T-Mobile Scam

[kb5zue]

Just read a news story about a scam taking place with T-Mobile and thought I would pass it along.

http://www.wbrz.com/news/new-scam-uses-cell-number-to-access-your-bank-account

 

"T-Mobile alert: We have identified an industry-wide phone number port out scam and encourage you to add account security."

It's called a port out scam and it's affecting cell phone users around the country. Here's how it works. A scammer uses your cell phone number to find out some of your personal information. They use that information to call your cell phone carrier and have them cancel your service, but keep your cell phone number. They transfer your old number to a new phone on a new carrier and now have complete control of all the information tied to it, like your bank account. The scammer then calls your bank, says they've forgotten their password and get a pin number sent to their phone.

There are ways to protect yourself. T-Mobile says to call your cell phone carrier and ask them to enable two-factor verification needed to make any changes to your account.

[Qub3d]

Linus himself has been the victim of this. IIRC, he mentioned once on the WAN show that he had to get a new phone number and reset all of his accounts because of it.

[vanished]

14 minutes ago, Qub3d said:

Linus himself has been the victim of this. IIRC, he mentioned once on the WAN show that he had to get a new phone number and reset all of his accounts because of it.

That wasn't quite the same thing but definitely related

[handymanshandle]

13 minutes ago, Ryan_Vickers said:

That wasn't quite the same thing but definitely related

Well yeah for one, T-Mobile doesn't operate in Canada.

 

I believe he use(s)(d) Bell?

[Canada EH]

how do they get the bank info?

[Suika]

13 minutes ago, Canada EH said:

how do they get the bank info?

They don't need much. As soon as the thief manages to get the account holder's phone number ported to a new SIM, they can call up the bank and impersonate the account holder.

[vanished]

1 hour ago, Suika said:

They don't need much. As soon as the thief manages to get the account holder's phone number ported to a new SIM, they can call up the bank and impersonate the account holder.

that seems like a flaw in the banking system more than the phone system

[Mooshi]

Sounds about as secure as Apple when it comes to celebrity nudes.

 

Wouldn't happen with Verizon. If you don't know your account number to port, you can't do much. If you somehow obtain and don't know the pin to access an account, you're SOL.

 

If you try to reset the pin, it sends information to the account owner's cell via alert. Don't have physical access to the phone to verify a secure pin? You have to go to a store with a photo ID to reset it.

 

With all the cash TMobile throws to bash VZW, they should be using it to actually improve their company.

[Suika]

8 hours ago, Ryan_Vickers said:

that seems like a flaw in the banking system more than the phone system

It's not much different from using 2FA on anything and using your phone number as the second authentication and reset options.

[Lurick]

2 minutes ago, Suika said:

It's not much different from using 2FA on anything and using your phone number as the second authentication and reset options.

I don't know about your bank but mine will ask for driver license number, social, address, account info, and full name before giving up any information.

[Suika]

1 hour ago, Lurick said:

I don't know about your bank but mine will ask for driver license number, social, address, account info, and full name before giving up any information.

If the attack is targeted, chances are, the thief has that info. 

[Canada EH]

12 hours ago, Suika said:

They don't need much. As soon as the thief manages to get the account holder's phone number ported to a new SIM, they can call up the bank and impersonate the account holder.

how do they get the security word?

[Suika]

1 hour ago, Canada EH said:

how do they get the security word?

Not every bank is the same in their requirements, especially smaller local banks, but most of those answers can be obtained through a little social engineering.

[Mira Yurizaki]

15 hours ago, kb5zue said:

The scammer then calls your bank, says they've forgotten their password and get a pin number sent to their phone.

This part bugs me. I'm pretty sure most competent banks don't send PIN to debit cards over the phone. They mail it to you or ask you to come to the nearest branch to have it sorted out. And if you call them saying you forgot your password on what I'm assuming is an online account, they'll just direct you to the actual "I forgot my password" feature on their website.

 

If any bank really goes through with this, they're kind of dumb and shouldn't be used.

