[HN Gopher] T-Mobile Confirms It Was Hacked
___________________________________________________________________
T-Mobile Confirms It Was Hacked
Author : jbegley
Score : 234 points
Date : 2021-08-16 20:18 UTC (2 hours ago)
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
| sakopov wrote:
| Between this and Equifax hacks alone, can we make an assumption
| that the majority of SSNs out there are tainted?
| rvz wrote:
| It has been fully admitted. Award this company a colossal fine
| for getting hacked and having personal user data being leaked
| over the internet.
|
| But also unfortunately, let the SIM hacking games begin.
| derwiki wrote:
| Would it be beneficial for T-Mobile customers to switch
| carriers? Or can nothing be done to avoid being SIM hacked at
| this point?
| dvdkon wrote:
| Maybe carriers will finally start taking identity
| verification seriously. When everyone's name, address and SSN
| (or equivalent) is leaked, somebody might finally get the
| idea that they're rubbish secrets.
|
| My name and address are actually public as a self-employed
| Czech. My date of birth shouldn't be hard to find and plenty
| of people even publish it (why shouldn't they?), my mother's
| maiden name might be somewhere too, and I don't even have her
| as a friend on any social media platform.
|
| I really think it's time to start accepting no less than a
| unique password, hardware identification key or a physical
| visit to a location with a forgery-resistant ID card.
| devnulll wrote:
| Have any companies had significant fines levied? Certainly
| nothing large enough to change behavior.
|
| The OPM leak remains the most significant overall of which I'm
| aware. The Experian leak tops my commercial data leak list,
| although they get bonus points for then selling people their
| own data protection service(s).
| m-p-3 wrote:
| Equifax: _rubs hands_
| pengaru wrote:
| Why does T-Mobile have SSNs of its subscribers?
| t3rabytes wrote:
| The big US carriers are post-paid and run credit checks on
| subscribers.
| blacksmith_tb wrote:
| Not necessarily, I'm on TMO, grandfathered in to an ancient
| 'unlimited data/100min talk' pre-paid plan (so they have very
| little on file for me, luckily).
| swiley wrote:
| It's days like today that I'm very glad I use a prepaid VOIP
| service that accepts bitcoin.
| gruez wrote:
| There's even a prepaid e-sim provider that accepts bitcoin:
| https://silent.link/
| dionidium wrote:
| Right, but surely they could run your credit and then throw
| away the data, right? What interest do they have in holding
| on to it?
| nealyoung wrote:
| If you stop paying, they want to make a report to the
| credit agencies.
| social_quotient wrote:
| Folks haven't learned that this data is a liability and not
| an asset.
| sorry_outta_gas wrote:
| credit checks/verification/enforcement for yearly contracts
| probably
| aaomidi wrote:
| Credit checks
| nsxwolf wrote:
| Why do they need to keep them?
| timdev2 wrote:
| Perhaps so they can report you to the credit rating agencies
| if you go into arrears.
|
| If that's the case, it would be an incremental improvement
| if the credit agencies implemented some tokenization
| scheme, sort of like credit card gateways do.
|
| Not that anyone should trust the credit agencies either,
| but you'd still be removing unnecessary points of potential
| compromise.
| kimbernator wrote:
| All contract-based telecoms (at least in the US, I can't speak
| to elsewhere) run credit checks against postpaid customers
| since they typically involve a financial obligation (2 year
| contract and/or financing the device)
| georgyo wrote:
| The obvious follow up question, after they ran the credit
| report, why do they continue to store your SSN.
|
| They are not periodically running credit checks. If they
| were, then people with active credit monitoring would be
| notified, even for "soft" checks.
| [deleted]
| belltaco wrote:
| Maybe to report to collection agencies and credit score
| bureaus in case of default?
| chrischen wrote:
| So given that T-Mobile authenticates me with SSN when I call them
| does this mean they can't do this anymore or it opens me up to
| SIM hijacking?
| 88840-8855 wrote:
| The parent company's stock price (Deutsche Telekom) seems not to
| care at all that this happened. The market seems not to see that
| data breaches are a risk to business.
| sangd wrote:
| For the past year, I've been getting random calls and texts from
| a lot of unknown sources. Many times the callers even spoofed
| different numbers. And sometimes people call me because they said
| I called them. I suspect phone user information has been leaking
| probably in many different ways.
| [deleted]
| sergiomattei wrote:
| > The data includes social security numbers, phone numbers,
| names, physical addresses, unique IMEI numbers, and driver
| license information, the seller said.
|
| Lord, that's an insane amount of data.
| SavantIdiot wrote:
| Wow, that's a SIM-jacker's paradise of personal data. I haven't
| had to change a SIM card in a decade, hopefully it is a lot
| harder now.
