About a week ago, some hackers called T-Mobile pretending to be me. Armed with only my name, phone number and the last four digits of my social, these hackers were able to reassign my phone number to a SIM card that they controlled.
After taking over my phone number, they proceeded to use two-factor authentication to log into all of my email accounts, data storage accounts and nearly all of my social media accounts. After they had changed my passwords and deleted my recovery options, their next step was to call my wife (the last number to text me) and attempt to extort bitcoin from me in order to recover my accounts.
I was shocked by how vulnerable I was through this single point of failure. I have always taken security (somewhat) seriously. I do more than the bare minimum, including setting up 2FA on all of my important accounts. The problem with that approach, I learned, is that with a base level of knowledge about me and an unwitting T-Mobile employee, hackers were able to quickly do a tremendous amount of damage in a very short period of time.
As soon as the hackers called my wife, I had a sense that the problem had something to do with my SIM. I called T-Mobile and told them what happened, and they sent me on a wild goose chase for the next week. To date, T-Mobile has refused to admit that this happened and is refusing to investigate the issue or provide me with any information. They’re denying all of it.
When I called them to try to roll back the SIM card change, T-Mobile’s first step was to dump me onto Apple. On my first call, they said the issue was probably on my device and they connected me to Apple. The folks at Apple were incredibly responsive and helpful. They helped me recover my iCloud account in minutes, and set me up to do a full restore of the software on my device.
After the software reset, I still didn’t have my phone number back. I called T-Mobile again and was completely stonewalled. I explained what happened to about seven different people that they transferred me to, and the last person I spoke to told me that they would not roll back the SIM card change because whoever called had the last 4 of my social and was able to read a PIN that they sent to the phone.
What I’ve learned is that there is a vibrant community of people who have figured out how to intercept SMS traffic. This is information that T-Mobile absolutely knows, but refused to consider during any of my calls with them. For whatever reason, they were willing to believe hackers in Europe, but completely unwilling to believe me when my identity was stolen.
After six different call sessions over about seven hours, I finally spoke to someone in tech support who rolled back the SIM card change. After this, I was able to quickly recover all of my accounts.
I’m not going to list out specifically what I’ve done to prevent this from happening again, but here are a few tips that I’ve learned through conversations with people far better qualified than me to discuss this:
- All carriers are susceptible to this type of hacking, so use alternatives for 2FA. I’ve gotten a 3rd party authenticator app and a physical device for 2FA. I’m splitting out my online accounts using a varied chain of these solutions for 2FA moving forward. The basic rule here is that if you’re using SMS for 2FA, you are absolutely vulnerable.
- I’ve started using 3rd party password generators and storage solutions, and set calendar invites to update my passwords every few months.
- I’m back to using physical paper storage for a number of documents, and I’ve deleted them from online storage.
- I created new email accounts to use exclusively as recovery options for some accounts, and I’m using phone numbers of friends and family as recovery options. This will hopefully remove more major points of vulnerability like my phone number.
- I’m getting off T-Mobile as soon as humanly possible. Their handling of this was appalling.
Good luck on the interwebs, people!
** This was originally published on medium.com