![]() Because SMS is built into the infrastructure of cellular networks, the security of SMS-based two-factor authentication relies on the security of these networks - which can be compromised, as the recent T-Mobile breach has shown. ![]() Then, by requesting a one-time passcode be sent to the phone number, they can enter their victim’s accounts, transfer money out of their bank accounts, and even lock them out completely.Ĭybersecurity experts have called on consumers to stop using SMS 2FA for years, citing the growing trend of SIM swapping attacks that let hackers read any of their victims’ SMS messages, including those with one-time passcodes. Because IMSI is the unique identifier for a mobile phone’s SIM card, a hacker can use stolen IMSI data to duplicate someone’s SIM card and gain access to their phone number. However, two-factor authentication using SMS messages isn’t as secure as you might imagine. Many organizations in finance, healthcare, and government use SMS-based 2FA as an extra layer of security to prevent unauthorized access with just a username and password. If you have ever received a text message with a one-time passcode to log into your bank or another online service, then you have used SMS-based two-factor authentication, or 2FA for short. What might be more alarming is that the breach also leaked IMEI and IMSI information - the identifier numbers associated with a mobile phone, which compromises the security of SMS-based two-factor authentication. Because these attacks are highly personalized, they are much more effective than more general phishing attacks. Known as “spear phishing,” these targeted attacks use personal information like your name, place of work, and interests to pose as a trusted source, like your boss. With their leaked data available on the internet, it’s only a matter of time until scammers use this data to launch targeted phishing attacks. ![]() In response to the breach, T-Mobile offered two years of free identify theft protection services to affected customers, but for many, it might already be too late. For around 850,000 active customers whose names, phone numbers and account PINs were leaked, T-Mobile proactively reset their PINs and contacted them to let them know. While they confirmed that phone numbers, account numbers, PINs, passwords, and financial information were not leaked, T-Mobile still urged its customers to proactively protect their accounts by changing their account PINs. The company confirmed that the data from approximately 40 million former or prospective customers was also compromised. As of August 17, they found that information from about 7.8 million current T-Mobile customers was compromised. ![]() Another user posted on a cybercrime forum, advertising over 100 million “freshly hacked” records from T-Mobile, claiming that they had the name, date of birth, SSN, driver’s license information, security PIN, address, and phone number of 36 million T-Mobile customers in the U.S.Īfter locating and closing the access point the company believed was used to gain access to their systems, T-Mobile continued to investigate the breach, which they called a highly sophisticated cyberattack, in the following days. The data breach first came to light when a Twitter user started posting about the details of the leaked information. In a statement released on the same day, T-Mobile confirmed “unauthorized access” to their data, but had yet to determine if any personal customer data was involved. On August 16, telecommunications giant T-Mobile announced it was investigating a breach that allegedly exposed sensitive data from millions of T-Mobile customers in the United States.
0 Comments
Leave a Reply. |