T-Mobile has been hacked yet again—but still doesn’t know what was taken


ChocoboGuy

Smack-Fu Master, in training
65
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?

Both can be required for a credit check if the customer is signing up for post-paid service.
 
Upvote
145 (149 / -4)

Illusive Man

Ars Scholae Palatinae
611
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?

Many carriers require it for equipment delivery like a 5G router.
 
Upvote
80 (82 / -2)

GameBoyColor

Ars Centurion
318
Subscriptor
Tmobile doesn't need this data. Here's a story about how we all learned to stop collecting too much data and just keep it to the bare essentials..........right

I think the idea is so phone calls can always be attributed to an individual. The disposable pre-paid phones of yesteryear were often employed by criminals and KYC laws required phone companies to collect certain information. Are there anonymous VOIP and spoofing services? Absolutely!
 
Upvote
30 (35 / -5)
Both can be required for a credit check if the customer is signing up for post-paid service.
Current state of credit checking is ridiculous and unethical, and any system that follows its lead, like narxcare or employment credit checking equally so. Bottom line, it looks like the risk is too great to check people's credit, better to stick to the basics. This is so fundamental, but nobody seems to have figured out that scarcity, or lack of post-scarcity is the root of the issues... /sigh
 
Upvote
41 (54 / -13)

unequivocal

Ars Praefectus
4,800
Subscriptor++
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?

T-Mobile was adamant that I had to provide both these numbers during enrollment. I refused due to a fear of breach, exactly as delivered. In order to open an account without this info I had to provide 3 months deposit on service (it was not for a prepaid account). After about a year they refunded my deposit.

But without that effort (and I was told several times that I could not open an account without these data before finding a phone rep who called the branch to explain how to do it), who would know it's even avoidable?
 
Upvote
148 (148 / 0)
Well if Equifax sets any precedent... nothing will get better and affected users shouldn't expect even an apology

I'm not a T-Mobile customer but I've been hit by so many similar breaches over the past number of years that I have somewhere around 7 more years of free credit monitoring services from multiple providers. I know they work because I've had attempted fraud detected & prevented thanks to them. I'll take that over an apology any day of the week.
 
Upvote
-9 (12 / -21)
Besides phishing, are the two vectors to be concerned about most sim swapping and 2FA by sms?

If PII like driver's license numbers and social security numbers were included in the breach as the article indicates then those people can expect attempts at credit card fraud and similar things. That's exactly what happened to me at least 4 times after my SSN was compromised in another unrelated breach.
 
Upvote
42 (42 / 0)
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?
If you needed to verify for EBB or Lifeline this info was often required. I have TMobile but used my credits for my ISP. Also if I remember right Metro required a driver license for various trade-in and free phones like the Nord.
 
Upvote
13 (13 / 0)

Bur a'Tino

Ars Centurion
251
Subscriptor
I start to believe that the whole system of identification, personal information etc. needs to be re-thought with the assumption that all your information is effectively public, and any secrets could be temporary at best.

I am not sure if it is possible to design such system, but it might be.

It is clear at this point that securing information is just not viable for most players; it does not matter whether the reasons are technical or economical.

Am I a defeatist? Or a pragmatic? What do you think?
 
Upvote
51 (54 / -3)
The fact that the entire credit industry operates on plain text which is essentially in the public domain (SSN, address, DOB, DL number) either through data leaks or even more nefarious, shady data aggregators is absurd.

Govt needs to regulate this to the 21st century. Smart IDs with encryption chips (like they have in other countries) would be a good start.

I also love the screenshot of the Twitter thread linked in the article stating how TMobile monitors their computing environment and prosecutes computer fraud and crime to the fullest extent of the law. Good thing it scared away that hacker!

Edit: ha, ninja’d one post above!
 
Upvote
79 (80 / -1)

KGFish

Ars Tribunus Angusticlavius
12,439
Subscriptor++
I start to believe that the whole system of identification, personal information etc. needs to be re-thought with the assumption that all your information is effectively public, and any secrets could be temporary at best.

I am not sure if it is possible to design such system, but it might be.

It is clear at this point that securing information is just not viable for most players; it does not matter whether the reasons are technical or economical.

Am I a defeatist? Or a pragmatic? What do you think?

I think you have it exactly right. Any identifiers are by definition just as public as your name. They need to be secured with things only you know (essentially a password, cryptographic key, etc), and that won't be stored on the provider side.

Unfortunately, this will require rethinking pretty much every security system in the US, as it has defaulted to "SSN is your password" for nearly everything. Which means that it won't happen for a very, very long time. If at all.
 
Upvote
55 (55 / 0)
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?

Both can be required for a credit check if the customer is signing up for post-paid service.

..right, however that information should either be discarded or salted/hashed (and the original discarded) after activation.

It seems like the right approach here is outlawing the long term storage of PIID, but that will never happen.
 
Upvote
20 (21 / -1)

Legatum_of_Kain

Ars Praefectus
3,693
Subscriptor++
Tmobile doesn't need this data. Here's a story about how we all learned to stop collecting too much data and just keep it to the bare essentials..........right

I mean, you are right, there are other providers that get by with just name/phone/address, but they must have some sort of undisclosed product using them that they're monetizing that just came home to bite them in the arse.
 
Upvote
-4 (1 / -5)

ERIFNOMI

Ars Tribunus Angusticlavius
15,484
Subscriptor++
I start to believe that the whole system of identification, personal information etc. needs to be re-thought with the assumption that all your information is effectively public, and any secrets could be temporary at best.

I am not sure if it is possible to design such system, but it might be.

It is clear at this point that securing information is just not viable for most players; it does not matter whether the reasons are technical or economical.

Am I a defeatist? Or a pragmatic? What do you think?

I think you have it exactly right. Any identifiers are by definition just as public as your name. They need to be secured with things only you know (essentially a password, cryptographic key, etc), and that won't be stored on the provider side.

Unfortunately, this will require rethinking pretty much every security system in the US, as it has defaulted to "SSN is your password" for nearly everything. Which means that it won't happen for a very, very long time. If at all.
It's a pretty bad solution for most people, but man I'd love to have an official keypair for my ID. Let me give my public key to some official, government keyserver, keys could have a lifetime so I wouldn't have to worry about outdated keys that leaked somewhere, and I could revoke keys when there's a leak. That's a hell of a lot more appealing than a literal serial number that was never meant to be used as an ID.
 
Upvote
43 (44 / -1)
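
The registered-key idea in the comment above (a public key on an official keyserver, key lifetimes, revocation after a leak), sketched as an added example that is not part of the original thread. The `Registry` and `KeyRecord` types and the holder ID are hypothetical, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is one registered public key (hypothetical registry entry).
type KeyRecord struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time // end of the key's lifetime
	Revoked  bool      // set by the holder after a leak
}

// Registry stands in for the official keyserver: holder ID -> keys.
type Registry map[string][]*KeyRecord

var ErrNoValidKey = errors.New("no unexpired, unrevoked key verifies this signature")

// Verify accepts sig over challenge only if a key registered to id is
// unexpired and unrevoked at time now and the signature checks out.
func (r Registry) Verify(id string, challenge, sig []byte, now time.Time) error {
	for _, k := range r[id] {
		if k.Revoked || !now.Before(k.NotAfter) {
			continue
		}
		if ed25519.Verify(k.Pub, challenge, sig) {
			return nil
		}
	}
	return ErrNoValidKey
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rec := &KeyRecord{Pub: pub, NotAfter: now.AddDate(1, 0, 0)}
	reg := Registry{"holder-1": {rec}} // constructed sample holder
	challenge := make([]byte, 32)      // fresh nonce from the verifier
	rand.Read(challenge)
	sig := ed25519.Sign(priv, challenge)
	fmt.Println("valid key:", reg.Verify("holder-1", challenge, sig, now))
	rec.Revoked = true // holder reports a leak
	fmt.Println("after revocation:", reg.Verify("holder-1", challenge, sig, now))
}
```

Because the verifier only ever stores public keys and signs nothing itself, a breach of its database exposes nothing that lets someone else pass the check.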

davey_w

Smack-Fu Master, in training
25
Subscriptor
I'm a former longtime Sprint customer who's now with T-Mobile phone and Internet. The only thing they know about me is my auto-pay credit card number. From previous data breaches at Anthem Insurance and Equifax I have more than one "free" monitoring service, plus from AAA too, so I'm all set. Ha!
 
Upvote
-8 (4 / -12)

jdvorak

Ars Scholae Palatinae
1,270
The fact that the entire credit industry operates on plain text which is essentially in the public domain (SSN, address, DOB, DL number) either through data leaks or even more nefarious, shady data aggregators is absurd.

Govt needs to regulate this to the 21st century. Smart IDs with encryption chips (like they have in other countries) would be a good start.

I also love the screenshot of the Twitter thread linked in the article stating how TMobile monitors their computing environment and prosecutes computer fraud and crime to the fullest extent of the law. Good thing it scared away that hacker!

Edit: ha, ninja’d one post above!

It's not just a credit industry problem. Even the US Office of Personnel Management was hacked by the Chinese, exposing not just the personal details of millions of federal employees and contractors, but also those of innocent bystanders like family members who were subjected to background checks.
 
Upvote
18 (18 / 0)

beebee

Ars Tribunus Angusticlavius
8,842
Who shares their driver license and social security numbers with their cell phone carrier, or with anyone else for that matter? I can understand one or another for some purposes, but in these days, who asks, and who gives over, both?

Both can be required for a credit check if the customer is signing up for post-paid service.

Buy unlocked phones from the manufacturer and use a MVNO. No credit required.

Most people these days have owned a few phones and don't need hand holding from a carrier store. There is no shortage of information about phones on the interwebs. Why do these stores even exist?

What I don't like about the carriers selling phones is the constant churn of promotions to lock in customers via EIP. Those "deals" from the carriers result in higher costs for the service. There is no free lunch.
 
Upvote
3 (7 / -4)

ramblevine

Smack-Fu Master, in training
76
Govt needs to regulate this to the 21st century. Smart IDs with encryption chips (like they have in other countries) would be a good start.
One point of consideration is that any sane national level identification system in the United States is and, so long as evangelical Christians remain a powerful voting bloc, will continue to be effectively impossible to implement.

The "mark of the beast" from evangelical dogma is explicitly tied to the ability to buy and sell; the sociopaths who manipulate the authoritarian follower evangelicals for fun and profit have attached the mark of the beast to astonishingly ludicrous things, vaccinations being a particularly salient example.

An effort to actually uniquely identify all individual Americans would be an irresistible fundraising opportunity for the garbage people who lead evangelical Christians.
 
Upvote
21 (31 / -10)
Data security is a joke in 2021. Why the hell are customers' details stored online? Convenience or laziness?
There is no reason whatsoever for these companies to store data like social security numbers and driving license numbers. Once a customer's application has been accepted delete it FFS. There is no reason whatsoever for the companies to hold on to this information.
 
Upvote
14 (17 / -3)
[climbs onto smug horse]

And this is why, when they told me they REQUIRED my SSN (which only my bank, the IRS, and my employer can LEGALLY require) in order to set up international service on my phone number -- I told them to get bent, and switched to Google Fi (I am not a Google lover, but DAMN their phone service (while it remains unkilled) is nice!)

The smartass sales jackass actually had the nerve to imply I was trying to hide my poor credit (it's stellar, for the record) when I told him no.

I think I will call them up and ask them how that whole demanding SSNs from their customers thing is going -- and also why they felt the need to FUCKING SAVE those things (unencrypted) after they ran their little credit checks.

Seems I was right.

[...STAYING on my smug horse for a while, not gonna dismount just yet :p ]

--
Edit: spelling
 
Upvote
15 (23 / -8)

Swizzystudios

Smack-Fu Master, in training
19
Maybe it's time we stop using numbers meant for social security as a way to verify identity and check credit worthiness.
The number used to apply for credit should be private and the number used for identity verification should be public. Similar to PKI or something. Neither should be the same number used for SS.
 
Upvote
19 (20 / -1)