| sscotthall wrote:
| Coincidentally, I heard from a T-mobile reseller that
| T-mobile is forcing them to reissue new SIM cards to all
| their customers. Unclear if this is related, but the timing
| is interesting. This was communicated a few weeks ago, before
| the breach was publicly known.
| ryanmcbride wrote:
| It's insanely easy to change sim cards. A few times I've done
| it they haven't even asked for ID. I even set up a 'port out
| pin' that requires me to give a 6 digit pin anytime I want to
| change something about my service or get a new sim card, it's
| 50/50 whether they actually ask for it or not.
| kgwxd wrote:
| Over the weekend, I got 2 phishing text messages about 2 bank
| accounts, at banks I actually use, one of which is a local
| bank, not a national chain.
|
| One said my main checking account bank access was locked out
| due to suspicious activity just minutes after I did something I
| might expect a bank to flag (paying an individual via PayPal
| and multiple charges at a single gas station). I wasn't in a
| position to verify it at the time (I don't do bank stuff on my
| phone, and I certainly wasn't going to click the link), so I
| switched to using another card while I was out. A few hours
| later, I got another phishing message about the card I had
| switched to.
|
| I don't get many phishing attempts on my phone and they've
| always been for banks or other services I don't even use. I'm
| really hoping it's just coincidence that I got 2 semi-believable
| attempts in a row because the alternative is that they're able
| to see what I'm doing in real-time.
| janvdberg wrote:
| This tweet explains how they might have gotten in (i.e. unpatched
| ssh servers)
| https://twitter.com/damienmiller/status/1427195852011937797?...
| tyingq wrote:
| From the picture:
| https://pbs.twimg.com/media/E848JkGUUAIhIq5?format=jpg&name=...
|
| _"Audit Flags: NO_PCI NO_SOX"_
|
| Ouch.
|
| Also, _"IBM 9117-MMD"_ would be a POWER7+ server that was EOL
| in December of 2020.
| barbarthjdj wrote:
| If I believe my data (SSN, name, address) has been breached, what
| should I do? How should I prevent identity theft?
| dang wrote:
| Recent and related:
|
| _T-Mobile investigating claims of 100M customer data breach_ -
| https://news.ycombinator.com/item?id=28192423 - Aug 2021 (183
| comments)
| [deleted]
| hamburgerwah wrote:
| This should result in the corporate death penalty but won't so
| will keep happening. If you zeroed out all of the investors this
| type of mass compromise would immediately cease.
|
| As long as -- cost of compromise < cost of security -- on and on
| this will go.
| chrisbolt wrote:
| Just because the problem is that cost of compromise < cost of
| security, the solution is not to raise the cost of compromise
| to infinity. That's treating it in a very black and white,
| binary way. It also increases the incentive to spend more on
| covering up any compromise.
| [deleted]
| gruez wrote:
| I agree with the principle of raising the cost of compromise,
| but disagree with your proposal of raising it to infinity
| (which is effectively what happens when you wipe out the
| shareholders). Getting hacked sucks, but surely consumers
| aren't experiencing _infinite_ losses when that happens?
| dave5104 wrote:
| Feels like a better idea might be legally forcing some top X
| levels of management out as a form of corporate death,
| invalidating any golden parachutes on the way out too.
| [deleted]
| refurb wrote:
| Couple that with making engineers liable for what they build.
| Just like we do with physical engineering - build something
| that knowingly harms people? Get sued.
| bpodgursky wrote:
| Executing one of the few large US mobile providers will do
| nothing except raise prices by eliminating even the marginal
| remaining competition.
| notJim wrote:
| I'm curious for folks who like solutions like this, have you
| ever had a vulnerability in production? I would be shocked if
| most software engineers haven't had at least one outdated
| package, or one line of poorly-escaped javascript or similar at
| some point. It seems like luck (and maybe being a poor target)
| that these things are usually found before they are exploited.
| Should the companies we all work for cease to exist?
|
| I agree broadly with regulations designed to raise the cost of
| security flaws and so on, but I feel like there's this
| expectation that if we make the punishment extreme enough,
| people will begin writing perfect software and operating
| perfect servers, and I just don't buy it.
| It seems sort of like saying if someone causes a production
| issue or accidentally leaks a database, they should be summarily
| fired. More likely it was a mistake, and we should understand
| why it happened so we can prevent it in the future.
| amelius wrote:
| Being a large company, they should at least demonstrate that
| they took appropriate measures. E.g. show the reports written
| by the pen-testers they hired.
| koolba wrote:
| If your billion dollar company's application architecture
| is such that any one compromised system leaks the entirety of
| your customer data then you're definitely doing it wrong.
| It's not just a matter of one compromised package being able
| to wreak havoc, it's the scale and blast radius of the havoc.
| koheripbal wrote:
| It's just victim blaming and anti-corporation rhetoric.
|
| No one over 30 takes this position seriously.
