands of dollars of stuff on
           | Amazon, and I need to call some number to cancel the order
           | 
           | b) I got one guy claiming to be from a major ISP and saying
           | my Internet was broken and he needed to help me fix it. I
           | knew it was nonsense because I don't even use that particular
           | ISP
           | 
           | c) Recorded messages claiming the Australian government is
           | going to prosecute me for tax evasion, and if I just wait for
           | the call centre operator to come online, they'll fix the
           | matter for me by accepting payment of unpaid taxes
           | 
           | I think they are just dialling random numbers, looking for
           | easily-tricked people.
        
           | brnt wrote:
           | Got it in France too all the time. Never in Switzerland or
           | the Netherlands though.
        
             | BrandoElFollito wrote:
             | I got maybe two calls in France in the last 10 years, from
              | companies I am with (but still unsolicited)
        
         | paulddraper wrote:
         | I've gotten lots of scam calls over the past 12 months, and
         | lots more over the last 30 days.
        
         | dheera wrote:
         | I get about 10+ spam calls a day, I just block all calls except
         | for a couple of whitelisted numbers, and forward the rest to
         | something that plays a hold song endlessly.
        
           | capitainenemo wrote:
           | Sometimes I get calls from people I forget to whitelist or
           | who might actually be important (workmen for example). So, I
           | have my default phone ringtone set to a 0.1s, 200 byte mp3 of
           | silence. Anyone in my address book gets my standard address
           | book ringtone. Then I just check the emails of the voicemails
           | once a day.
        
           | ARandomerDude wrote:
           | In before a 20yo culture warrior says "allowlist."
        
         | samstave wrote:
         | I get numbers from EU as well -- and I get some at ~3AM PST as
         | well...
        
         | abawany wrote:
         | Google Voice (GV) and Voip.ms have fairly sophisticated
         | screening that tends to get the 'vehicle warranty' bots to hang
         | up quickly. I wish our phone carriers offered such methods to
         | ensure that their 'services' remain relevant in an increasingly
         | spammy world. Edit: for GV, you will need to enable screening
         | by going to https://voice.google.com/u/0/settings and setting
         | "Screen calls"; for Voip.ms, you will need to set up an IVR so
         | that callers have to enter a code before they are allowed
         | through.
        
           | rPlayer6554 wrote:
           | The Google Pixel has this built in as well.
        
           | saxonww wrote:
           | I'm on Google Fi and get car warranty calls all the time.
           | 
           | The only technique that works is to not answer the phone
           | unless it's from a known contact. Most spam stuff won't leave
           | a message, or it will be a consistent ~4 seconds of silence.
           | Fi (or Android? IDK) has a call-screening function; 9/10
           | times, if I send a call to it, they will hang up before the
           | automated preamble finishes.
        
             | samstave wrote:
             | I think we need an automated Invoice Filing System for
             | "warranty calls" billed directly to the auto companies.
             | 
             | In addition to the Hilton and Marriott Hotel Chains for
             | their "You recently stayed at the [Hotel]" calls...
             | 
             | I was an elite member at Marriott for years, and I am
             | convinced that my numbers were released in their breaches.
        
             | brandonhorst wrote:
             | Google Fi and Google Voice are not the same thing - Fi has
             | no such built-in protection.
        
           | [deleted]
        
           | samstave wrote:
           | I get MANY GV spam calls
           | 
           | https://i.imgur.com/jKEA3Tw.png
           | 
           | I NEVER use my GV number... I just don't know how they get my
           | number to begin with....
           | 
           | But the numbers that are super spam are all the ones with ~4
           | second VM.
           | 
           | I keep hearing from this weird New Jersey Jewish Accent where
           | he tells me "I am under attack for someone who is causing my
           | pain and attempting to steal money from me and if I pray and
           | send him money he will take care of this attack against me"
           | 
           | This spam call is really good at avoiding number blocking -
           | and I get ~2 calls per month from this recording... (The
           | accent is like if Mel Blanc attempted to do an over-the-top
           | Jewish accent... it's really over the top. I recommend
           | everyone listen to it and picture "The Producers" with Mel
           | Blanc singing it...)
           | 
           | I actually listen to it every few months or so because of how
           | comical the message is.
        
