
In Australia it's mandated you're sent a message before rerouting or migrating to another provider. Surprised this isn't enforced in the other countries, it costs next to nothing to implement and is just an additional step in the account migration process.

I'd love to see companies allow for opt-in additional security measures, like banks or telcos calling me - having a verbal password to confirm things, that level of security seems to only be available to VIPs.



Someone is going to have to take one for the team and SIM swap a senator if we ever want that requirement in the states.


Except they'll just punish the "hacker", make a big fuss about it, then the telcos will donate money to the senator till they drop it.


> will donate money

Sakari (and the likes) will complain that government regulation is keeping the food off the hard workers' table, and the gov has no right to intervene in the free market!!

In parallel they will 'lobby' (or as we call it in Europe "bribe") the key politicians and ask to either a) change that bill down to the point that it is rendered useless, or b) cancel it altogether, and stock market will go up!!


Followed by a six month government contractor bidding process, two years of development hell, and a half-baked solution that either doesn't work or requires fifty extra convoluted steps.


And a monthly "Regulatory Recovery Fee" to make the customers pay for it in perpetuity.


Nah, it's cheaper and easier for them to mandate that the companies take care of it.


They do but then the companies pay it forward to their customers. There’s a whole list of itemized fees on a cellular bill. Those aren’t collected “for” the government. The company is just itemizing it for you, probably so that they can neglect to advertise it in their contract sticker price.


I tried to get T-Mobile to stop giving my location to anyone that hits their APIs with a 'Yes I have permission' flag set.

There's no opt-out for it, and no enforcement of the permission requirement. Their support had me snail mail a letter to some PO box. I never got a response.

And now they're going to start outright selling their customer activity after forcibly un-opt-outing* everyone who opted out in their privacy settings previously.

*un-opt-outing -- ??? I don't know what to call this. It's not 'opting-in' since nobody has a choice.. 'resetting user selection without notification or consent' seems too mild and wordy.


T-Mobile has such shitty IT, infrastructure, and security practices.

My last experience with them caused me to switch away from them permanently. I switched away from them after getting SIM jacked, with real money stolen from me. Happened exactly like in this article[0].

Another incident happened where my online account was merged with someone else's in California (I'm in Texas). Our billing information was merged, with the others paying for the whole account. I couldn't make changes online; only after sitting on hold and explaining what happened was I able to get the whole situation unfucked, but there's no telling what amount of my data still lives in that other account.

Come to think of it, my first experience with T-Mobile was as a Radio Shack employee, circa 2010. When a customer came to the store to pay their T-Mobile bill with cash, if I took too long to enter all the data into their awful online portal the money would sometimes go to a completely different person's account. Many hours were spent on the phone with the local and regional rep resolving multiple instances of this happening.

[0]: https://www.vice.com/en/article/3kx4ej/sim-jacking-mobile-ph...


Tmo is pretty shitty, but I'm grandfathered in to 5 lines for $93, so I pretty much can't leave them. Not that much better in the jail cell next door or across from me anyways.


I haven't heard anything about a T-Mobile API leaking that data and my searches don't return anything of value, can you provide more details?


It's not just T-Mobile, it was most US carriers.

Some examples:

- Vice paid a bounty hunter $300 to track a phone number [1]

- Police have paid these services to avoid warrant requirements, and corrections facilities use aggregator services to track numbers that inmates have calls with [2][3]

Apparently carriers claim to have stopped after getting fined $200m last year [4].

It was typically done through aggregators, e.g., services that have similar access to multiple carriers and in turn expose a single endpoint to their own customers.

The aggregators pass on responsibility for obtaining consent to their end customers. Again, with no enforcement or ability for a target to opt out.

The only protection is an authentication requirement. But that just confirms you have a valid credential. Which you get either as an aggregator (to tmobile/other carrier directly), or as the client to an aggregator (to the aggregator's API to query multiple carriers).

Though even that authentication requirement has failed in the past, like when LocationSmart had a public demo page exploited. Inspection of the requests the page sent made it trivial to replay them with any phone number, skipping any consent checking. They just had to add "privacyConsent":"True" to the payload [5].

But yeah, it sounds like that is less of a worry now.

Instead, T-Mobile is selling the location data, and basically whatever usage data they collect from your phone with their root-privileged app to advertising networks. They say it's a

Although their privacy page has this statement [6]:

> We do not use or share Customer Proprietary Network Information (“CPNI”) or precise location data for advertising unless you give us your express permission.

The 'express permission' here is deceptive. Users default to permit this, so it's hardly 'express'.

Further, they recently mass reset user preferences to clear the opt-out setting for users who previously opted out. Without consent.

So basically everyone is 'consenting' unless they very recently opted-out. Though I have little faith they won't change this from underneath their users again in the future. No doubt in the fine print of one of those 'annual privacy notices' or some such.

Still, if the wording and definition of 'express consent' is questionable above, they word it more explicitly in the more detailed privacy policy [7]:

> We and others may also use information about your usage, device, location, and demographics to serve you personalized ads, measure performance of those ads, and conduct analytics and reporting.

Their privacy page is deceptive about how anonymized their collection is [6]:

> When we share this information with third parties, it is not tied to your name or information that directly identifies you. Instead, we tie it to your mobile advertising identifier or another unique identifier.

Tying it to a mobile advertising id, or any kind of unique identifier, is not de-identification. It is trivial to tie this to an email or a larger profile generated by an advertising network and combine with, say, your desktop web browser. Or any account you log in with that is associated to your email.

It's despicable. But sorry, I'll stop ranting now.

[1] https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunte...

[2] https://www.nytimes.com/2018/05/10/technology/cellphone-trac...

[3] https://www.zdnet.com/article/us-cell-carriers-selling-acces...

[4] https://www.nationalheraldindia.com/international/over-dolla...

[5] https://www.robertxiao.ca/hacking/locationsmart/

[6] https://www.t-mobile.com/privacy-center/our-practices/privac...

[7] https://www.t-mobile.com/privacy-center/education-and-resour...
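
An added example, not part of the comment above and not any carrier's or aggregator's code: a server-side consent check that ignores the client-supplied `privacyConsent` field mentioned in the LocationSmart incident. The class and function names, the one-time-code confirmation step and the sample phone numbers are assumptions made for illustration.

```python
import hmac
import secrets
import time

CONSENT_TTL = 3600  # seconds a recorded consent stays valid (assumed value)

class ConsentStore:
    """Hypothetical server-side record of consent the subscriber gave out of band."""
    def __init__(self):
        self._pending = {}  # (client_id, msisdn) -> one-time code sent to the handset
        self._granted = {}  # (client_id, msisdn) -> expiry timestamp

    def request(self, client_id, msisdn):
        code = secrets.token_hex(4)
        self._pending[(client_id, msisdn)] = code
        return code  # would go by SMS to the subscriber, never back to the API client

    def confirm(self, client_id, msisdn, code, now=None):
        now = time.time() if now is None else now
        # pop() makes each code single-use, so a wrong guess burns it.
        expected = self._pending.pop((client_id, msisdn), None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self._granted[(client_id, msisdn)] = now + CONSENT_TTL
        return True

    def has_consent(self, client_id, msisdn, now=None):
        now = time.time() if now is None else now
        return self._granted.get((client_id, msisdn), 0) > now

def locate_trusting(payload):
    """Flawed pattern: consent is whatever the request body claims."""
    return str(payload.get("privacyConsent")).lower() == "true"

def locate_checked(store, client_id, payload, now=None):
    """Hardened pattern: the privacyConsent field in the payload is never read."""
    return store.has_consent(client_id, payload["msisdn"], now)
```

Consent is keyed by both the requesting client and the phone number, so one client's confirmed consent does not carry over to another client querying the same subscriber.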


T-Mobile has such bad practices -- about 6 years ago they gave my phone number out as a temporary number to someone else. I don't know how their infrastructure is set up, but both me and this other guy had the same number for a time. Incoming calls would be routed to the phone that called out last. At one point I was able to talk to the other guy by using my wife's phone to call my own number. T-Mobile claimed that what was happening was impossible, so I filed a complaint with the FCC and switched my phone service. By the time T-Mobile responded to the complaint (by saying nothing was wrong), I had long since switched providers, so I didn't pursue the matter further. Huge annoyance though.


> un-opt-outing -- ??? I don't know what to call this

I'd call it "forcing consent", all irony intended.


Capitalism doesn't ensure good things for people, just maximized profit for the best marketers. You want good things? The government has to require it. Otherwise it'll only happen if it's under the umbrella of maximized profit.


Meh.. every time an article comes out someone says this. Definitely more complex than that. Look at Amazon as a counter example.. the reason they dominate is the combination of better product and maximizing efficiencies of scale. Additionally.. they rolled "profit" into growth, netting consumers on the whole better selection and service.

It is almost always better for the government to create "incentives" than to create "requirements" anyway. Instead of "requiring" a text before transfer, it would be better to hold both companies that facilitate a transfer without the customer's authorization to large liabilities. This allows them to create a mechanism to prevent this that is probably better.


Wow. How long does your number go unavailable if you port out?

I may.


When I ported over to Project Fi a few years ago, it took about 30 minutes. I think there's a "pre-transfer" step that gets everything ready to cutover before you confirm.


Back in the early days of mobile number portability the majority of telcos put in systems to make porting out harder, e.g. getting an unlock code. This gave them a chance to keep the customer when they called up.

Regulators (particularly in Europe) soon put a stop to that to promote competition. While this was good, the majority of regulators failed to put in a consumer protection mechanism to stop identity theft through account stealing.

The article describes a more insidious attack, as the mobile account is still active (hiding the existence of the attack from the user), but the message destination has been rerouted, making all the linked accounts that use SMS as their 2FA also vulnerable.


I think this particular issue is specific to North America, due to peculiarities of the NANP phone number scheme (inter-provider texts are routed quite differently from voice calls, if I understand it correctly).

In other countries, the two channels are more closely coupled (but SIM swap and/or number porting attacks are still possible, depending on the provider's security protocols).


> due to peculiarities of the NANP phone number scheme

I suspect more like due to peculiarities of the United States of America. Such as a disinclination to regulate anything, trusting that somehow this time the most profitable course for corporations will also work out OK for its citizens even if it didn't on previous occasions.

This report lists a long chain of buck-passing companies that have exploited an obvious defect and then escaped any responsibility for the consequences. Notice how the only work they made the hacker do was legal paperwork to cover their backsides, no actual technical countermeasures. Because nobody at these companies cared if it was used this way, they only wanted to make sure if they got sued they would be able to blame somebody else and get away with it.


Number portability is regulated: https://www.fcc.gov/general/wireless-local-number-portabilit....

The regulation seeks to promote competition and consumer choice. An onerous verification process would undermine that goal. Security is not a consideration.

This is sort of the point with regulation. The regulator makes the rules it thinks are best according to the considerations it thinks are important at the time. If someone later shows up with different considerations, they can go to hell.


Pretty sure a hacker would be perpetrating an actual, punishable-by-trial crime in forging those legal documents. That's generally the first regulation that the US imposes.

A disinclination to regulate anything is a good idea in a society that generally punishes bad behavior after the behavior has been perpetrated. I would have doubts for instance about government regulating the process for sending and receiving SMS - would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?


That doesn't work well when the criminals are working from a sunny foreign beach resort.


Exactly, the only thing that the US achieves is creating thieves that have a propensity to go big fast, so they can forever evade the law.


> would you want every new software or protocol to have to go through some kind of bureaucratic review before it can be used?

Absolutely yes if said protocol is to be used by an entire population as a basic means of communication. Either by the government or a non-profit not tied to the industry. Protocols should also not be allowed to be secret if used at scale.

I see no reason to make a distinction between computer protocols and in-person safety protocols. The threat level is different, but it covers just as many (if not more) people.


A key part of regulation is placing the onus of solving problems on those best equipped to solve them.

You don’t need the government to mandate what the protocols should be, you just fine carriers for allowing this sort of bad outcome and let them sort things out.


This requires trusting "those best equipped" to prioritize the rules over money when the fines aren't significant enough to affect the bottom line.


SIM swaps are relatively easy in Australia, requiring only some fairly simple social engineering of staff in a phone store.

Number porting is trickier, requires a name and account number (or DOB in the case of a prepaid account) of the victim and they receive an SMS informing them their number was ported in advance.


Yeah getting the account ID can be a pain, I've learned that the number in the UI and bill is not the identifier they want. Security by poor implementation.


I couldn't even get my own number ported in Australia (to a new provider on a new SIM). The old provider said the authentication failed. I gave up pretty quickly and just went with a new number.


I thought they require ID for buying SIMs in Australia, surely they also require ID for switching your number to a new SIM?


That requirement is there for new or ported-in services.

But when you SIM swap, it's tied to the same account. So if you can convince the minimum wage hourly wage contract employee at a franchisee that you're the account holder, no worries.

Worse, most of those stores are using generic accounts and/or passwords.

Telstra years ago had a policy along the lines that store accounts could be not tied to a specific employee, so long as the store manager/team leader rotated the passwords and kept records. In reality it's something stupidly guessable that rotates only when required and all the staff know them.

Optus effectively has the same thing - I had an issue getting a SIM established and sat with an employee for about an hour as they re-rolled the account about 10 times. By the end I knew the passwords for all the accounts in the store, plus other identifiers and numbers.


Same in India too. And the reply SMS contains a code that needs to be given to the destination provider, for the MNP process to proceed.


That is so sane, seriously sometimes it boggles the mind how banks to online stores will SMS you to confirm your identity yet SIM swap is easy as it


I've only seen this extra step implemented by some providers. It's definitely not the norm.


Nice one. My neighbour chaired the Australian inter-carrier roundtable implementing mobile phone number portability. I will send him a note! Other cool hacks of his: automatic video advertising scheduling system once saved Channel 9(?) from airing a gas oven ad during a Holocaust documentary. Scored a bonus for that one.


The ads are scheduled to be shown automatically? I thought advertisers choose the show and pay for it


How is that a hack?


In Canada with tell you can put a “lock” on your account so there are additional steps like going into a store with is to remove it before you can port a number or SIM swap (I think). Still don’t use my phone number on my Google accounts though


You can do the same in the US. However the bad guys just recruit low level retail employees to do the SIM swaps (which happens in Canada too).