| vlovich123 wrote:
| I don't know. I'm over 30 & I think the punishments aren't
| severe enough for repeat offenders (maybe T-Mobile falls
| here?) or in the face of egregious violations of best
| practices & incompetence (Equifax). I think firing the
| board of directors & instantly selling off the shares of
| the majority stock holders on the open market might be
| better measures, but it requires the government bringing
| lawsuits & that's not popular in the US anymore.
| mdoms wrote:
| > If you zeroed out all of the investors this type of mass
| compromise would immediately cease.
|
| It absolutely would not. Yes we would see greater investment in
| cyber security and it would pay dividends, but the idea that we
| can totally eliminate data breaches if we just try really super
| hard is unrealistic.
| Teever wrote:
| This is absurd. There is a simple way to eliminate data
| breaches -- Don't keep data. Humans have been conducting
| businesses for thousands of years without the need to hoard
| large quantities of personal data.
|
| If there was sufficient regulatory force to induce companies
| to make the choice between not hoarding data or not existing
| then I'm sure that business would carry on as it has for
| millennia.
| yzmtf2008 wrote:
| This doesn't make any sense. Capital punishment has existed
| since forever - yet the fact that they are still carried out
| means that they are not stopping all of the crimes punishable
| by death.
| dstick wrote:
| It does make sense. You're confusing corporate liability with
| personal liability. The parent's point is that if the
| investors / shareholders would be responsible, stuff like
| this would be severely reduced because resources would be
| allocated to prevent it. Right now, the only damage is a
| financial one. And as long as the damage is lower than the
| cost of prevention, hacks like this will continue to happen.
| ghayes wrote:
| So isn't the solution here to up the penalties,
| specifically with codified minimums ($X per leaked phone
| number, $Y for leaked SSN, etc)? The corporate death
| penalty would end up hurting the consumers significantly
| more than this method, which would primarily hurt the
| share/debt-holders, which is the intent. Corporate
| dissolution seems like a concern when fraud or malfeasance
| is specifically involved.
|
| For context, I'm very likely in this breach, but it
| wouldn't make me any happier to hear T-Mobile was shut-down
| tomorrow.
| Zelphyr wrote:
| A lot of people fear losing their money more than they fear
| death. I think corporate capital punishment, in theory, could
| work. The other side of that coin, however, is the number of
| people put out of work if that were to happen.
|
| Either way, there need to be far stiffer penalties levied
| against companies who don't secure their systems better and
| lose sensitive customer data.
| cortesoft wrote:
| If any compromise wipes out a company automatically, you
| suddenly increase the incentive to hack a company by a huge
| amount.
| That doesn't seem like a good way to increase security.
| gruez wrote:
| 1. short company
|
| 2. hire cyber-mercenaries to hack company
|
| 3. ???
|
| 4. profit
| polka_haunts_us wrote:
| I had 5 spam calls this morning from various suspicious phone
| numbers, including one from Europe. That's more than I've gotten
| since I first got this phone number _total_.
|
| I guess it's unreasonable to expect the good times to last like
| that but man, I'm still deeply unhappy with T-Mobile right now.
| S_A_P wrote:
| Don't feel bad- I'm on AT&T and I've noticed a HUGE uptick in
| spam sms messages. Pretty sure my number was leaked in some
| breach.
| gruez wrote:
| >Pretty sure my number was leaked in some breach.
|
| Why do spammers need leaked phone numbers? Can't they just
| call/message every number?
| easrng wrote:
| They can and do, but it's cheaper if they have a list so
| they can just text numbers they know get SMS.
| pininja wrote:
| Calling, while cheap, isn't free or infinitely fast. They'd
| likely pay for knowing "active" or "lucrative" numbers.
|
| Jim Browning videos are a fantastic resource to learn more
| about the inner workings of scams
| https://youtube.com/c/JimBrowning
| yuy910616 wrote:
| Calling isn't zero cost, and that spammer time isn't zero
| cost, so in this case, there is an incentive for the
| spammer to weed out people who cost the most.
|
| So isn't the popular idea that you should NOT answer spam
| calls wrong? Logically, you should answer every spam call
| and try to get them to stay on the line for as long as
| possible, therefore maximizing their cost.
|
| This is assuming they have some CMS software on the
| backend that allows them to categorize numbers.
| Nzen wrote:
| There are systems to waste telemarketer time, ex lenny
| troll [0] (which acts like a senile person). While I used
| to answer in bad faith, I stopped given the realization
| that I am hurting people of lower economic standing more
| than the company that employs them.
|
| [0] https://lennytroll.com/about.php
|
| On the tangential topic of war dialing (calling every
| number as an exploration) I recommend checking this
| discussion https://news.ycombinator.com/item?id=27602383
| gruez wrote:
| >Logically, you should answer every spam call and try to
| get them to stay on the line for as long as possible,
| therefore maximizing their cost.
