T-Mobile Breach~Mobile/Cell Phone Banking Security

I use my cell phone for phone calls when the landline is down and to exchange texts and photos with immediate family.  I do everything else on my laptop that I have always felt was far more secure than a cell phone and as of this week it looks like my instincts were correct.


I am pasting an email I sent to my family members below warning of the definite and possible consequences of the T-Mobile Breach that has not been fully investigated yet. The pasted message has links to the articles and the main excerpts from the article with the most damaging information. And I did get a text from T-Mobile today saying the four family members on my account are involved in the breach. So far it is socials and driver's licenses. Time will tell if my USAA checking account or credit card was negatively impacted.


Of particular concern is how IMEI and IMSI numbers can be used to clone and infiltrate a phone. I have pasted the details below. I have never nor will I ever do banking over a phone or any other business, file storing, or shopping, etc. for that matter. From what I have learned you have to click on a link in a computer to invite the hackers and scammers in; in a phone they go in uninvited and you don't even know they are there.


So Corporate America can push their cell apps like drug dealers all they want but I have no interest in this inferior high tech mayhem.



Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.


Definition for IMEI#

An IMEI stands for International Mobile Equipment Identity. Think of it as your phone's fingerprint — it's a 15-digit number unique to each device. Phone carriers and manufacturers share IMEI numbers to enable tracking of smartphones that may be stolen or compromised.

https://threatpost.com/t-mobile-40-million-customers-data-stolen/[removed sensitive data]/

Its investigation is ongoing, but so far, it doesn’t look like financial data, credit card information, debit or other payment information was in the stolen files, T-Mobile said. The wireless carrier said that it located and “immediately” closed the access point in its servers that it believes granted access to the attacker(s).

Forrester Analyst Allie Mellen told Threatpost on Wednesday that this attack wasn’t exactly rocket science.  “According to the attackers, this was a configuration issue on an access point T-Mobile used for testing,” she said via email. “The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack; this was not a zero day. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”

Over the weekend, the threat actor who was offering to sell the records on an underground forum told BleepingComputer and Motherboard that they’d also stolen physical addresses, unique IMEI numbers and IMSI numbers. The attacker told BleepingComputer that T-Mobile’s “entire IMEI history database going back to 2004 was stolen.” IMEI (International Mobile Equipment Identity) is a unique 15-digit code that precisely identifies a mobile device with the SIM card input, and an IMSI (International mobile subscriber identity) is a unique number that identifies every user of a cellular network.


Hackers use messages normally exchanged between mobile operators, which make SS7 attacks very difficult to detect. By sending seemingly normal requests they can obtain the International Mobile Subscriber Identity (IMSI), a unique number associated to every SIM card. Using the IMSI, the hackers can target their attack on a single mobile phone, sending only a couple of SS7 messages per targeted IMSI. The few “untypical” messages sent by hackers are quite difficult to spot among the billions of SS7 messages handled by a mobile operator every day. They are like drops of red ink in a blue sea. They are there but almost undetectable.


What can hackers do?
Once an IMSI number is retrieved, hackers can target individuals simply through their phones. They can start collecting sensitive information, like the mobile phone location or the numbers called from that specific device. Even more, all calls made to or received from the device can be recorded. All this information and recordings can be obtained without the mobile subscriber noticing anything.


The potential problem is even bigger. The hacker could gain full control of your calls. Apart from call recording, they could change your identity (caller ID) when making calls and redirect your call to another number. For instance, when Angela Merkel tries to call Barack Obama, hackers could redirect the call to Putin and change the caller ID so it appears Obama is calling. You can imagine everyone’s surprise when Putin answers. Of course, this is not a real life scenario, Angela Merkel does not use standard GSM when making top secret calls.

But real-life scenarios could potentially be equally insidious. A hacker could redirect a call you make to your bank and, pretending he is a bank representative, ask for your personal information, including your secret password. Then, he could call your bank pretending to be you and get access to your account by providing all the bank authentication details you gave him earlier.


By redirecting the calls you make, hackers could provide you with false information that you would easily trust. For instance, your call could be redirected when calling the local tax authority to check if you need to pay a tax, as an e-mail you received stated. This could take Nigerian Letters (or 419 scams) to the next level.

In addition, hackers can also use the same flaws in SS7 protocols to deny the GSM service for its target. They could block all your calls, SMS, and mobile data. And this can be done in combination with the location information, making your mobile phone unusable when you are in a certain location.

The examples listed above are only some of the things that hackers could do once they have access to the network. Having full control over your calls and having access to your location, the options are limited only by the hacker’s imagination.


Stealing smartphones has become big business in recent years with one study from Consumer Reports suggesting that in 2013 about 3.1 million Americans found themselves on the losing end of this trend. This was close to double what the organization previously estimated had been stolen the year prior. But the advancement of technology is such that it’s possible for your phone to be stolen from you even if it remains in your possession, like a credit card. And a common way that this scenario can play itself out is if your IMEI number has been hacked.

Hacked IMEI Number?

Unfortunately, it is possible for someone to hack your IMEI. There are various problems you'll face if this scenario plays out. For instance, if someone has the IMEI for your smartphone or cell phone, he or she can clone your mobile device. The problem? Should your phone and the cloned phone both be on at the same time -- while both attempt to access the same network -- your wireless service provider could automatically disable both your device and the cloned device. As well, apps such as WhatsApp use your IMEI as an identifier, so someone could potentially gain easy access to your WhatsApp account if he or she has your IMEI number.

“It’s said that ‘power corrupts’, but actually it’s more true that power attracts the corruptible.

The sane are usually attracted by other things than power. When they do act, they think of it as service, which has limits.
The tyrant, though, seeks mastery, for which he is insatiable, implacable.” ~ David Brin, 'The Postman'
"Be charitable before wealth makes thee covetous." ~ Sir Thomas Browne




I've been telling them this since they announced the end of Deposit@Home, but they don't care.  They just get abusive and hang up on you.



@Inquiring_Inquisitor, I'm sorry to hear of the experience you've had with your phone calls. We never want any of our members to feel like they've had poor service, or have been hung up on. I've elevated your feedback to the appropriate team. Thank you for bringing this to us. ~Holland