T-Mobile Sued for Crypto Loss on Port-Out Scam

Posted by FrgMstr ("Just Plain Mean", Staff member; joined May 18, 1997; 55,731 messages)
We talked about T-Mobile pushing security to keep your phone number from being stolen through port-out scamming last week. Now it has come to UberGizmo's attention that T-Mobile is being sued by a man who is suggesting that it is T-Mobile's fault that he lost "tens of thousands of dollars" worth of cryptocurrency last November.


Carlos Tapang, a resident of Washington state, has accused T-Mobile of having “improperly allowed wrongdoers to access” his wireless account on November 7th, 2017. They were then able to cancel his number and transfer it to an AT&T account under their control.

This enabled them to change the password of his cryptocurrency accounts and steal 1,000 OmiseGo tokens and 19.6 BitConnect coins, according to Tapang. “T-Mobile was unable to contain this security breach until the next day,” Tapang alleges, which is when it was able to get the number back from AT&T.

Those who had hacked him exchanged all of his coins for 2.875 bitcoin which were transferred out of the account and possibly sold when the price was around $7000, thus netting them just over $20,000. It merits mentioning here that bitcoin briefly touched highs of almost $20,000 in December last year.
 
The whole world needs to get rid of SMS password verification/overriding; if you get your phone stolen you're open to having all your passwords reset.

Even though T-Mobile has some blame here, stupid banks shouldn't have password resetting through an SMS.
 
The whole world needs to get rid of SMS password verification/overriding; if you get your phone stolen you're open to having all your passwords reset.

Even though T-Mobile has some blame here, stupid banks shouldn't have password resetting through an SMS.
I can see it valid as part of 2 factor, but I never knew they’d let you do full reset via sms.

I always figure if they hacked my account name and pass and spoofed my sms, I was their target and wasn’t getting away from it. Luckily I’m poor so they’d do all that work for like $20. Lol
 
The whole world needs to get rid of SMS password verification/overriding; if you get your phone stolen you're open to having all your passwords reset.

Even though T-Mobile has some blame here, stupid banks shouldn't have password resetting through an SMS.

It makes sense to use it as part of 2FA. It shouldn't be the sole method of verification. I believe thieves don't need to port your number, they just need to spoof it. I have seen where they can spoof on the sending side, so I bet it's possible on recv as well. I am not a telecoms expert though... so don't ask me how ;)
 
2FA is great, and SMS is better than nothing, but these stories are getting more common. Scammers just call the cell phone companies until they find an untrained rep who ports the number without verifying the account PIN.
 
2FA is great, and SMS is better than nothing, but these stories are getting more common. Scammers just call the cell phone companies until they find an untrained rep who ports the number without verifying the account PIN.

Which is why we need to eliminate people and have some rules for an AI to follow. You can't social engineer an AI.
 
I'm advising all my clients to invest heavily in North Korean hackers at the moment, very hot market with solid ROI.
Till they piss us off enough for us to toss a nuke at them.
Then that market will really have overheated!
 
2FA is great, and SMS is better than nothing, but these stories are getting more common. Scammers just call the cell phone companies until they find an untrained rep who ports the number without verifying the account PIN.

That isn't how porting works. I work for a telco and porting is one of the departments that I am in charge of. How number porting works is that the company taking the number puts in the request with the releasing company. So let's say that you have T-Mobile today and really do want to go to AT&T. You go to AT&T and tell them that you want to sign up for service and bring your T-Mobile phone number; you then give them 2 pieces of information: your phone number, name on the account, and your account number. The information that gets mailed to you every single month and anyone could easily get. At that point AT&T puts in a request with T-Mobile telling them that they are taking their customer's phone number away from them on such and such a day. Unless they have a valid reason (port freeze is on the account requiring a special PIN, customer has an active service order or trouble ticket on the account, account info is completely incorrect, contract terms might prohibit this from going through also...) the order goes through and AT&T gets the customer. Legally, at no point once the request is sent to T-Mobile is there to be any communication between T-Mobile and the customer. They can't call to verify the port is valid or anything like that. They have to give up the number to AT&T.

So when you call AT&T there is no account PIN for them to verify, as they aren't the account holder for the number that you are trying to move. All they can do is gather those 3 things from you and then submit the LSR (local service request) to T-Mobile, and as long as the needed info is there T-Mobile would transfer it.

Same works for long distance. That is what is known as slamming (although it isn't common anymore since LD charges have dropped to almost nothing). Years ago you would put a PIC freeze on your account to keep some random company from faxing or mailing your telephone company and saying that this list of people want to have us for long distance. Doesn't matter that nobody actually requested them and they were $25 a minute. Telephone companies couldn't argue and had to just switch everyone over. Over time people just started putting freezes on your account if you took their long distance as part of a package and this became a non-issue. However for porting, the only real solution is that it was just recently put into play where you could go through and put a port block on every single customer that you have so that you could verify with them that they really did mean to port. Comcast is good at tricking people into this when they sign up for service. Mediacom has done a pretty good job also. They get somebody on the phone and word it so that the person thinks that they are just paying this cable company and they are going to turn around and pay their local phone bill for them, or they don't listen when the person says no to porting and, since they have the person's account information, will still put in a port to take the number without the customer having wanted that to happen. On top of all that, you also have it where sometimes companies just take numbers. Again, sometimes Comcast decides that it is far easier just to update the national database that they now own a number and take it without going through proper methods. So if you could get somebody inside of a company to assist you, you could more easily port numbers away from the true owner without anyone being the wiser till it is too late.

The entire porting process is set up in a way that it is trying to make things fair and allow competition. I can't try to stop you from leaving and going to somebody else. If you want to port then fine, I am to allow you to make the choice that you want. I can't try to bribe you, or force you to stay on my service. So the only way to do that is to prohibit communication. That way it is known that if the customer changes their mind and decides to not port after all, it isn't because I did anything to talk them out of it personally. Even being able to update the national database. That is so that companies that have had numbers ported away, that the person then cancelled service on after X amount of time, can go through and change ownership back to them. Or if something goes wrong and you need to fix a number. When used correctly, all of this is fine. However it all also has the ability to allow for every horrible misuse of the system and makes it very easy to fuck with people.

Although that is the problem with most things.
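To make the telco poster's description concrete, here is an added Python model of the releasing carrier's side of a port request (example code, not the thread's or any carrier's). The gaining carrier supplies only number, account name and account number, and the losing carrier must release unless one of the listed exceptions applies; a PIN-protected port freeze is the one check that needs something not printed on a bill. Field names, the constructed account and the PINs are assumptions.

```python
# Added example: releasing-carrier checks on a port-out request (LSR); all data constructed
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    number: str
    name: str
    account_id: str
    port_freeze: bool = False           # customer opted in; needs the PIN
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    open_order_or_ticket: bool = False  # active service order / trouble ticket
    contract_blocks_port: bool = False
    port_block: bool = False            # carrier-wide block: confirm with customer

@dataclass
class PortRequest:
    number: str
    name: str
    account_id: str
    pin: Optional[str] = None           # only supplied if the requester has it

def set_port_freeze(acct: Account, pin: str) -> None:
    # The one control the subscriber owns: a PIN the monthly bill never shows
    acct.port_freeze, acct.pin_salt = True, os.urandom(16)
    acct.pin_hash = hash_pin(pin, acct.pin_salt)

def evaluate_port(acct: Account, req: PortRequest) -> Tuple[str, str]:
    """Return ("release" | "reject" | "hold", reason) for one LSR."""
    ident = (acct.number, acct.name.strip().lower(), acct.account_id)
    if ident != (req.number, req.name.strip().lower(), req.account_id):
        return "reject", "account info does not match"
    if acct.open_order_or_ticket:
        return "reject", "active service order or trouble ticket"
    if acct.contract_blocks_port:
        return "reject", "contract terms prohibit the port"
    if acct.port_freeze and not (req.pin is not None and hmac.compare_digest(
            hash_pin(req.pin, acct.pin_salt), acct.pin_hash)):
        return "reject", "port freeze on account: missing or wrong PIN"
    if acct.port_block:
        return "hold", "port block: releasing carrier confirms with customer"
    # Nothing left to check: all three fields are printed on every bill
    return "release", "LSR valid; number transfers on the due date"
```

Without a freeze, a request built from nothing but a discarded bill is released; with one, the same request is rejected until the PIN is presented.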
 
People who don't have offline wallets on cold storage or at least not network connected are just asking for it.
 
My dad had his Discover card fraudulently changed to a different email address over the phone, then they used an ATM after they did a PIN change request. Call your card companies and add a security question layer with a custom answer that isn't something searchable. That only you would know.
Regardless, the ability to steal untraced currency is already starting to have an impact. Some guy had his house robbed for his hard drives with cryptocurrency on them? Now was this real? Or a house insurance fraud scam... how does he prove what was actually on the drives. Records don't exist like that with crypto... so...
 
T-Mobile requires you to call them and talk to a person to set the PIN. You cannot do it online. Amazing.
 
This is all new to me.

So I did some googling, and shit is scary insecure.

First I saw this article about dude getting his Verizon number ported and Coinbase emptied...
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

Then I find a video about an exploit showing how easy it is to retrieve an email address associated with a phone number...

I guess it helps that I never tied my phone to any email accounts. I've always been low-tech and used a dozen separate email addresses for account recovery, rather than tying all my shit to one phone number.

I've also been reluctant to do any banking on my phone with phone apps.
 
Which is why we need to eliminate people and have some rules for an AI to follow. You can't social engineer an AI.

Yes, you can. That's the whole premise of an A.I. where software engineers social engineer the A.I. program to follow a set of rules based on how a human would do it. Now if you're talking about sending customers to a flowchart style menu where if you can't answer the questions then you get zero; it still wouldn't work. Why not? Because there is always going to be that one person that lost the birth certificate, ID got stolen in a robbery on the way to get a replacement birth certificate, and has a baby that can't get medical treatment without a copy of all of the above. As long as there is a supervisor trained to make exceptions to the rule, there will always be social engineering "hacks."
 
I'm advising all my clients to invest heavily in North Korean hackers at the moment, very hot market with solid ROI.

Can you recommend a Group Fund, preferably one that is offering a nice dividend. I'm in it for the long haul.
 
The whole world needs to get rid of SMS password verification/overriding; if you get your phone stolen you're open to having all your passwords reset.

Even though T-Mobile has some blame here, stupid banks shouldn't have password resetting through an SMS.

Your phone doesn't need to be stolen for that to happen; SS7 "security" sucks balls. :mad:
 
2FA is great, and SMS is better than nothing, but these stories are getting more common. Scammers just call the cell phone companies until they find an untrained rep who ports the number without verifying the account PIN.

Last time I called T-Mobile it was part of the automated processing to enter my phone number and PIN, and wasn't about a poorly trained person at all.
 
I don't think you even really need to port a number. There's stories of someone just calling any T-Mobile "authorized reseller", which is basically those dumbed-down cellphone shops with all the fake phones on display that don't do anything, claiming you're Mr. Smith and that you just need a new SIM #, and they'll do it.
 
Yes, you can. That's the whole premise of an A.I. where software engineers social engineer the A.I. program to follow a set of rules based on how a human would do it. Now if you're talking about sending customers to a flowchart style menu where if you can't answer the questions then you get zero; it still wouldn't work. Why not? Because there is always going to be that one person that lost the birth certificate, ID got stolen in a robbery on the way to get a replacement birth certificate, and has a baby that can't get medical treatment without a copy of all of the above. As long as there is a supervisor trained to make exceptions to the rule, there will always be social engineering "hacks."

The SWEs building it don't count. I'm saying you can't force an AI to break the rules à la the flowchart style you said. Also supervisor overrides are NOT social engineering the AI. It would be social engineering the supe.

Ummm... did you miss what happened with the chat AIs not too long ago?

IMO totally different subject. One was meant to respond to generalized input, the other is focused on responses to specific questions only.

Perhaps it would be better to say "an automated system" instead of AI since there are so many negative connotations around that. Automated system requires X, Y, and Z to reset password. If you don't have XYZ you're out of luck unless there's a human override possible. IMO if you lock yourself out of your bank account you should have to show up IN PERSON with enough PII to prove it's you. No more remote resets if you can't prove XYZ to the automated system. Period, full stop.
 
The SWEs building it don't count. I'm saying you can't force an AI to break the rules à la the flowchart style you said. Also supervisor overrides are NOT social engineering the AI. It would be social engineering the supe.



IMO totally different subject. One was meant to respond to generalized input, the other is focused on responses to specific questions only.

Perhaps it would be better to say "an automated system" instead of AI since there are so many negative connotations around that. Automated system requires X, Y, and Z to reset password. If you don't have XYZ you're out of luck unless there's a human override possible. IMO if you lock yourself out of your bank account you should have to show up IN PERSON with enough PII to prove it's you. No more remote resets if you can't prove XYZ to the automated system. Period, full stop.

The problem with your solution is that you don't understand the process to know what is in place now or how any of it works.
 
The problem with your solution is that you don't understand the process to know what is in place now or how any of it works.


You must have missed my earlier post when I said "I am not in telecom". Here let me quote it for you.

It makes sense to use it as part of 2FA. It shouldn't be the sole method of verification. I believe thieves don't need to port your number, they just need to spoof it. I have seen where they can spoof on the sending side, so I bet it's possible on recv as well. I am not a telecoms expert though... so don't ask me how ;)
 