|
| You also have to factor in your costs as well. I checked
| a random VOIP service and they charge a penny per minute,
| or $0.60 per hour. The federal minimum wage is an order
| of magnitude higher at $7.25/hour. Therefore it's more
| expensive for you to stay on the line to mess with them.
| bbarnett wrote:
| Or leaked once, when your phone number appeared on a phone,
| with an evil app installed.
| judge2020 wrote:
| For what it's worth I've continued to report these to both
| AT&T[0] and Safe Browsing[1].
|
| 0: https://www.att.com/support/article/my-account/KM1051831/#:~....
|
| 1: https://safebrowsing.google.com/safebrowsing/report_general/
| dwighttk wrote:
| I kinda wish Apple would let me mark voicemail as spam. They
| wouldn't even really need to do anything with that info. Just
| delete the voicemail and maybe keep track of the number and
| if I mark the same number three times then block it.
|
| I know I can block a caller, but I don't know enough about
| how these scams work to know if blocking a number slows them
| down at all.
|
| I just don't let my phone ring ever so I don't deal with too
| much of the spam. Every once in a while I open the phone app
| and see I have like 15 new voicemails. I'm guessing I do that
| once a month so they are just calling every other day.
| ASalazarMX wrote:
| The amount of unwanted calls has skyrocketed this last year. I
| was forced to automatically reject calls that weren't in my
| contacts. Anyone important already can email or message me.
|
| Big email providers are very good at filtering spam, so if
| enough people block calls, the only spam venue left would be
| instant messaging.
| heisenbugtastic wrote:
| Set my voice mail message to a modem carrier tone. Does not
| help too much with the spam calls, but no political calls
| anymore.
| yuy910616 wrote:
| I've actually been answering each spam call - and try to get
| them to stay on the line for as long as possible.
|
| My assumption is that they have some sort of CMS software and
| that it costs money to call. If you don't answer - they'll
| keep trying you. But if you do answer and it costs them money -
| they'll put you in the 'do not call' list.
|
| Just my guess - but so far it has worked for me personally.
| ASalazarMX wrote:
| It's a good strategy. They feed the autodialer with a list
| of phones, and when it hears a human voice, it transfers the
| call to an operator. If you didn't answer it will call you
| several more times. If you answered but didn't speak, it
| will (probably) not insist for that day.
|
| My record is a call of around 14 hours. The autodialer
| called me after 10:00pm (supposedly illegal here), and
| there were no operators to take the call. I left my phone
| charging with the call active, and went to sleep, since the
| caller pays for the call. Kept the call until I needed to go
| out, and I like to think that even if the call wasn't
| expensive because it was bulk price, maybe having a line
| busy helped slow down spam for others.
|
| I don't do that anymore because spam calls have multiplied,
| it would mean answering more spam than I'd like.
| mwint wrote:
| I can confirm answering calls and using as much of their
| time as possible totally works. I've been doing this for a
| year or more now; I get excited when a spammer calls me
| now. It's about a monthly affair.
|
| I have a bookmark for https://www.getcreditcardnumbers.com/
| - I happily give them all the credit card numbers they want
| (the ones from that site pass the checksum, but of course
| aren't valid in combination with a made up expiry and CVC).
|
| After a couple card numbers fail, they cuss me out,
| sometimes threaten my life, and never call again.
|
| My theory is they get flagged by their payment processor if
| they submit many bogus credit card numbers.
|
| It's about a 10-minute investment once a month. Less time
| than I used to spend answering and hanging up on spam
| calls.
| ASalazarMX wrote:
| This is brilliant. I don't know what a pissed off spammer
| with who knows how much of your info could do, though.
| The last time I made one angry for wasting her time, I
| received even more calls from other spammers.
| nerdponx wrote:
| I would love to run SpamAssassin (at least the Bayesian text
| analysis part) on SMS/IMs. I suspect it would do pretty well.
|
| Is there a way to tell if a phone number is from a VoIP
| service? It'd be great if I could just block those wholesale,
| as well as any text message that's sent from an email
| address.
| mwint wrote:
| Having worked in products using VoIP stuff, you'll hit
| issues with 2FA requests from some apps. The big names have
| their own shortcodes, but many smaller apps use a generic
| VoIP number from Twilio or similar.
| aaaaaaaaaaab wrote:
| Is this a US thing? I've never received unsolicited spam calls
| here in Europe...
| ASalazarMX wrote:
| Mexico too. Before the pandemic I had a few spam calls a
| month, but now there were days when I received 20-50 from a
| misconfigured call center automatic caller.
|
| It forced me to silence all calls from strangers. We have
| laws and a system to block and report spam callers, but it
| seems they don't work anymore.
| stordoff wrote:
| I get spam texts fairly often in the UK, and I almost never
| give out my number, so no idea where they come from.