 

Another flaw I'm seeing is the scammer has a very limited window of time depending on how often the victim checks their phone. I'm pretty certain that the carrier would send a ton of things regarding cancellation of service. And at the very least, the victim will notice they're no longer connected to the cell network, which is a huge red flag.

Edited March 3, 2018 by M.Yurizaki

[Murasaki]

How on earth will they know which bank is it LOL? I've never heard of mobile carriers collecting bank account info or am I missing something here.

If you have your bank's number in your SIM, you must have a lot of problems with them.

[Fire2box]

17 hours ago, Ryan_Vickers said:

that seems like a flaw in the banking system more than the phone system

when you can go up and get some random person in the mall or over the phone to get a copy of someone elses sim card, somethings wrong. 

[Fire2box]

19 hours ago, Ryan_Vickers said:

That wasn't quite the same thing but definitely related

it literally was the same thing. not on t-mobile, but same exact shit in sim card cloning because retail/CC workers don't give a you know what. 

[vanished]

8 minutes ago, Fire2box said:

when you can go up and get some random person in the mall or over the phone to get a copy of someone elses sim card, somethings wrong. 

Yes, very much so

6 minutes ago, Fire2box said:

it literally was the same thing. not on t-mobile, but same exact shit in sim card cloning because retail/CC workers don't give a you know what. 

In his case, someone else got a SIM to access his messages, as you say above, which is a bit different than the situation described in this thread, for one reason because this involves banks in some way.

[Zodiark1593]

7 minutes ago, Fire2box said:

it literally was the same thing. not on t-mobile, but same exact shit in sim card cloning because retail/CC workers don't give a you know what. 

How would SIM card cloning be carried out on an unwitting individual? Would you need the physical SIM card to do so?

[vanished]

10 minutes ago, Zodiark1593 said:

How would SIM card cloning be carried out on an unwitting individual? Would you need the physical SIM card to do so?

My understanding is what happened to Linus is someone went to a Bell store pretending to be him, and asking for a new sim and got it.  There was no canceling his service, no moving to a new carrier, and nothing involving a bank, so related to, but definitely different than what is described in this thread.  As for what info the phone place requires to convince them that it's you, clearly it's not enough.

[Zodiark1593]

9 minutes ago, Ryan_Vickers said:

My understanding is what happened to Linus is someone went to a Bell store pretending to be him, and asking for a new sim and got it.  There was no canceling his service, no moving to a new carrier, and nothing involving a bank, so related to, but definitely different than what is described in this thread.  As for what info the phone place requires to convince them that it's you, clearly it's not enough.

I would probably assume a fake ID was used as well. With T-Mobile, in the actual store, all it took was the ID of someone related to the account holder to change over a number to a different SIM card. Though having the original SIM on hand may have helped as far as "red flags" go when I was switching over a number for my Dad. Doing it over phone seems to require the SSN instead, not exactly the pinnacle of security either 

[Canada EH]

6 hours ago, Suika said:

Not every bank is the same in their requirements, especially smaller local banks, but most of those answers can be obtained through a little social engineering.

That would be interesting to see

[vanished]

2 hours ago, Zodiark1593 said:

I would probably assume a fake ID was used as well. With T-Mobile, in the actual store, all it took was the ID of someone related to the account holder to change over a number to a different SIM card. Though having the original SIM on hand may have helped as far as "red flags" go when I was switching over a number for my Dad. Doing it over phone seems to require the SSN instead, not exactly the pinnacle of security either 

[Canada EH]

yeah minimum wage workers will secure your info

[vanished]

57 minutes ago, Canada EH said:

yeah minimum wage workers will secure your info

That is the problem isn't it.  There is a design flaw: everything is placed on the human, which time and again have been shown to be the weakest link.  Your data should be stored in a way that it simply cannot be changed or accessed without some sort of passcode, not even by the employees.  Then it wouldn't be up to them to remember to check the code or to verify "you" are actually you, it would be an actual inherent necessity of the process.