How attackers could exploit breached T-Mobile user data

T-Mobile has confirmed a data breach that impacted nearly 50 million people, including current, former and prospective subscribers. The exposed details differed across different types of customers, so the level of risk users are exposed to varies.

Victims of the T-Mobile or any other breach where personal data is stolen should be aware of follow-on attacks and take steps to mitigate them. These include SMS/text-based phishing, SIM swapping and unauthorized number porting.

The T-Mobile data breach

On Sunday, Motherboard reported that hackers were advertising for sale a data dump that they claimed contained the Social Security numbers (SSNs), phone numbers, names, physical addresses, International Mobile Equipment Identity (IMEI) numbers, and driver’s license information for 100 million T-Mobile subscribers. On Monday, T-Mobile confirmed that it investigated the claims and found evidence of unauthorized access to some of the company’s data, but did not specify what type of data was impacted. On Wednesday, the mobile operator revealed that the compromised data included full names, dates of birth, SSNs and driver’s license/ID information for 7.8 million current T-Mobile postpaid customers as well as over 40 million former or prospective customers who had applied for credit with T-Mobile. No phone numbers, account numbers, PINs, passwords, or financial information were exposed for these users. However, names, phone numbers, and account PINs were exposed for 850,000 active T-Mobile prepaid customers.

The account PIN is important security information that T-Mobile’s customer support representatives use to authenticate account holders during customer care calls. It is mandatory for all accounts and is between six and 15 digits long. If an attacker is in possession of a user’s personal information, phone number, and PIN, they can call customer support and potentially impersonate the account owner to make modifications on their accounts enabling various attacks.

SMS phishing and victim profiles

One common threat after any data breach is phishing, a form of social engineering where attackers use the stolen private information to construct believable messages impersonating companies or brands. In the past, attackers have used data leaked from a breach to impersonate the same company where the breach occurred, sometimes even using the breach itself to get users to perform actions that exposed additional information or led to malware infections.

In the case of mobile communications, such phishing attacks could be launched over SMS messages, impersonating the mobile operator. At first glance, in the case of the 48 million current, former, and prospective T-Mobile customers whose personal details were exposed, attackers can’t target them directly with SMS phishing because their phone numbers were not exposed. However, many leaked data sets on the internet from numerous other breaches include phone numbers, and attackers could potentially cross reference the data from the T-Mobile breach to previously leaked data to discover the phone numbers for at least a subset of the affected individuals, since people don’t change their phone numbers often.

This also works in reverse. For the 850,000 prepaid customers who had their names, phone numbers, and PINs exposed, attackers could use data from past breaches to complete profiles that were missing phone numbers, for example. The more breaches occur, the easier it is for attackers to build complete victim profiles and launch attacks that are increasingly hard to detect by both companies and users.

SIM swapping and mobile number porting

Another type of attack that is specific to phone users is SIM swapping. This is when an attacker manages to convince a mobile operator to associate a victim’s phone number with a SIM card under their control to receive all their phone calls and text messages. Switching a phone number to a different SIM card is a legitimate service that mobile operators use when a subscriber’s device is lost or stolen or when their existing SIM card stops working or needs to be upgraded or changed for technical reasons.

SIM swapping attacks have gained popularity with attackers in recent years because it allows them to bypass security systems that rely on one-time use codes sent over SMS or communicated via a phone call by automated systems. Phone-based verification is often the default option offered by online services for two-factor authentication, account identity verification and recovery, bank transaction authorizations and more. Moreover, even when users enable a mobile app authenticator to generate one-time codes for an online service, SMS or voice still remain enabled as a failover option and can be abused unless explicitly disabled.

SIM swapping is generally a targeted attack, where the attacker has built a profile of the victim and has identified a valuable asset worth compromising and the attack vectors required to do so. In 2019, the FBI’s San Francisco office issued an alert that criminals were using SIM swapping attacks to target users who held considerable cryptocurrency assets. They described the attack chain as follows:

• Identify the victim: Identify a victim likely to own a large amount of digital currency, particularly cryptocurrency. Identify the victim’s mobile telephone number and the mobile phone carrier.
• Swap the SIM card: Socially engineer a customer service representative from the mobile phone company to port the victim’s phone number to a SIM card and phone in the control of the attackers.
• Password resets: Initiate password resets on the victim’s email, cloud storage, and social media accounts (password resets are usually accomplished by text messages to the victim’s telephone number).
• Access accounts: Gain access to the victim’s accounts and identify digital currency keys, wallets, and accounts that may be stored in them. Defeat any SMS-based or mobile application-based two-factor authentication on any accounts with control of the victim’s phone number.
• Steal currency: Transfer the digital currency out of the victim’s account into accounts controlled by the attackers.

Last year, the US Congress sent a letter to the FTC urging the agency to force wireless carriers to take action to protect users against SIM swapping attacks.

A variation of this attack is mobile number porting where attackers impersonating the victim convince their carrier to port their number to a different SIM card on a different network. This is a legitimate service that allows mobile subscribers to retain the same phone number when they switch to a different service provider. In February, T-Mobile sent some of its customers a data breach notification letter informing them that their accounts were compromised and attackers ported their numbers to a different carrier without authorization.

T-Mobile account PINs are explicitly meant to prevent SIM swapping or number porting as they serve as an additional method to verify the account holder is the person making the request. Following this new breach, the company reset the PINs of the 850,000 prepaid customers who had their numbers and phone numbers exposed and encouraged the other 48 million current, former, and prospective postpaid customers to change their PINs, even though so far there’s no evidence their PINs were not compromised. That doesn’t exclude the possibility that attackers could use the data leaked in this breach to craft credible phishing attacks to ask victims for their new PINs or to direct users to spoofed pages that ask for their PIN.

Mitigating risks from breached data 

T-Mobile is offering all impacted customers a free two-year subscription for McAfee’s ID Theft Protection Service, which includes credit monitoring, full-service identity restoration, identity insurance, dark web monitoring, and more. Business and postpaid customers can also enable T-Mobile’s Account Takeover Protection service for free and all T-Mobile users can use the company’s Scam Shield app that enables caller ID and automatically blocks calls flagged as scams.

More generally, all mobile subscribers should check with their carriers what options they have to secure their accounts against SIM swapping or number porting and they should enable that additional verification. Using text messages or phone calls for two-factor authentication should be disabled where possible in favor of two-factor authentication via a mobile app or a dedicated hardware token, especially for high-value accounts. Email accounts are high-value accounts because they are used to confirm password reset requests for most other online accounts. Finally, be wary of email or text messages that ask for sensitive information such as passwords, PINs, access tokens, or that direct you to websites that ask for such information; especially if those messages follow a highly publicized data breach. If you receive a suspicious message from a service you have an account with, access the company’s website by typing it directly in the browser or call their customer support department to confirm the legitimacy of the message before acting on it.