|
| I also occasionally get calls from unknown numbers, which I
| don't answer, but if I look them up they are usually associated
| with spam calls. My grandmother also gets them fairly often
| on her landline, usually of the "there is a problem with your
| computer" scam variety, but sometimes trying to sell her
| insurance for a random appliance.
| g_p wrote:
| Fingers crossed, but I've not really had any spam issues on
| a few UK numbers.
|
| I have even been quite generous in giving out one (i.e.
| using it for any online stores that insist on a phone number),
| and I've yet to really have any unsolicited call that I can
| think of.
|
| Phone numbers do get recycled by operators, so there's
| definitely some luck - I've seen some issues with landline
| numbers, specifically people trying to trace former users
| of the number. I imagine if you get "unlucky", you might
| really have little option beyond call blocking or trying to
| get a new number.
|
| I did find it interesting that, at least for N=1, giving
| out your number fairly freely, including when you shop
| online (but not opting in to marketing etc) didn't seem to
| result in any issues, even after 8 years or so.
| njovin wrote:
| Yes, it's pervasive. I get 4-5 calls per day, most of them
| scams trying to sell auto warranties or cheap vacations. All
| of them spoof the caller ID of the caller so it looks like
| somebody from my area. We have a national do-not-call list,
| but it's a joke, as it only holds legitimate businesses
| accountable. There's almost no enforcement for these
| fly-by-night companies.
|
| There are initiatives in the works to prevent this behavior
| but they keep getting delayed, presumably because the telcos
| will have to do some work that doesn't fill their pockets so
| they're dragging their feet.
| skissane wrote:
| I get them frequently in Australia. Calls claiming (but
| likely faked with VoIP) to come from various places overseas,
| and from within Australia.
| I get a few different types:
|
| a) Recently it has been computer voices leaving me voicemails
| claiming I've ordered thousands of dollars of stuff on
| Amazon, and I need to call some number to cancel the order
|
| b) I got one guy claiming to be from a major ISP and saying
| my Internet was broken and he needed to help me fix it. I
| knew it was nonsense because I don't even use that particular
| ISP
|
| c) Recorded messages claiming the Australian government is
| going to prosecute me for tax evasion, and if I just wait for
| the call centre operator to come online, they'll fix the
| matter for me by accepting payment of unpaid taxes
|
| I think they are just dialling random numbers, looking for
| easily-tricked people.
| brnt wrote:
| Got it in France too all the time. Never in Switzerland or
| the Netherlands though.
| BrandoElFollito wrote:
| I got maybe two calls in France in the last 10 years, from
| companies I am with (but still unsolicited)
| paulddraper wrote:
| I've gotten lots of scam calls over the past 12 months, and
| lots more over the last 30 days.
| dheera wrote:
| I get about 10+ spam calls a day, I just block all calls except
| for a couple of whitelisted numbers, and forward the rest to
| something that plays a hold song endlessly.
| capitainenemo wrote:
| Sometimes I get calls from people I forget to whitelist or
| who might actually be important (workmen for example). So, I
| have my default phone ringtone set to a 0.1s, 200 byte mp3 of
| silence. Anyone in my address book gets my standard address
| book ringtone. Then I just check the emails of the voicemails
| once a day.
| ARandomerDude wrote:
| In before a 20yo culture warrior says "allowlist."
| samstave wrote:
| I get numbers from EU as well -- and I get some at ~3AM PST as
| well...
| abawany wrote:
| Google Voice (GV) and Voip.ms have fairly sophisticated
| screening that tends to get the 'vehicle warranty' bots to hang
| up quickly.
| I wish our phone carriers offered such methods to
| ensure that their 'services' remain relevant in an increasingly
| spammy world. Edit: for GV, you will need to enable screening
| by going to https://voice.google.com/u/0/settings and setting
| "Screen calls" and for Voip.ms, you will need to set up an IVR so
| that callers have to enter a code before they are allowed
| through.
| rPlayer6554 wrote:
| The Google Pixel has this built in as well.
| saxonww wrote:
| I'm on Google Fi and get car warranty calls all the time.
|
| The only technique that works is to not answer the phone
| unless it's from a known contact. Most spam stuff won't leave
| a message, or it will be a consistent ~4 seconds of silence.
| Fi (or Android? IDK) has a call screening function; 9/10 times,
| if I send something to it, they will hang up before the
| automated preamble finishes.
| samstave wrote:
| I think we need an automated Invoice Filing System for
| "warranty calls" billed directly to the auto companies.
|
| In addition to the Hilton and Marriott Hotel Chains for
| their "You recently stayed at the [Hotel]" calls...
|
| I was an elite member at Marriott for years, and I am
| convinced that my numbers were released in their breaches.
| brandonhorst wrote:
| Google Fi and Google Voice are not the same thing - Fi has
| no such built-in protection.
| [deleted]
| samstave wrote:
| I get MANY GV spam calls
|
| https://i.imgur.com/jKEA3Tw.png
|
| I NEVER use my GV number... I just don't know how they get my
| number to begin with....
