T-Mobile Hack: What can be Done with Your Information?

Steve
5 min read · Feb 5, 2023

Google Fi and T-Mobile announced in January 2023 unauthorized access to subscriber information

2023 is off to a good start. T-Mobile announced in January that it detected unauthorized access to approximately 37 million records. Google Fi, which white-labels T-Mobile's network, also announced at the end of January that its subscriber information was accessed too.

Both companies disclosed the types of information accessed. Data types from T-Mobile include names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier. T-Mobile said no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed in the hack.

Data from Google Fi was information kept for customer support purposes and contains limited data, including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status. Google Fi explicitly told most of its customers that the accessed data does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.

However, an unfortunate few who experienced a brief interruption of service because of a SIM swap attack received further communication from Google Fi: “During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.”

WHAT CAN BE DONE WITH THIS INFORMATION

Since the inception of the iPhone, we have increasingly relied on mobile phones to conduct business, stay connected, and share information. Most people have had the same mobile phone number for over 20 years, and it has become their primary contact number in lieu of traditional land lines.

Mobile phone numbers aren’t completely secure despite most thinking they are because of the attachment we have to our physical devices. Mobile phone numbers can be attacked just as our computers can receive malware or our social media account passwords can be stolen.

Many attacks on mobile phone numbers require the attacker to socially engineer the mobile service provider, tricking them into modifying your account configuration. The data accessed in the Google Fi and T-Mobile hacks could be enough to socially engineer access to your accounts. While some Google Fi users experienced SIM swap attacks, others were told not much data was affected. Combining any of the data from Google Fi or T-Mobile and enriching it with open source intelligence (OSINT) could help these attackers sound more legit when talking with mobile service support personnel.

Phishing: T-Mobile reported that emails were accessed in its breach. While Google Fi did not, OSINT repositories could be searched by phone number to find an associated email address. This exposes subscribers to potentially legitimate-looking emails that could include support-style information.

Smishing: Similar to phishing, smishing is phishing carried out over SMS. Attackers could send messages directly to subscribers of T-Mobile or Google Fi, pretending to be support and requesting all sorts of information like passwords or financial information such as credit cards, or including links that harvest credentials or install malware.

Phone Number Spoofing: Obtaining a legit identity and phone number pair could lead to a targeted attack. Attackers and spam operators have the ability to “spoof” phone numbers, bypassing security controls on the mobile network. They could spoof legitimate identities and target family, friends or business acquaintances for malicious gain (financial, credential harvesting, etc.).

SIM Swap Attack: SIM swap attacks require the attacker to gain as much information about you as possible, then call your service provider and socially engineer them into moving your phone number to a SIM card the attacker controls. SIM cards act as an address on the cellular network, just like a physical street address does for mail or an IP address does for network access. The attacker would need to trick the mobile service provider into believing that you need the number ported, and once that is complete, the attacker would have access to your SMS messages and voice calls. This could allow them to initiate change password requests, receive SMS-based two-factor authentication (2FA) codes, or contact your personal contacts from your phone number. For many financial accounts, SIM swaps can be deadly because those accounts use SMS-based 2FA, allowing the attacker direct logins to your accounts (though they would need legit user names and passwords).

HOW TO PROTECT YOURSELF

Security is critical to staying safe when interacting with online accounts. As more data breaches occur, more of our personal information is leaked online. Securing our accounts and maintaining good cyber practices can minimize the devastating effect of social engineering.

Enable multi-factor authentication (MFA) on every account that supports it. If you can opt for an authenticator app or a hardware key, use that method, as SMS 2FA can be intercepted should a SIM swap attack occur.

Be aware of phishing and smishing messages. Don’t click links in messages you weren’t expecting. Rather, navigate to those sites in a web browser by typing the correct URL into the navigation bar. The same goes for phone calls. Don’t call phone numbers that were “messaged” to you. Rather, call trusted numbers from within your account or on the backs of credit cards or financial statements.

Call your mobile service provider or check their security tips FAQ to understand the options for further securing your accounts. Google Fi has released an FAQ specifically about protecting against SIM swap attacks. They recommend enabling 2FA on your Google account.

CONTROL WHAT YOU CAN

In cases like Google Fi and T-Mobile, the loss of our information is out of our control. However, we do have the ability to set up security within our accounts that will protect us from unauthorized access. Practicing good cyber hygiene along with choosing stronger security controls and configurations will reduce the success and devastation caused by these types of attacks.

Written by Steve

Cybersecurity evangelist and cybercrime investigator who has investigated over thousands of events with ransomware, insider threat, and regulatory inquiries.