> Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.
If they are doing all this through phishing and aren't being as successful with other networks there's some serious issue that's being overlooked. It's unclear from the article if this is due to training, lax security on internal tools, lack of two factor (as claimed in the article) or something else (even insiders).
That's too bad, I've been on T-Mobile for years. Whenever I can I'll use YubiKeys or OTP. But there's still a large number of sites and services that rely on SMS.
> But there's still a large number of sites and services that rely on SMS.
I avoid using my actual phone number whenever possible and use a Google Voice number. Hacking Google Voice would require hacking my actual Google account instead of just tricking someone at the phone company.
Bingo. Personal phone number for only friends and family. Google Voice number from a nearby area code for literally everything else. It's a little more secure than my carrier.
And as an added bonus, I can automatically send all incoming Google Voice calls to voicemail and not have to worry about missing a family emergency. If I get a phone call on my actual cell number, it's almost guaranteed to be someone I know closely.
Why do you think that? Presumably Google Voice uses a phone company downstream, which means if that company is hacked they can reassign your number to someone else and thus you have the classic SIM jacking attack.
They pay off / trick a T-Mobile employee into re-assigning your Google Voice number to them. It's happened before with Google Fi, but I haven't seen any public information about this happening with Google Voice (yet).
I don't work at Google and don't know if this is possible with Google Voice. However, Google Fi is their paid service, so I would assume that's the one they'd want to protect the most.
> If they are doing all this through phishing and aren't being as successful with other networks there's some serious issue that's being overlooked.
A few years ago I had to regain control of an account that I had lost the credentials for. No problem, Tmo support just needed me to provide one of the last 5 phone numbers dialed. So yes, there are some serious issues overlooked.