|
| But the numbers that are super spam are all the ones with ~4
| second VM.
|
| I keep hearing from this weird New Jersey Jewish Accent where
| he tells me "I am under attack for someone who is causing my
| pain and attempting to steal money from me and if I pray and
| send him money he will take care of this attack against me"
|
| This spam call is really good at avoiding number blocking -
| and I get ~2 calls per month from this recording...
| (The accent is like if Mel Blanc attempted to do an over-the-top
| Jewish accent... it's really over the top. I recommend
| everyone listen to it and picture "The Producers" with Mel
| Blanc singing it...
|
| I actually listen to it every few months or so because of how
| comical the message is.
| abawany wrote:
| Consider enabling screening in GV settings
| https://voice.google.com/u/0/settings .
| r00fus wrote:
| I use GV and call-screening. Much less spam. Callers hate
| it, but it's kinda like a verbal captcha.
|
| Oh and my cell phone area code is different than the local
| area code - so I ignore all calls from my (xxx) - xxx range
| regardless.
|
| My family/friends have my direct#.
| abawany wrote:
| BTW, you can go into the 'Legacy GV' interface and into
| Groups to whitelist contact groups (e.g. 'All Contacts')
| who will get straight to you without this screening.
| sosborn wrote:
| > I just don't know how they get my number to begin
| with....
|
| They don't need to get it. They can just take random
| guesses with valid area/country codes.
| dopamean wrote:
| I've been using google voice for 7+ years and I get a TON of
| those vehicle warranty calls. At least one almost every day.
| abawany wrote:
| You need to enable screening by going to
| https://voice.google.com/u/0/settings .
| criticaltinker wrote:
| _> The seller told Motherboard that 100 million people had their
| data compromised in the breach. In the forum post, they were
| offering data on 30 million people for 6 bitcoin, or around
| $270,000._
|
| Is it possible that one day the market for SSNs and other private
| data will become so saturated that exfiltrating such data becomes
| unprofitable?
|
| On a slightly more serious note, is anyone aware of a compilation
| of prices paid for such data? I'm imagining something like a
| Consumer Price Index [1], but for stolen private data. Maybe far
| in the dystopian future inflation will make life harder for
| hackers.
|
| [1] https://www.bls.gov/cpi/
| throwawayboise wrote:
| I can't imagine that it already isn't.
|
| SSNs were never secret until fairly recently.
|
| I guess an up-to-date cross-reference of SSNs and current
| active accounts of other types might always have some value to
| certain buyers.
| Overton-Window wrote:
| Not your keys, not your data. These compromises only strengthen
| the argument for decentralisation and pseudonyms.
| 73r7fudhdjduru wrote:
| Considering almost 1/3 of illegal immigrants use stolen identity
| information and the Democrats aren't eager to fix the border,
| since children of illegal immigrants slant blue, this seems
| unlikely barring another situation where the Republicans
| control the House, Senate, and Presidency (and don't screw the
| time away arguing amongst themselves).
| fingerlocks wrote:
| T-mobile has roughly 105 million subscribers, as per cursory
| Google search. So that's everyone?
| 8ytecoder wrote:
| If all the leaks accumulate we'll just have one giant global
| lookup table with SSNs, names and addresses.
| vngzs wrote:
| From Flashpoint's analysis [0], in 2019 an SSN is $5.
|
| [0]: https://go.flashpoint-intel.com/docs/pricing-analysis-of-goo...
| criticaltinker wrote:
| Very informative, thanks for sharing.
|
| Here are a couple excerpts I found interesting:
|
| _> FULLZ: Slang for a full package of personal information
| connected to an individual, fullz provide enough information
| for a criminal to steal and profit from a victim's identity.
| Fullz generally include the victim's name, Social Security
| number, date of birth, account numbers, and more._
|
| > REPRESENTATIVE SAMPLE OF 2019 FULLZ PRICING IN USD
|
| _> 2018 credit card and fullz from service industry $10_
|
| _> Cashing out bank accounts and fullz empty it $4_
|
| _> EU/Asia/UK credit cards / fullz $860_
|
| _> $20,000 bank loan cashout using fullz $30_
|
| _> Fullz SSN - DoB $5_
|
| > REPRESENTATIVE SAMPLE OF 2019 IDENTIFICATION DOCUMENTS AND
| PRICES IN USD
|
| _> U.S. passport PSD template $18_
|
| _> Driver's license template, passport, certificates $1,000_
|
| _> UK driving license, passport pack, PSD photo $3-$26_
|
| _> Australian passport PSD template $18_
|
| _> Canadian passport PSD template $26-$46_
|
| _> France passport PSD template $45_
|
| _> Germany passport PSD template $46_
|
| _> Netherlands passport PSD template $50_
|
| _> Spain passport PSD template $45_
|
| _> Sweden passport PSD template $5_
|
| _> Turkey passport PSD template (fully editable) $45_
| whoomp12342 wrote:
| no, because people who get compromised will eventually put in
| place anti-fraud measures, effectively making stale data have a
| half-life and at the same time creating new targets
| twistiti wrote:
| You can get a rough idea using the
| https://www.privacyaffairs.com/dark-web-price-index-2021/
| report
|
| A valid US social security number is estimated at $2, a
| USA selfie holding an ID is estimated at $100
| SkyMarshal wrote:
| Note to self, never take a selfie while holding my ID,
| negotiate some other means of remote identity verification.