             | abawany wrote:
             | Consider enabling screening in GV settings
             | https://voice.google.com/u/0/settings .
        
             | r00fus wrote:
             | I use GV and call-screening. Much less spam. Callers hate
             | it, but it's kinda like a verbal captcha.
             | 
             | Oh and my cell phone area code is different than the local
             | area code - so I ignore all calls from my (xxx) - xxx range
             | regardless.
             | 
             | My family/friends have my direct#.
        
               | abawany wrote:
               | BTW, you can go into 'Legacy GV' interface and into
               | Groups to whitelist contact groups (e.g. 'All Contacts')
               | who will get straight to you without this screening.
        
             | sosborn wrote:
             | > I just don't know how they get my number to begin
             | with....
             | 
             | They don't need to get it. They can just take random
             | guesses with valid area/country codes.
        
           | dopamean wrote:
           | I've been using google voice for 7+ years and I get a TON of
           | those vehicle warranty calls. At least one almost every day.
        
             | abawany wrote:
             | You need to enable screening by going to
             | https://voice.google.com/u/0/settings .
        
       | criticaltinker wrote:
       | _> The seller told Motherboard that 100 million people had their
       | data compromised in the breach. In the forum post, they were
       | offering data on 30 million people for 6 bitcoin, or around
       | $270,000._
       | 
       | Is it possible that one day the market for SSNs and other private
       | data will become so saturated that exfiltrating such data becomes
       | unprofitable?
       | 
       | On a slightly more serious note, is anyone aware of a compilation
       | of prices paid for such data? I'm imagining something like a
       | Consumer Price Index [1], but for stolen private data. Maybe far
       | in the dystopian future inflation will make life harder for
       | hackers.
       | 
       | [1] https://www.bls.gov/cpi/
        
         | throwawayboise wrote:
         | I can't imagine that it already isn't.
         | 
         | SSNs were never secret until fairly recently.
         | 
         | I guess an up-to-date cross-reference of SSNs and current
         | active accounts of other types might always have some value to
         | certain buyers.
        
         | Overton-Window wrote:
         | Not your keys, not your data. These compromises only strengthen
         | the argument for decentralisation and pseudonyms.
        
         | 73r7fudhdjduru wrote:
         | Considering almost 1/3 illegal immigrants use stolen identity
         | information and the Democrats aren't eager to fix the border,
         | since children of illegal immigrants slant blue, this seems
         | unlikely barring another situation where the Republicans
         | control the House, Senate, and Presidency (and don't screw the
         | time away arguing amongst themselves).
        
         | fingerlocks wrote:
         | T-mobile has roughly 105 million subscribers, as per cursory
         | Google search. So that's everyone?
        
         | 8ytecoder wrote:
         | If all the leaks accumulate we'll just have one giant global
         | lookup table with SSNs, names and addresses.
        
         | vngzs wrote:
         | From Flashpoint's analysis [0], in 2019 a SSN is $5.
         | 
         | [0]: https://go.flashpoint-intel.com/docs/pricing-analysis-of-
         | goo...
        
           | criticaltinker wrote:
           | Very informative, thanks for sharing.
           | 
           | Here are a couple excerpts I found interesting:
           | 
           |  _> FULLZ: Slang for a full package of personal information
           | connected to an individual, fullz provide enough information
           | for a criminal to steal and profit from a victim's identity.
           | Fullz generally include the victim's name, Social Security
           | number, date of birth, account numbers, and more._
           | 
           | > REPRESENTATIVE SAMPLE OF 2019 FULLZ PRICING IN USD
           | 
           |  _> 2018 credit card and fullz from service industry $10 _
           | 
           | _> Cashing out bank accounts and fullz empty it $4 _
           | 
           | _> EU /Asia/UK credit cards / fullz $860 _
           | 
           | _> $20,000 bank loan cashout using fullz $30 _
           | 
           | _> Fullz SSN - DoB $5 _
           | 
           | > REPRESENTATIVE SAMPLE OF 2019 IDENTIFICATION DOCUMENTS AND
           | PRICES IN USD
           | 
           |  _> U.S. passport PSD template $18 _
           | 
           | _> Driver's license template, passport, certificates $1,000 _
           | 
           | _> UK driving license, passport pack, PSD photo $3-$26 _
           | 
           | _> Australian passport PSD template $18 _
           | 
           | _> Canadian passport PSD template $26-$46 _
           | 
           | _> France passport PSD template $45 _
           | 
           | _> Germany passport PSD template $46 _
           | 
           | _> Netherlands passport PSD template $50 _
           | 
           | _> Spain passport PSD template $45 _
           | 
           | _> Sweden passport PSD template $5 _
           | 
           | _> Turkey passport PSD template (fully editable) $45 _
        
