T-mobile broke the law and they broke their terms of service contract, which binds them to protect the privacy of their customers' digital information. T-mobile's policies (some of which violate the law) resulted in their failure to secure my account. Afterward, their failure to properly investigate this incident and respond with additional customer protections resulted in other people's accounts being compromised. Even months prior to my hacking incident, Jered Kenna was hacked. Had a proper investigation been conducted with regard to his incident, it is reasonable to assume that T-mobile's policies would have been changed, which could have prevented my hacking.
Together these actions constitute gross negligence which has resulted in hundreds of hacked T-mobile accounts. In most cases these incidents led to the theft of personal property. It took more than a year before T-mobile began to seriously address the issue. Many of us felt this was a ridiculous amount of time to leave a gaping security hole open. If they had merely done a proper investigation after each hack they could have changed their policies to protect consumers shortly after the first few attacks.
Thanks to the following who have covered this issue
Laura Shin (see also here, here), Kevin Roose, Nathaniel Popper, Pete Rizzo, Olusegun Ogundeji, wicketr, H3Hproductions, Adam B. Levine, and many others who have done an excellent job bringing attention to these issues and educating the public. Without their reporting I would not have been able to put together a clear picture as to the events affecting me and many other victims.
“All your accounts are belong to us”
Nearly a year and a half ago, on Friday 11/18/2016, I was hacked. Someone called into T-mobile and pretended to be me. After using only the last four digits of my Social Security Number to authenticate as me, a T-mobile representative graciously reassigned my phone number from the SIM in my phone to the attacker's SIM in the attacker's phone. Later I would learn how easy it is to use social engineering to gain access to anyone's cell phone account. This was at 4 am; by 4:15 am the hacker had used account recovery methods on my Yahoo mail and Gmail to gain access to (and lock me out of) my email accounts. By 6 am they had successfully bulk downloaded all of my emails, reset the passwords on other accounts (social media, cloud storage, cryptocurrency services), and downloaded other valuable data stored online.
When I woke up at 8 am I saw "phone not registered on network" and instantly I had a knot in the pit of my stomach. By the end of the day I had regained access to most of my accounts, but the damage had been done. 4,214 Ether was stolen. Later, by contacting other victims, I learned that the same entity had hacked numerous other people. Most of the people who were hacked never publicly admitted it, but I am aware of more than 30 people who were hit by the Bo Shen hacker.
I can’t convey to you how bad this feels even after you regain access to your stuff and take stock of what happened. A copy of your digital identity is still being held hostage somewhere and you can’t be certain that the steps you are taking to re-secure your accounts are sufficient since the hackers have access to so much information about you at that point. Later that same evening the hacker called attempting unsuccessfully to blackmail me. Our conversation went something like this:
HACKER: I can hack you at any time. I can open up credit cards or apply for loans in your name.
ME: I am going to the reporting agencies right now to lock unauthorized access to use my credit for those things.
HACKER: I have enough information to unlock those accounts.
ME: Not without access to my email.
HACKER: I can just hack you again and regain access.
ME: T-mobile stated that they placed my account on lockdown. No further changes would be authorized without someone showing a physical ID in the store.
HACKER: With the information I have it’s easy for me to create a false ID with my picture and your name on it.
That's when you realize that the majority of mechanisms we have in place to verify and protect our identities only work when people don't know who we are. As soon as someone can connect our name to our SSN, DOB, mailing address, email, or phone number, then, given a few other pieces of information, it doesn't take much for them to find a weak link and exploit it. At best our digital identity is weakly protected using security through obscurity. With the advent of sites that advertise services attractive to criminals targeting potential victims, it's clear that no one should use a SSN or DOB to verify someone's identity. Unfortunately T-mobile has failed to heed warnings from the FTC that the use of SSNs to verify a person's identity is a bad idea.
But thankfully the person who hacked me only wanted cryptocurrency. It would be too much effort for him to commit credit card fraud, and there were other victims that were easier to fleece. To gain access to my online identity, the easiest thread for the hacker to unravel was to gain access to my phone number. Google, Yahoo, Dropbox and others had all told us that registering a recovery phone would provide us with additional security, when in reality the opposite was true. Registering a recovery phone made us more vulnerable.
Why 2 factor using Google Authenticator couldn’t protect us
The use of a phone number (via text message) to secure an online account is a form of 2 factor authentication. This method should in theory provide greater security because it should require an attacker to have physical access to your phone. In reality, however, it merely outsources the responsibility of securing your account to another party, the cell phone carriers. As this article makes clear, this is a very bad idea. Unfortunately for me this article had only been published 3 days prior to my hack and I hadn't had a chance to read it yet. Using this simple 39 step method, however, could have certainly protected me from this threat. Simply turning two factor off would have also worked.
There is a form of 2 factor authentication that doesn't use text messages to authenticate you; it's called Google Authenticator. The app is able to generate codes that provide access to online services without ever sending a text message to your phone. The video on Google Play which explains how the app works implies that the app still uses text messaging to authenticate users. It highlights a practice Google and many other online services had in place previously. Users were not allowed to secure their account with Google Authenticator unless they also provided Google, Yahoo, and others with a phone number. This number could then be used to perform account recovery. This allows people to regain entry to (or hack into) an account without requiring a user's password or the use of the Google Authenticator app. This was the critical vulnerability the hackers exploited. Google Authenticator could in theory remove the risk associated with trusting the phone companies, but how it was actually implemented by Google and others negated its effectiveness. This is why many of us believed we were safer when in reality we were made more vulnerable by this technology.
What was really protecting our identities?
Companies such as Google, Yahoo, Twitter and others have policies in place which nominate a cell phone provider as the de facto gatekeeper of our online identities. Many of them told us on numerous occasions that 2 factor authentication would protect our account and keep us safe from bad guys. This meant that the digital identities of everyone who is using 2 factor authentication are resting only upon the bedrock of our cell phone provider’s identity verification policies. If this bedrock is compromised then our digital identities are revealed to be an unstable house of cards. A single mistake made by a T-mobile or Verizon employee could allow any email accounts using 2 factor authentication to be compromised. By extension this meant that any cloud storage or social media accounts which permit passwords to be reset using emails would also be compromised.
According to T-mobile's response to my FCC complaint, this meant that anyone who knew the last four digits of my SSN was entitled to my entire digital identity. Others have reported similar experiences. If I had known this I certainly would never have agreed to using two factor authentication. So indirectly the FCC, being the main governing body which regulates cell phone providers, became nominated (by Google, Yahoo, Twitter, and others) to be the authority protecting consumers from digital identity theft. Since Dropbox chooses to allow password resets using an email account, they are indirectly nominating cell phone providers, because the de facto protection of access to email accounts is provided by cell phone providers.
And just what policies are in place by the FCC that would protect consumers? There are numerous documents but some of the important ones are linked here:
What specifically went wrong
The first document makes it clear what is required to authenticate a user over the phone:
“Your telephone company may only release your customer information to you upon request, with certain protections: Password for phone or online requests”
Unfortunately that’s not what T-mobile said here:
“If the customer does not remember the password, then Customer Care will request that the caller verify the last 4-digits of the Social Security number or tax ID number listed on the account”
But wait is T-mobile even permitted to use our SSN for identity purposes?
“If you use a password when contacting your service provider to obtain your customer information, avoid using any sensitive or readily apparent information, such as your social security number.”
Hmm, wow, not looking good for T-mobile, and we haven't even progressed to the other documents on our list yet. I can't get into details in this post, but T-mobile violated no fewer than 6 FCC regulations which are supposed to protect consumer privacy and allow consumers access to their CPNI upon request.
So what do I hope to gain from all this?
T-mobile not only violated the law they also violated their own policies and procedures thus breaching their ToS and nullifying our contract. Their breach of contract means that I feel I am not bound by any arbitration clause and I have the full right to use the court system to get my funds returned to me. Although I feel this way the legal system may not agree with my POV. In any case they did break the law and their ToS such that my privacy was violated and my personal property was stolen.
T-mobile was negligent, and in their failure to follow the law or enforce their own policies they took actions which directly led to a financial loss in excess of 1.2 million USD in present value.
It's all your fault, you have no one to blame but yourself
It’s a free country I can’t change anyone’s mind about these issues. I don’t feel that in my case I made a mistake since my files were stored in an encrypted state and Dropbox support restored them in a decrypted state as I explain below. I should have immediately re-encrypted those files but I had a false sense of security which meant I didn’t immediately fix the problem caused by Dropbox’s restoration procedure. Many times our understanding of security is incomplete. We can think we are safe when in reality we are not. I was vulnerable to this attack for less than one month.
The night before I left for Devcon 2 in Shanghai, someone spooked me into thinking that when I'd pass through customs the Chinese government would try to access my files. In response I copied my hard drive, uninstalled Dropbox and deleted the sensitive folder which held 7zip encrypted copies of my private keys. I must have done something wrong, because when I deleted that folder it deleted the folder off of Dropbox's servers. When I returned from my trip, all copies of the folder were gone as soon as the original copy of my hard drive synchronized with their servers.
Only by contacting Dropbox support did I get my files back, but not in the state I had left the folder in previously. I got back ALL of my files, i.e., every file deleted from that folder over several months. This was not the state that the folder and its associated files had been in prior to its deletion. When I needed to access certain files I would unzip encrypted, password protected files to that folder and then, after using them, I would delete the files from that folder. This means that files which were normally encrypted with a secure password were exposed until the folder could be cleaned up.
Many of us were hacked. Many of us lost cryptocurrency. Rather than point fingers at victims we should use our time positively to help educate others so that they don’t get hacked. This has happened recently to even the smartest of people and even a member of the Ethereum foundation so I don’t think that promoting hate is really productive in this situation.
What I really hope happens
The most important thing is that cell phone carriers everywhere come clean and create a transparent policy in cooperation with their customers that customers feel provides a strong standard for securing their identity. Not doing anything will result in more harm to consumers. Only by taking action can I protect others from future harm. I am willing to go on record right now stating that I am willing to drop this lawsuit if the following things happen:
First — all past sim swaps for the last two years and all future sim swaps going forward must be published transparently for anyone to audit. This can be done in a way which violates no customer privacy and still highlights when potential attacks have occurred. I think the following format would readily reveal if an attack occurred without leaking any private information:
Date / Time of sim swap
Phone number swapped XXX-XX#-####
New sim number assigned XXXXXXXXXXXX#######
Old sim number previously assigned XXXXXXXXXXXX#######
Where the # signs highlight revealed information and the X signs highlight masked information. When the same masked phone number (matching on the 5 revealed digits) is transferred twice within a 72 hour period, then it is likely due to a sim swap attack. You can't begin to address a problem until you understand its scope. You can't know if you've solved a problem until you are able to measure the effectiveness of your solution. Without a transparent and publicly verifiable way of seeing some real time details about swaps when they are performed, we cannot audit phone companies to see if they are protecting the privacy of consumers.
Cell phone customers should be allowed to not merely read this database but publicly annotate it. By allowing them to add information to it on a voluntary basis, they can notify the entire cellphone community when an illegal sim swap has occurred. The last round of cryptocurrency thefts was performed by someone who hacked hundreds of people over the span of months. This will provide an early warning system which will alert consumers and prevent identity thieves from going on long term attack sprees. These attacks are still occurring today, and we as a community should have a forum where we can help inform and protect one another.
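To show how the proposed audit feed would work in practice, here is an added example (not from the original post or from T-mobile) that masks raw swap data into the format above and then applies the 72 hour repeat rule over the published records. The sample swap records, phone numbers and SIM numbers are constructed; the SIM numbers are assumed to be 19 digits to match the mask shown above.

```python
# Added example (not from the original post): mask raw sim swap data into the
# proposed audit format and flag repeat swaps. All sample values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # the post's threshold for a suspicious repeat swap


def mask_phone(number: str) -> str:
    """Mask a 10-digit phone number as XXX-XX#-####: only the last 5 digits are revealed."""
    d = "".join(ch for ch in number if ch.isdigit())
    assert len(d) == 10, "expected a 10-digit phone number"
    return f"XXX-XX{d[5]}-{d[6:]}"


def mask_sim(iccid: str) -> str:
    """Mask a 19-digit SIM number as XXXXXXXXXXXX#######: only the last 7 digits are revealed."""
    d = "".join(ch for ch in iccid if ch.isdigit())
    assert len(d) == 19, "expected a 19-digit SIM number (assumption for this example)"
    return "X" * 12 + d[12:]


def publish_record(ts, phone, new_sim, old_sim):
    """Build one public audit record from the raw values only the carrier holds."""
    return {"time": ts, "phone": mask_phone(phone),
            "new_sim": mask_sim(new_sim), "old_sim": mask_sim(old_sim)}


def flag_repeat_swaps(records, window=WINDOW):
    """Return masked phone numbers swapped twice within `window`.
    Runs on the published (masked) records only, so any outside auditor can do it."""
    by_phone = defaultdict(list)
    for r in records:
        by_phone[r["phone"]].append(r["time"])
    flagged = set()
    for phone, times in by_phone.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                flagged.add(phone)
    return sorted(flagged)


# Constructed sample of raw swap data; only the masked form would ever be published.
RAW_SWAPS = [
    (datetime(2016, 11, 18, 4, 0), "4155550142", "8901260000000000001", "8901260000000000002"),   # suspicious swap
    (datetime(2016, 11, 18, 14, 0), "4155550142", "8901260000000000003", "8901260000000000001"),  # swapped back the same day
    (datetime(2016, 11, 19, 9, 30), "4155550177", "8901260000000000004", "8901260000000000005"),  # routine single swap
]
PUBLISHED = [publish_record(*row) for row in RAW_SWAPS]

if __name__ == "__main__":
    for r in PUBLISHED:
        print(r)
    print("suspected sim swap attacks:", flag_repeat_swaps(PUBLISHED))
```

A customer who legitimately replaces a SIM twice in three days is flagged too, which is why the rule identifies a likely attack rather than a certain one; the annotation step the post proposes next is where such cases get explained.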
Second — stop using a customer’s SSN or other publicly available information to identify us over the phone. Stop relying on caller ID which is easily spoofed to identify customers. T-mobile already uses text messages and pin codes to thwart caller ID spoofing and establish that a customer is calling from a phone number on the account. They also use strong verifications when providing customer support over Twitter which prevents identity theft. Why not use that method on every call to verify that the caller is physically calling from a device on the account?
Third — create a governing council which is made up of security experts and existing customers. Allow your existing customers to elect people to this council. Grant this council investigative authority to research any suspected sim swap attack. Give the members of this council the same level of access to customer information that CSR managers have. Have them review identity verification failures thoroughly to see what went wrong. Have them go through identity verification procedures line by line and give them the unilateral authority to change identity verification policies or procedures which provide attack vectors for identity thieves.
Fourth — notify all US T-mobile users by email that it is their right to limit sim swaps on their account to an in store visit where showing ID is required to make changes on the account. Then give them an easy way to update their account to reflect this change. Recode the software that CSRs use to perform sim swaps to disallow a single CSR from performing a swap without a manager's approval, and train all managers on proper protocol which restricts sim swaps.
If all four of these demands are met then I will consider a lawsuit against T-mobile unnecessary because they have taken sufficient steps to protect consumer privacy going forward. Otherwise the legal system becomes the only mechanism with which to extract damages when cell phone companies fail to provide privacy protections to the fullest extent required by law.
It's been a year and a half; why have I not moved forward yet?
My lawsuit is extremely complex. I have worked with other law firms and was unable to convince them to file a complaint I felt was suitable. The Tapang vs T-mobile lawsuit is helpful and provides a point of reference for my suit. In addition, my lawsuit also involves complex issues surrounding a legal term known as privity. To make matters worse, I HATE forced arbitration and would rather take a bullet to the head than waste even one minute with a forced arbitration proceeding. This led to many heated discussions where I was yelling at my legal team due to no fault of their own. Most lawyers don't want to overturn the entire system of legal precedent as it pertains to forced arbitration, and trying to convince a legal team otherwise is ill advised.
If you want to know how I feel about forced arbitration just look at this link it will make it abundantly clear how I feel. BTW if anyone wants to start a non-profit with the name “My 7th amendment freedoms will not be denied. Eff you mobile carriers and eff you justice Roberts. You all can burn in hell,” then I wish you luck.
If T-mobile was the primary party at fault then why did you also mention Dropbox?
This blog post is already long enough but in this blog post I explain why Dropbox also violated their own ToS and failed to protect consumer data to the standard set forth on their website here: https://www.dropbox.com/terms#privacy
My follow up blog post is already finished. If you’ve gotten this far you should read it as it provides context for the value of the property which was stolen. It also explains why stealing cryptocurrency is equivalent to theft of digital property from a legal perspective. I really hope you enjoy it as I took quite a bit of time to research the topic to be able to discuss it in an informative manner.
#SIM port hack #SIMPortHack