Couldn't T-Mobile send their own SMS's to their employees pretending to increase the payout to $600, then fire any employee that replies?
Or maybe change the terms of use for the employee line discount to allow monitoring SMS content or metadata for security threats to the company's users?
T-mobile could do many things (not sure it’s legal to pretend you want to pay for simswaps, but that’s beside the point), but first we need to establish why they would care.
I haven’t seen much evidence in the past they would.
They don't care. Source: got swapped on TMo, front-line CSR fixed it but no one else at the business cared; would not even refund my final bill. Solution: move to Google Fi. It has a word-of-mouth reputation for being resistant to this, which I believe if nothing else because Google has almost no human support to bribe/phish.
Google Voice too. No human tech support. It's kind of weird how having no human to talk to can be a good thing in these high security matters. No social engineering attack surface.
Imagine making a mean comment on YouTube and losing access to your bank account (everything runs on SMS 2FA)
No human to talk to, no appeals process. Don't trust Google, they are indifferent.
That’s a real reason I don’t comment on YouTube or risk using any other Google services except Gmail and Voice.
God forbid I chargeback a purchase on Google Pay (or whatever their PayPal is this year) and trip some anti-fraud system that locks me out of my 20 year old email account. We all know their support is either automated or nonexistent, so it’s not worth the risk.
And you effectively can't even run your own system, as has been discussed here many times.
But there are many providers that you pay actual money to (like Fastmail), and if something goes wrong you, as a customer and not a potential ad target, are their top priority and you can call a human on the phone.
Exactly, vote with your dollars. Email is important and worth paying a few bucks a month for solid service.
Oddly enough, the EU isn’t racing to bust down the door of these “gatekeepers” and require third-party interoperability with this socially-critical service.
Pretty much just an apple thing as far as I can see.
switch to Fastmail or literally anything else :)
It's crossed my mind, but would require more effort than not commenting on YouTube or using Google Cash
Today it's commenting, tomorrow it might be watching a few bad videos
My class read a science fiction story in CS about a guy getting executed on death row for a late library book in a comedy of errors where a series of automated systems glitch out and a detached bureaucracy is slow to react. Or something like that.
I feel like it should be required reading to protect against "automate all the things" hubris.
Do you remember what it was called?
I had a fuzzy memory of this story from years back, and recently stumbled across it on Wikipedia: https://en.wikipedia.org/wiki/Computers_Don't_Argue
Sounds somewhat reminiscent of the Terry Gilliam film Brazil. Basically a fly dies and gets caught in a teletype machine, causing the name on an arrest warrant to be misprinted. This snowballs into all sorts of darkly humorous and depressing hijinks.
Literally a bug in the system.
Basically a modernized version of the premise of "The Trial" by Franz Kafka. An unknown authority charges the character with an unstated crime and bureaucracy chugs along on errors and assumptions.
I think this is one of the reasons that Google Plus failed. It's like if North Korea set up a social network. Nobody would post, because post the wrong thing and you get executed.
If you see what people post with their real name on newspaper comments, Instagram or Facebook, it's clear that people don't care, or don't think that far ahead.
Google Plus failed for many reasons but I doubt that one was a big factor.
You can have multiple Google accounts. Just make sure you use app-based 2FA on each so you don't get locked out.
I've just realized that, even though I've used Google Voice as my primary phone number since before it was Google Voice -- for about 18 years now -- I have never really had a problem with it[0], and I've also never paid a dime for it[1].
It seems like a well-oiled machine.
0: Well, some places don't like using GV for 2FA (and demand a "real" cell phone number), and some other places don't think it can do short-code messages at all, but those aren't issues that anyone at GV could ever solve even if those people did exist.
1: Yeah, sure. I'm the product. Blah blah.
GV numbers are in some database as being VOIP. If there was someone there who could do something, they could get the numbers out of that database.
Do these databases see through number portability, or are they just verifying that the area code + prefix is assigned to a traditional telco?
Because you can port a landline to Google Voice for $20, and, in my experience, random Internet "phone number lookup" sites still show it as a landline years later.
The number gets classified differently in the "official" phone number database when you port it to a new carrier, including Google Voice. I used to have my US number in GV but ran into a lot of the 2FA issues as well as trying to use it overseas extensively. Eventually, Google will figure it out to the point where it is no longer tenable to try and keep working around it. I caved and bought a $5/mo eSIM plan from Tello. They don't seem to care that I'm not in the US 10 or 11 months out of the year. I can use wifi calling to send/receive texts for 2FA for free, and iOS even supports using the data of one SIM/eSIM as the "wifi" for a different phone line also present on the device. So even if I'm out, I hop into settings, turn on the second line, it uses my EU data plan to fetch new messages via "wifi calling" and then I get my 2FA code or whatever. Takes about 30 seconds in total.
Is it the most convenient thing ever? No. I have an older iPhone because I'm a cheap bastard so I turn off the other line when I'm not using it, otherwise it will constantly look for a compatible roaming signal which it will never find because I have not authorized any international charges on that account (battery drain).
CNAM is the database you're looking for, maybe LIDB too. Once you port the number the CNAM should change.
Many services won't even text 2FA codes to voip numbers, google voice included.
Some may call, most not even that.
It's more of a recent thing, but I am a little worried about how common it is becoming. I've used my GV number since at least 2007 for everything.
My bank accounts at banks I like have never complained about my Google Voice number and still don't. My bank account at Bank of America had some security check I needed to complete at some point, and I was told that my Google Voice number, which had been in their system for a decade, was not eligible anymore and that I needed to actually use my real phone number.
I could almost put up with it if it was for things that need to be secure, but my 7-11 rewards account rejected my phone number at the gas pump a few years ago and Target rewards also started blocking my GV number.
Sometimes, it's like neither loyalty nor consistency nor history actually mean anything.
"I have cheerfully been using your service in this exact same way for seventeen years."
"FUCK YOU! GET OUT!"
I've still got my $0.10 Grand Central introductory credit.
I use Google voice as my main number on my Pixel, but also on a burner phone to harass overly aggressive recruiters. When I set up Google voice in the burner it made me load it with credit but surprisingly all the calls and texts I've made with it are free.
Things are pretty stable because Google Voice has barely changed in the past decade, but when things do go wrong there's no one around to look into it.
There was a time many years ago when Google Voice would intermittently fail to ring or even forward calls to another number when I tried that, and then give no indication that a call was ever made to your number that you missed (I verified it by asking when people I knew called me and said I never got back to them), which is pretty bad when you're expecting to receive important calls sometimes. This went on for months. I received bare minimum support which didn't even come close to helping the issue even though my issue was voted to the top of the support boards because many other people were having the same issue at the time. I'm glad you personally haven't had an issue but you should be prepared to have one at some point and get essentially no help.
what if you lose access to google voice yourself?
There is usually a way to get into your own account. It’s just harder than fibbing to a customer support agent in a chat box.
The downside of course is if you do run into a problem, you have no recourse.
Still seen swaps with Google Fi. Efani is a much better option if you actually want protection. I am a cyber lawyer and that’s our recommendation to any clients who care. I can’t recall if Efani is throttled on AT&T or Verizon as MVNO, but one isn’t. Easy to ask them.
Their website says it's $99/month. That seems a bit steep to me considering all they're providing over a regular provider that charges $29/month is that they do a bit more verification when you claim that you lost your sim. It's not even clear whether they protect against a port-out attack, which is probably worth worrying about as well.
Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work. They also have no other lines of business like device sales/financing that could help cover those human operational costs.
That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
According to the BLS "Computer User Support Specialists" get paid $30 on average[1]. Whatever training they give to staff to resist sim-swap attacks, I can't imagine it could be more complicated than the certifications that "Computer User Support Specialists" have to get through, so I think it's reasonable to model their support costs at $30/hr per person. With the premium they're charging over a budget MVNO they can afford two support people per customer. How many fraudulent sim swap attacks could the worst client possibly attract? Is it really that hard to train someone to deny sim swaps until they go through 11 steps of verification like their website says?
[1] https://www.bls.gov/oes/current/oes_nat.htm
I mean yeah that's the more reasonable answer. It's a luxury product and priced accordingly.
T-Mobile blocks my Google Voice calls. They have to run inside a VPN.
I've mentioned this a few times and don't feel like restating it but if you're curious about my "i was locked out of every single Google service for "fraud" that I didn't commit, don't know what they were talking about, and never got a single response even after sending them my drivers license multiple times to prove my identity" story it's somewhere in my comment history.
It's probably a tiny chance it happens to many people but it's something to consider. I had nobody to talk to. No store to go to. I lost cell service for a week until I migrated everything off of google.
Just something to be wary of.
edit: I tried to dig it up; it's about a year old and... oof, yeah, I'm not going through pages and pages of paginated HN comments. Moral of the story is what I said above.
https://news.ycombinator.com/item?id=36336256
This one seems to fit. Happy I've never had reason to write one like it.
lol That's it. Thanks, you're persistent!
Lazier than you think! You almost nerdsniped me into seeing how fast I could whip up a crawler but then I checked the search and found out it can find comments and use a custom date range.
https://hn.algolia.com/?dateEnd=1700092800&dateRange=custom&...
deletes entire account
This is less traumatizing than when I found IRC logs of me from 10-14, thankfully.
Doesn't Google Fi use T-Mobile's network as an MVNO? Are they insulated from this kind of thing still?
Same goes for Mint mobile. They are/were an MVNO now owned by T-Mobile. I have no reason to go into a store since the service just works and I never do much but confirm auto-pay is working. Looking at the site now, it's been T-mobilized with stuff like carrier-locked phones but otherwise I've seen no meaningful changes.
My main problem with google fi is that I also use gmail heavily, and if the algorithm decides to cut me off one day for some reason, I don't want to lose access to my primary phone number and primary email address at the same time.
What were they after?
I'm pretty sure T-mobile could legally do that to their own employees. Corporate security teams are always sending fake phishing email to test their employees' gullibility and send them off to Re-education Camp.
Phishing emails don’t usually ask people to do something illegal, though.
What law would the company or the employee be breaking?
The initial claim was that employees were doing something illegal. You cannot send employees an email to instruct them to do something illegal.
Yeah, I'm sure a well paid attorney could probably come up with some legal theory that "makes it OK" to attempt to entice an employee into committing a crime for the purpose of rooting out employees who would commit a crime in exchange for money.
A well paid attorney worth their salt will likely tell you that you don't want to test that theory with a court and the various employment watchdogs.
Engaging in such a plan and through happenstance and human fallibility ending up actually creating harm to an actual customer could potentially expose you to a tort claim.
We call it concentration camp here. Because of all the thinking.
I don't see a big difference between this, and sending fake phishing emails to employees to see if they bite, which is a fairly common practice.
In this case though, it doesn't necessarily have to be T-mobile that does it. It could be local law enforcement, and they could potentially trade immunity for information on real bribers.
Clicking on a phishing link is not illegal. Therefore, it is OK for corporate to send fake phishing emails. This would be instructing employees to do something illegal.
Likewise, a CEO cannot instruct the accountant to steal money from the company account as a test.
You could solve this by simply sending out a memo not to respond to such offers or risk termination.
It shouldn’t just be termination, it should be jail time. It’s no better than selling a gun to a person you know intends to use it to commit a crime.
Just so we’re clear: getting shot is quite a bit worse than having your phone number stolen.
A person getting a gun is not the same as someone getting shot.
Well yeah, a person getting their SIM swapped is not the same as someone getting scammed.
Until it is.
Guns have legitimate uses; SIM swapping does not.
Sure... except the thread you're in started with:
Though I guess you could be making the case that crime is a legitimate use of guns?
Many people--rich or poor--would rather get shot and survive than lose all their wealth.
We talking a grazing, or a colostomy bag and a wheelchair?
I wouldn't, but I think a lot of people would.
Well that could really depend.
If your phone number being stolen causes your savings to get drained for long enough that you run into problems making important payments like rent, taxes, car payments, that can pretty quickly spiral into even worse situations. In a world/country where many people have too few savings to go even a month without being paid, losing even that can get extremely dangerous. Not to mention the stress of such a situation alone will probably take quite a bit of your life expectancy off.
While I absolutely understand the point you're making....
At least in the United States, we also live in a society where the financial ramifications of getting shot could lead to equally bad financial outcomes (whether directly or indirectly).
It's actually significantly better.
T-Mobile should make a few loud examples out of those proven to be doing this. Deterrent is the best medicine. Of course they don't want this kind of attention so they'll do as little as possible.
Or, crazy idea, we do not give minimum wage paid retail sales reps the ability to control access to the online accounts of hundreds of millions of people.
Reps for T-Mobile are not making minimum wage. Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
You can make $15/hr as an entry-level cashier - your first job, zero job history - at CVS and Walgreens, with tolerable health/dental/eye insurance.
And if you're not entirely braindead you can trivially become a pharmacy intern (then tech) and start at $18-$20, with benefits. They'll pay for your licensing. You can make $18-$22 to start as a telemetry or video tech, with zero experience. Hospitals are filled with people sitting in rooms watching video monitors making sure patients don't fall over or hurt themselves, it pays 3x the minimum wage and requires zero experience.
If you're making $7.50/hr at this point, you're either living somewhere very barren (almost zero economic opportunities), or it's your own fault.
Sounds like a great gig! How do the pharmacy techs at Walgreens enjoy working there?
I think you may have missed the point.
Even so, retail sales jobs are often heavily commission adjusted which makes this not so cut and dry.
Sell sell sell, or you are well below the poverty line and quickly replaced by someone more willing to cut corners on the activities that are not profitable like carefully checking ID.
Almost nobody makes federal minimum wage.
It's gotta be at 2%+ making state minimum wage though.
CA for example has a minimum wage somewhere north of $15, and like 10% of the population makes minimum wage or less. That right there pulls the number for the whole country up to at least 1% making minimum wage, because CA is >10% of the population. (Extreme example, since CA also has the highest real poverty rate in the US (SPM, not the hilariously undercounting OPM)).
Red teams do this sort of thing all the time. How about you don't accept bribes? Arguably that's a bigger dick move.
An audit log tied to the one who authorizes the swap, along with guaranteed criminal penalties, would be a stronger disincentive I believe.
Is it? It'd be a good way to catch people doing something that's seriously damaging to others for personal gain.
I don't think I have much sympathy if you lose your job for doing something this damaging and probably illegal.
How is knowingly doing sim swapping not already a dick move?
Honestly what the OP suggested is simply a sting operation.
Your reaction to it is ... more scary.
A telling reply.
SIM swapping? No comment. Trying to catch SIM swappers? Suddenly you have feelings about it!
Wow, genius, just tell people not to break laws, why didn't they think of that...
Or pay people enough so they don't get tempted to begin with.
Lol Martha Stewart has $400m and she got done for $230k worth of insider trading.
And Matt Levine every now and then talks about a guy making a few million a year insider trading a few thousand and settling.
Bechtolsheim too
That is exactly who I was thinking of but I couldn't remember the name. $16B and he was fingered for $400k hahaha.
Wasn't it because she lied about it?
The point is that she was already rich. High pay doesn’t stop people from doing crimes.
Billionaires have literally committed financial crimes for more money. Pay has very little to do with it.
Billionairism. Addiction to the accrual of wealth and the power wealth affords. They should be in asylums not boardrooms.
There's plenty of room for them in the Fletcher Memorial Home.
Such a weird song, yet surprisingly memorable.
“And give them a home / a little place of their own…”
What is the dollar value of getting access to a phone number belonging to a celebrity or a billionaire? I don't know the exact amount, but it is 100% more than what T-Mobile can feasibly pay all of its employees. Do you think security guards protecting the federal reserve's gold vault get paid more than the value of the gold in that vault?
They can
1. require two employees PLUS an agent on the phone to do it.
2. call the desired number and speak to whoever answers and ask if they're aware the number will be ported.
3. have a 24-hour period to try to reach someone at that number before the swap occurs.
4. offer a very large bounty ($10,000 or more) for providing evidence that a co-worker is taking bribes.
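The first three steps above, plus the per-authorizer audit log suggested a few comments up, are easy to state and worth seeing as an actual workflow: one SIM-swap request, two distinct in-store employees, a phone agent, a call to the number being moved, and a 24-hour cooling-off window that only an acknowledging subscriber can short-circuit. This is an added example written for this thread, not T-Mobile's process and not anything from the linked article. The phone number, ICCID, employee and agent names are constructed placeholders, and the rule set (opener counts as the first employee, a subscriber who objects kills the request, an unreached subscriber means the full 24 hours must elapse) is my own assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLING_OFF = timedelta(hours=24)   # step 3: window to reach the current SIM holder
REQUIRED_EMPLOYEES = 2              # step 1: two distinct store employees
BASE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock origin


def at(hours=0, minutes=0):
    """Constructed timestamps relative to BASE, so scenarios are deterministic."""
    return BASE + timedelta(hours=hours, minutes=minutes)


@dataclass
class AuditEvent:
    at: datetime
    actor: str      # every event is tied to a named person (or "system")
    action: str
    detail: str = ""


@dataclass
class SwapRequest:
    msisdn: str
    new_iccid: str
    opened_at: datetime
    employees: set = field(default_factory=set)   # in-store authorizers
    phone_agent: Optional[str] = None             # step 1: remote agent on the call
    subscriber_reached: Optional[bool] = None     # step 2: did the current line answer?
    subscriber_objected: bool = False
    audit: list = field(default_factory=list)

    def log(self, when, actor, action, detail=""):
        self.audit.append(AuditEvent(when, actor, action, detail))


def open_request(msisdn, new_iccid, employee, now):
    req = SwapRequest(msisdn, new_iccid, now)
    req.employees.add(employee)            # opener counts as the first employee (assumption)
    req.log(now, employee, "open", f"new_iccid={new_iccid}")
    return req


def approve(req, employee, now):
    """Second-employee approval; the opener cannot approve their own request."""
    if employee in req.employees:
        req.log(now, employee, "approve_rejected", "same employee as opener/approver")
        return False
    req.employees.add(employee)
    req.log(now, employee, "approve")
    return True


def phone_agent_confirm(req, agent, now):
    req.phone_agent = agent
    req.log(now, agent, "agent_confirm")


def record_subscriber_contact(req, actor, reached, objected, now):
    """Outcome of calling the number about to be moved (step 2)."""
    req.subscriber_reached = reached
    req.subscriber_objected = bool(reached and objected)
    req.log(now, actor, "subscriber_contact", f"reached={reached} objected={objected}")


def decision(req, now):
    """Return ('approved' | 'denied' | 'pending', reasons) and record it in the audit log."""
    if req.subscriber_objected:
        req.log(now, "system", "denied", "subscriber objected")
        return "denied", ["subscriber objected to the transfer"]
    reasons = []
    if len(req.employees) < REQUIRED_EMPLOYEES:
        reasons.append("needs a second employee")
    if req.phone_agent is None:
        reasons.append("needs phone-agent confirmation")
    if not req.subscriber_reached and now - req.opened_at < COOLING_OFF:
        reasons.append("subscriber not reached; 24h cooling-off still running")
    status = "approved" if not reasons else "pending"
    req.log(now, "system", status, "; ".join(reasons))
    return status, reasons


if __name__ == "__main__":
    # Constructed walk-through: opener, second employee, agent, subscriber reached.
    r = open_request("+15555550100", "ICCID-PLACEHOLDER", "emp_alice", at())
    approve(r, "emp_bob", at(minutes=5))
    phone_agent_confirm(r, "agent_7", at(minutes=6))
    record_subscriber_contact(r, "agent_7", reached=True, objected=False, now=at(hours=1))
    print(decision(r, at(hours=1)))
    for ev in r.audit:
        print(ev.at.isoformat(), ev.actor, ev.action, ev.detail)
```

The useful property is the last loop: every state change, including the automated decision, carries the name of whoever caused it, which is exactly what a later investigation (or the bounty in step 4) needs. Note that the elapsed-time check uses the request's own open time, so an unreached subscriber cannot be bypassed by simply reopening the request under a second employee's name without leaving a trail.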
Buried at the bottom of the article is a link to
T-Mobile’s New SIM Protection https://tmo.report/2022/12/t-mobiles-new-sim-protection-is-n...
and it of course doesn't show up in my T-Mobile account. Though mine is prepaid.
FWIW this series of steps worked for me.
I believe there are telecommunications regulations involved that prevent them from erecting barriers during the SIM swap process. This might be one of the main reasons it's such a juicy vector.
You may be right! They might not be able to do a "24 hour cooling off" period. Even sending text messages to that number once an hour for a day saying "TEXT STOP TO STOP SIM TRANSFER OR CALL 611" would stop a lot of these.
I'll have to google a bit and see if they are restricted.