         | whoomp12342 wrote:
         | no, because people who get compromised will eventually put in
         | place anti-fraud measures, effectively making stale data have a
         | halflife and at the same time creating new targets
        
         | twistiti wrote:
         | You can get a rough idea using the
         | https://www.privacyaffairs.com/dark-web-price-index-2021/
         | report.
         | 
         | A valid US social security number is estimated at $2, a USA
         | selfie holding an ID is estimated at $100.
        
           | SkyMarshal wrote:
           | Note to self, never take a selfie while holding my ID,
           | negotiate some other means of remote identity verification.
        
         | onion2k wrote:
         | _Is it possible that one day the market for SSNs and other
         | private data will become so saturated that exfiltrating such
         | data becomes unprofitable?_
         | 
         | The revenue isn't 6 BTC. It's 6 BTC * however many people are
         | willing to buy at that price. More suppliers would surely drive
         | the price down, but at this point there are probably tens of
         | thousands of people who'd buy if the data was cheaper, so it'll
         | remain profitable for a _long_ time.
        
           | paulddraper wrote:
           | True. Increased supply offset by increased demand.
        
           | trimbo wrote:
           | If there's a large enough market, why doesn't someone buy it
           | and then undercut the original seller by selling it for 3
           | BTC? Or 1? (Or maybe they do?)
        
             | bbarnett wrote:
             | There will be a licensing agreement, of course.
             | 
             | (Napoleon Dynamite 'Gawd!')
        
             | [deleted]
        
             | vngzs wrote:
             | The price goes down as a target is in more breaches. If
             | your SSN is previously leaked, it's worth less.
        
         | martinald wrote:
         | That's one way of looking at it, the other is that the
         | financial system itself begins to fail under the volume and
         | price of fraud.
         | 
         | Ransomware ransoms have increased massively. They were often a
         | few thousand dollars only a few years ago; now we often hear
         | about $50m+.
         | 
         | On the smaller scale, SMS/email phishing has got absolutely
         | enormous in volume too. Banks and credit card providers are
         | refunding 100s of millions (if not more) in fraud, in what is
         | actually a very low-margin business (retail banking). It
         | genuinely could threaten the ability of banks to continue
         | operating retail banking services if it continues to almost
         | exponentially grow.
        
           | rlpb wrote:
           | > It genuinely could threaten the ability of banks to
           | continue operating retail banking services if it continues to
           | almost exponentially grow.
           | 
           | Preventing this kind of fraud is a solved problem. The reason
           | it still happens is that banks are forced, through
           | competition, to minimise "identity proving" burden for
           | consumers, in a "get credit now with instant approval!" kind
           | of way.
           | 
           | At the moment we're stuck in a "marketing armageddon" of
           | banks competing with each other by not properly verifying
           | identity before granting credit or transferring away money.
           | This seems to me like a Tragedy of the Commons.
           | 
           | If, across the board, people were required to prove their
           | identity properly before banks rely on them, then the problem
           | would go away overnight. It'd be a bit more tedious for
           | consumers, but I don't see how that would cause banks to
           | fail. The cost would merely move from fraud to identity
           | verification.
           | 
           | Perhaps some people wouldn't be sold credit that they can't
           | afford, but I don't buy that such people are keeping the
           | banks afloat. Before banks stop operating retail banking
           | services, I'm sure they'll just start actually verifying
           | identity properly to keep that market.
        