| onion2k wrote:
| _Is it possible that one day the market for SSNs and other
| private data will become so saturated that exfiltrating such
| data becomes unprofitable?_
|
| The revenue isn't 6 BTC. It's 6 BTC * however many people are
| willing to buy at that price.
More suppliers would surely drive the price down, but at this point there are probably tens of thousands of people who'd buy if the data was cheaper, so it'll remain profitable for a _long_ time.
| paulddraper wrote: | True. Increased supply offset by increased demand.
| trimbo wrote: | If there's a large enough market, why doesn't someone buy it and then undercut the original seller by selling it for 3 BTC? Or 1? (Or maybe they do?)
| bbarnett wrote: | There will be a licensing agreement, of course. | | (Napoleon Dynamite 'Gawd!')
| [deleted]
| vngzs wrote: | The price goes down as a target is in more breaches. If your SSN was previously leaked, it's worth less.
| martinald wrote: | That's one way of looking at it; the other is that the financial system itself begins to fail under the volume and price of fraud. | | Ransomware ransoms have increased massively. They were often a few thousand dollars only a few years ago; now we often hear about $50m+. | | On the smaller scale, SMS/email phishing has got absolutely enormous in volume too. Banks and credit card providers are refunding hundreds of millions (if not more) in fraud, in what is actually a very low margin business (retail banking). It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to grow almost exponentially.
| rlpb wrote: | > It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to almost exponentially grow. | | Preventing this kind of fraud is a solved problem. The reason it still happens is that banks are forced, through competition, to minimise the "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way. | | At the moment we're stuck in a "marketing armageddon" of banks competing with each other by not properly verifying identity before granting credit or transferring away money.
| This seems to me like a Tragedy of the Commons. | | If, across the board, people were required to prove their identity properly before banks rely on them, then the problem would go away overnight. It'd be a bit more tedious for consumers, but I don't see how that would cause banks to fail. The cost would merely move from fraud to identity verification. | | Perhaps some people wouldn't be sold credit that they can't afford, but I don't buy that such people are keeping the banks afloat. Before banks stop operating retail banking services, I'm sure they'll just start actually verifying identity properly to keep that market.
| 8ytecoder wrote: | Doing that has "economic costs" too. I have seen both models. In the US, you can walk in to a dealer and walk out with a car. Elsewhere, you usually get your preapproval before you start car shopping. Then usually you have to go to the bank to close the paperwork and get the car in a few days to a week. It's for the best in general. But it'll make people make more informed decisions and that'll reduce the spending. | | And proper identity verification - like looking at the document in person - also has downsides. It still can be forged. Just a little harder than what we have. (Other countries with mandatory physical KYC and a wet signature still have fraud issues.) | | Overall I think it's a lot of added cost and inconvenience for a slightly better benefit.
| hn_throwaway_99 wrote: | As someone in the banking industry, this is the "right" answer. When I got started in banking I was pretty shocked about how easy it was to "authenticate" yourself to open a bank account. For example, this breach has pretty much all the things needed to open an account in someone else's name: Name, SSN, DoB, Address. That's pretty much all the KYC services use for validating an account application.
| | There are, of course, easily added forms of additional verification - for example, Stripe just added their Identity service which lets you take a picture of your driver's license and then match the image against a selfie. But that puts "friction" in front of the application process, so most banks don't do something like this unless other signals make them think the application has a high fraud risk. | | If basically everyone's Name, SSN, DoB and Address is easily viewable public info, this will all change.
| toast0 wrote: | The US system of credit reporting and associated ease of establishing credit is like super convenient. But it's largely based on trust. There isn't a whole lot of identity verification, and there are a lot of parties in the system that take identifying information at face value and run with it. | | This is nice when it's actually you, but it's a giant PITA to unravel when it's not. My spouse's name and SSN were used to rent an apartment in Oakland, as well as in attempts to open credit cards at the apartment address (thankfully they tried to open an account at Amex but she already had one there and they called to confirm; at least one issuer said they were likely to approve). We were able to get all the credit applications denied/cancelled, but the rental lease is harder; the leasing office says they can't do anything without a criminal complaint and Oakland PD won't talk to us.
| nerdponx wrote: | Good! Maybe then the government will actually start to care once the lobbyists start to ask for help. | | The downside is that the "help" will probably just consist of funneling more taxpayer money to large shareholders and execs, while banks figure out ways to dodge liability without actually solving the problem.
| vosper wrote: | Is the government required here [0]? Could commercial operators not improve their own security through their own investment and taking it seriously?
