T-Mobile Website Hacked Using Customers Phone Number

monkeymagick ([H]News)
Joined: Jun 22, 2008; Messages: 480
Motherboard reports that up until last Friday, there was a vulnerability in T-Mobile's website that allowed hackers to access accounts just by knowing a customer's phone number. Due to a flaw in the wsg.t-mobile.com API, anybody could query any other phone number and receive that customer's personal data in the response.

"T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat.

You would expect that security measures were in place to prevent information from being stolen through such flaws.

There was no mechanism to prevent someone from writing a script and automatically retrieving everyone's account details abusing this bug, according to Saini...
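The post describes two separate weaknesses: an API that hands back another customer's record for any phone number the caller supplies (the request parameter, not the caller's identity, decides whose data is returned), and nothing that slows down a script walking through every number. The following is an added illustration written for this page, not T-Mobile's code or the researcher's script; the account records, session tokens and the `lookup_*` functions are all constructed for the example.

```python
"""Constructed model of a "look up account by phone number" endpoint.

lookup_vulnerable() mirrors the flaw described in the post: the phone number in
the request is used directly as the database key, so any logged-in caller can
read any customer.  lookup_hardened() authorizes against the caller's own
account and throttles per session.  Nothing here is real carrier code.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Account:
    phone: str
    name: str
    email: str
    billing_account: str
    imsi: str
    linked_numbers: tuple  # other lines on the same billing account


# Constructed sample data standing in for a subscriber store.
ACCOUNTS = {
    "15550100": Account("15550100", "Alice Example", "alice@example.com",
                        "BA-0001", "310260000000001", ("15550101",)),
    "15550101": Account("15550101", "Bob Example", "bob@example.com",
                        "BA-0001", "310260000000002", ("15550100",)),
    "15550200": Account("15550200", "Carol Example", "carol@example.com",
                        "BA-0002", "310260000000003", ()),
}

# Session token -> phone number that session authenticated as (constructed).
SESSIONS = {"sess-alice": "15550100", "sess-carol": "15550200"}


def lookup_vulnerable(session, phone):
    """Insecure: authenticates the caller but never checks that the requested
    number belongs to them, so the phone parameter is an unguarded object ID."""
    if session not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS.get(phone)


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per key.
    `clock` is injectable so behaviour can be tested without sleeping."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._buckets = {}

    def allow(self, key):
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:        # window expired, start a new one
            start, count = now, 0
        if count >= self.limit:
            self._buckets[key] = (start, count)
            return False
        self._buckets[key] = (start, count + 1)
        return True


LIMITER = RateLimiter(limit=5, window=60)


def lookup_hardened(session, phone, limiter=LIMITER):
    """Authorization is derived from the session, not the request parameter:
    a caller may read their own line or another line on their billing account.
    Everything else gets the same answer as a nonexistent number, so the
    endpoint does not confirm which numbers are T-Mobile customers."""
    owner_phone = SESSIONS.get(session)
    if owner_phone is None:
        raise PermissionError("not logged in")
    if not limiter.allow(session):
        raise PermissionError("rate limit exceeded")
    owner = ACCOUNTS[owner_phone]
    if phone != owner_phone and phone not in owner.linked_numbers:
        return None
    return ACCOUNTS.get(phone)


def scrape(lookup, session, candidates):
    """The enumeration the researcher warned about: walk candidate numbers
    through `lookup` and collect every record returned, stopping when the
    endpoint refuses us."""
    found = {}
    for phone in candidates:
        try:
            acct = lookup(session, phone)
        except PermissionError:
            break
        if acct is not None:
            found[phone] = acct
    return found
```

Running `scrape(lookup_vulnerable, "sess-carol", ACCOUNTS)` returns all three records from a single low-privilege session, which is the whole-customer-base scrape described in the post scaled down. Against `lookup_hardened` the same session gets only its own record. The authorization check is the actual fix; the rate limiter is defense in depth that makes the remaining legitimate surface (a customer reading the few lines on their own account) expensive to abuse at scale, and on its own it would merely slow the scrape down, not stop it.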
 
Cool. Equifax and also some criminal in Philadelphia leaked/sold my identity already and I had to freeze credit and am just waiting for issues. Glad my phone provider jumped in, since phone numbers are like a "soft SSN" really. Oh well, I hate the lottery and still have to play it every day :(
 
Ouch. And lollerwaffle that sucks. I was lucky that mine wasn't among hacked equifax entries, but I think there was almost a 50/50 chance. They deserve to get sued and should have to pay for all attacks against compromised accounts. Hope they didn't screw you up too much.
 
On the flip side, you have a pretty nice computer :)

Yeah - you really had a 50/50 chance at being fucked by Equifax and the fuckery didn't just stop there...
 
yeah, so, this internet thing...it seemed like such a good idea...
 
Hacking isn't just limited to internet thing. Heck, you don't need a computer to really hack something - Social Engineering is one of those ways to hack without being on a computer.
 
You still need computers/the internet to be effective. The offshore scammers probably aren't as successful in their local markets, and the door-to-door salesman bothering you at 6pm just can't cover enough ground.
 
The original definition of the word "hacker" means a hobbyist, one who "hacks" away at something in their spare time as a hobby, etc. Work on cars in your spare time tricking 'em out with new parts and whatever? Car hacker. Into sports of various kinds? Sports hacker. Stamps? Stamp hacker, and so on and on.

It's kinda pathetic that over time the term has taken nothing but a negative connotation, really, but that's just another one of those things that gets ruined because people are fucking stupid. :(
 
White Hat vs Black Hat.
 
Going by what, their website that flips a coin and tells you either "you may have been compromised" or "you may not have been compromised"? That website is designed to sell protection services. Everyone should assume that if you are in Equifax's records (and you are, if you have ever taken out a loan, signed up for or used a credit card, etc.) you have been compromised.
 
"IT is just an expense and doesn't generate any revenue. Cut as much budget as you can."
How many more times does this have to happen before the above statement dies? Fucking stupid Business Executives.
 
Until we pass some of those pesky regulations that make the fine for not securing user data so high that it doesn't make sense to cheap out on IT/Security.... Kinda like HIPAA, which is supposed to have a crazy fine for each record you lose. Which was the exact same data Equifax lost btw. Name, birthdate, SSN is enough for a HIPAA violation. Although, our government only seems to rape the little guys for these breaches, because I don't recall Aetna getting hit with a multi-hundred-million-dollar fine for the huge breach they had early last year.
 
Until, legally, we treat confidential data like money, this will keep happening.
 
HIPAA is defined very poorly, but is essentially about an organization not disclosing protected info deliberately or erroneously. Someone coming in and stealing it is a different matter. If I leave HIPAA data in an unsecured MongoDB, as seems popular, that's on me, and I'll likely lose in short order. If I take measures to secure it that are in compliance with HIPAA guidelines, but someone breaches my systems anyway, the odds of me being found in violation are a lot less.

The only Aetna thing I found for a breach was them and their stupid HIV letters last year. There's no money amount attached yet because the paperwork was just filed back in August to sue the shit out of them. They will lose. What happened, although not identical, fits solidly within some of the few concrete examples provided in the regulatory guidelines. To not be record-settingly lenient, it should result in a very, very large fine. If it was record low per individual and treated on par with bookkeeping violations with no indication of a leak, they should still get hit with nearly $400 million for that. If they discounted a typical HIV-based HIPAA violation settlement, it should be north of $2 billion.
 
Yeah, I'm not finding the news article on it either.... Wonder how much they paid to have it deprioritized from search engines (anti-SEO?).... It was the biggest breach in the healthcare industry at the time. I worked at a company that worked with PHI, so it was a big deal and prompted an internal 3rd-party security audit.
 
Will never happen. Right now, that money is harvested by huge conglomerates like Facebook et al. You are never going to benefit financially from controlling your data.
The argument can be made that you pay Facebook nothing while using their services, but when I look at the money Facebook makes with your data, it seems.. somewhat lopsided.
 
eh, this hack wasn't so bad. Just an email address and phone number, no big deal.
 
So far nothing appears to have been compromised, they patched it fast, and paid the guy $1,000.
Better handling than other companies.
 