             | 8ytecoder wrote:
             | Doing that has "economic costs" too. I have seen both
             | models. In the US, you can walk in to a dealer and walk out
             | with a car. Elsewhere, you usually get your preapproval
             | before you start car shopping. Then usually you have to go
             | to the bank to close the paperwork and get the car in a few
             | days to a week. It's for the best in general. But it'll
             | make people make more informed decisions and that'll reduce
             | the spending.
             | 
             | And proper identity verification - like looking at the
             | document in person - also has downsides. It still can be
             | forged. Just a little harder than what we have. (Other
             | countries with mandatory physical KYC and a wet signature
             | still have fraud issues)
             | 
             | Overall I think it's a lot of added cost and inconvenience
             | for a slightly better benefit.
        
             | hn_throwaway_99 wrote:
             | As someone in the banking industry, this is the "right"
             | answer. When I got started in banking I was pretty shocked
             | about how easy it was to "authenticate" yourself to open a
             | bank account. For example, this breach has pretty much all
             | the things needed to open an account in someone else's
             | name: Name, SSN, DoB, Address. That's pretty much all the
             | KYC services use for validating an account application.
             | 
             | There are, of course, easily added forms of additional
             | verification - for example, Stripe just added their
             | Identity service which lets you take a picture of your
             | driver's license and then match the image against a selfie.
             | But that puts "friction" in front of the application
             | process, so most banks don't do something like this unless
             | other signals make them think the application has a high
             | fraud risk.
             | 
             | If basically everyone's Name, SSN, DoB and Address is
             | easily viewable public info, this will all change.
        
           | toast0 wrote:
           | The US system of credit reporting and associated ease of
           | establishing credit is like super convenient. But it's
           | largely based on trust. There isn't a whole lot of identity
           | verification, and there are a lot of parties in the system
           | that take identifying information at face value and run with
           | it.
           | 
           | This is nice when it's actually you, but it's a giant PITA to
           | unravel when it's not. My spouse's name and SSN were used to
           | rent an apartment in Oakland, as well as attempts to open
           | credit cards at the apartment address (thankfully they tried
           | to open an account at Amex but she already had one there and
           | they called to confirm; at least one issuer said they were
           | likely to approve). We were able to get all the credit
           | applications denied/cancelled, but the rental lease is
           | harder; the leasing office says they can't do anything
           | without a criminal complaint and Oakland PD won't talk to us.
        
           | nerdponx wrote:
           | Good! Maybe then the government will actually start to care
           | once the lobbyists start to ask for help.
           | 
           | The downside is that the "help" will probably just consist of
           | funneling more taxpayer money to large shareholders and
           | execs, while banks figure out ways to dodge liability without
           | actually solving the problem.
        
             | vosper wrote:
             | Is the government required here [0]? Could commercial
             | operators not improve their own security through their own
             | investment and taking it seriously? If ransomware hits them
             | in the chequebook where stolen customer data didn't, then
             | they might find that quite motivating?
             | 
             | [0] It obviously is for government departments.
        
               | tialaramex wrote:
               | The government is the final arbiter in a bunch of cases
               | you care about. Whether you are (for example) a US
               | citizen is not a decision for T-Mobile, or Amazon, or
               | Walmart, or Delta, that's up to the US government.
               | 
               | The government (and not private corporations) tracks
               | births, deaths, immigration, emigration, and of course it
               | chooses to issue identity paperwork.
               | 
               | In general the closest commercial entities like banks can
               | do is identity matching. So e.g. maybe Bank A asks you
               | "Hey, do you have, like, a mortgage? Who with?" and you
               | pick Bank X from the list of six options and OK, either
               | that's a lucky guess or you know that "you" have a
               | mortgage with Bank X.
               | 
               | This is pretty poor, it's something, but it's not very
               | much, it's up there with Facebook's "Here are some
               | pictures of people, which of them is your friend?" which
               | of course falls down when either: You "friend" people you
               | don't actually know and wouldn't recognise; or your
               | "friends" don't like Facebook having accurate photo data
               | and intentionally mislabel random other people or things
               | with their name...
               | 
               | And as with the Facebook thing it breaks in surprising
               | and hard to reproduce/demonstrate ways. Maybe _you_
               | think of this as your Big Bank mortgage, but if you check
               | the small print it's actually a Different Bank mortgage,
               | that Big Bank are re-branding, and so you just picked
               | wrong.
               | 
               | So yes, in practice government is where this would get
               | solved, if you've any appetite for solving it.
        