If ransomware hits them in the chequebook where stolen customer data didn't, then they might find that quite motivating? | | [0] It obviously is for government departments.
| tialaramex wrote: | The government is the final arbiter in a bunch of cases you care about. Whether you are (for example) a US citizen is not a decision for T-Mobile, or Amazon, or Walmart, or Delta; that's up to the US government. | | The government (and not private corporations) tracks births, deaths, immigration, emigration, and of course it chooses to issue identity paperwork. | | In general the closest commercial entities like banks can do is identity matching. So e.g. maybe Bank A asks you "Hey, do you have, like, a mortgage? Who with?" and you pick Bank X from the list of six options and OK, either that's a lucky guess or you know that "you" have a mortgage with Bank X. | | This is pretty poor. It's something, but it's not very much; it's up there with Facebook's "Here are some pictures of people, which of them is your friend?" which of course falls down when either: you "friend" people you don't actually know and wouldn't recognise; or your "friends" don't like Facebook having accurate photo data and intentionally mislabel random other people or things with their name... | | And as with the Facebook thing it breaks in surprising and hard to reproduce/demonstrate ways. Maybe _you_ think of this as your Big Bank mortgage, but if you check the small print it's actually a Different Bank mortgage that Big Bank is re-branding, and so you just picked wrong. | | So yes, in practice government is where this would get solved, if you've any appetite for solving it.
| toomuchtodo wrote: | Different parts of government. Legislators, especially, need to care about digital identity. They don't care enough yet (see the copy pasta below; the rest of the FCW piece talks about how identity legislation has been punted to fall Congressional sessions).
| | Maybe banks have to bleed more (Reg E mostly protects consumers from this fraud exposure) before they'll come willingly to regulators asking for it. If that's the path to success, it's a shame but not surprising. | | https://www.congress.gov/bill/116th-congress/house-bill/8215... | | https://fcw.com/articles/2021/08/12/infrastructure-digital-i... | | "A draft version of the Senate infrastructure bill, which was obtained by FCW, included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with National Institute of Standards and Technology to combat fraud in unemployment insurance benefits. | | In addition to the program administered by the Labor Department, the draft legislative language called for the Office of Management and Budget to develop a plan for federal digital identity verification, including an inventory of current efforts and a study of the feasibility of establishing a governmentwide system that provides equitable access to users of government services and protects privacy. There was talk in the administration and in the Senate of adding $3 billion in funding for governmentwide identity solutions as part of the infrastructure bill. | | Instead, the entire section on program integrity covering the digital identity grants program and the OMB policy push was removed from the bill before it came up for a vote and was not offered in any of the amendments that came up as the bill was debated on the Senate floor. | | The White House and various Senate press offices by and large did not respond to emailed questions from FCW about what happened with the digital identity section of the bill."
| bogomipz wrote: | So they didn't learn their lesson after their customers' SSNs were stolen in 2015?
In that hack they bizarrely claimed that Experian was storing the SSNs for them.[1] | | For the record this shitty company also had a customer data breach in 2018[2], 2019[3] and 2020[4]. With this latest hack it makes 6 data breaches in 5 years. At what point will this negligence be considered criminal? | | [1] https://money.cnn.com/2015/10/01/technology/tmobile-experian... | | [2] https://threatpost.com/t-mobile-alerts-2-3-million-customers... | | [3] https://www.geekwire.com/2019/t-mobile-discloses-breach-expo... | | [4] https://www.zdnet.com/article/t-mobile-says-hacker-gained-ac...
| aspectmin wrote: | Maybe it's time we invented robust systems to prevent us from having to share all of our personal data with companies like these, yet still be able to transact with them.
| brnt wrote: | For global companies, can we specify the countries affected? I don't see any details on this anywhere.
| sofixa wrote: | The article mentions social security numbers, so I assume the US. (Afaik the German and Austrian equivalents aren't usually referred to as SSN, although I might be mistaken.)
| brnt wrote: | In the Netherlands and France it's often translated as such.
| sofixa wrote: | Idk about the Netherlands, but the French one is absolutely not used for random identification - its only purposes are taxes, health insurance/care, and pensions, so the only institutions who know it and can ask for it are related government things, your employer and medical staff. | | So a mobile operator having your social security number would be extremely weird.
| brnt wrote: | Hence my confusion.
| Bhilai wrote: | T-Mobile is one of the habitual offenders. I am betting on no adverse consequences from this breach also.
___________________________________________________________________ (page generated 2021-08-16 23:00 UTC)