             | toomuchtodo wrote:
             | Different parts of government. Legislators, especially, need
             | to care about digital identity. They don't care enough (see
             | below copy pasta, rest of the FCW piece talks about how
             | identity legislation has been punted to fall Congressional
             | sessions) yet.
             | 
             | Maybe banks have to bleed more (Reg E mostly protects
             | consumers from this fraud exposure) before they'll come
             | willing to regulators asking for it. If that's the path to
             | success, it's a shame but not surprising.
             | 
             | https://www.congress.gov/bill/116th-congress/house-
             | bill/8215...
             | 
             | https://fcw.com/articles/2021/08/12/infrastructure-
             | digital-i...
             | 
             | "A draft version of the Senate infrastructure bill, which
             | was obtained by FCW, included $500 million for the
             | Department of Labor to institute a grant fund to supply
             | states with digital identity proofing tools that are
             | compliant with National Institute of Standards and
             | Technology to combat fraud in unemployment insurance
             | benefits.
             | 
             | In addition to the program administered by the Labor
             | Department, the draft legislative language called for the
             | Office of Management and Budget to develop a plan for
             | federal digital identity verification, including an
             | inventory of current efforts and a study of the feasibility
             | of establishing a governmentwide system that provides
             | equitable access to users of government services and
             | protects privacy. There was talk in the administration and
             | in the Senate of adding $3 billion in funding for
             | governmentwide identity solutions as part of the
             | infrastructure bill.
             | 
             | Instead, the entire section on program integrity covering
             | the digital identity grants program and the OMB policy push
             | was removed from the bill before it came up for a vote and
             | was not offered in any of the amendments that came up as
             | the bill was debated on the Senate floor.
             | 
             | The White House and various Senate press offices by and
             | large did not respond to emailed questions from FCW about
             | what happened with the digital identity section of the
             | bill."
        
       | bogomipz wrote:
        | So they didn't learn their lesson after their customers' SSNs
        | were stolen in 2015? In that hack they bizarrely claimed that
        | Experian was storing the SSNs for them.[1]
       | 
       | For the record this shitty company also had a customer data
       | breach in 2018[2], 2019[3] and 2020[4]. With this latest hack it
       | makes 6 data breaches in 5 years. At what point will this
       | negligence be considered criminal?
       | 
        | [1] https://money.cnn.com/2015/10/01/technology/tmobile-
       | experian...
       | 
        | [2] https://threatpost.com/t-mobile-alerts-2-3-million-
       | customers...
       | 
       | [3] https://www.geekwire.com/2019/t-mobile-discloses-breach-
       | expo...
       | 
       | [4] https://www.zdnet.com/article/t-mobile-says-hacker-gained-
       | ac...
        
       | aspectmin wrote:
       | Maybe it's time we invented robust systems to prevent us from
       | having to share all of our personal data with companies like
       | these, yet still be able to transact with them.
        
       | brnt wrote:
       | For global companies, can we specify the countries affected? I
       | don't see any details on this anywhere.
        
         | sofixa wrote:
         | The article mentions social security numbers, so i assume the
         | US. (Afaik the German and Austrian equivalents aren't usually
         | referred to as SSN, although i might be mistaken)
        
           | brnt wrote:
           | In the Netherlands and France it's often translated as such.
        
             | sofixa wrote:
             | Idk about the Netherlands, but the French one is absolutely
             | not used for random identification - its only purposes are
             | taxes, health insurance/care, and pensions, so the only
             | institutions who know it and can ask for it are related
             | government things, your employer and medical staff.
             | 
             | So a mobile operator having your social security number
             | would be extremely weird.
        
               | brnt wrote:
               | Hence my confusion.
        
       | Bhilai wrote:
       | T-Mobile is one of the habitual offenders. I am betting on no
       | adverse consequences from this breach also.
        
       ___________________________________________________________________
       (page generated 2021-08-16 23:00 UTC)