Massive T-Mobile hack...what now?
August 22, 2021 8:10 PM   Subscribe

As a T-mobile customer, what should I be doing to protect my online security?

I've been reading how the T-Mobile breach can greatly increase the likelihood of a SIM swap attack. I've changed my pass and pin at T-Mobile and set up Google Authenticator. Today I logged into my account and of several two-factor options, one is SMS texting. The company that just got pwned in a big way is going to text me to confirm my identify.
When I think about the many platforms that text me for two factor authentication, it's really a lot if not most of the sites I frequent.
Should I bail on T-Mobile? is there any cellular service with good defenses against SIM swaps exploits?
posted by diode to Technology (7 answers total) 2 users marked this as a favorite
 
I've changed my pass and pin at T-Mobile and set up Google Authenticator.

That's good. And probably sufficient at this point.

Should I bail on T-Mobile?

Probably not? I mean, the hack's already happened, and you've taken steps to protect yourself at T-Mobile, so you're probably fine staying put if you're happy with T-Mobile overall.

When I think about the many platforms that text me for two factor authentication, it's really a lot if not most of the sites I frequent.

Yes? I'm a little confused as to what this has to do with the T-Mobile hack specifically, but it is, in general, a good idea to set up 2FA wherever possible. Particularly on sites where you do any sort of financial transactions. I'm not one to shy away from doing financial stuff online, but when I do, I make damn sure I use as much security as is humanly possible.

Also, here's a plug for using a password manager, with which you can both audit all your passwords (to find easily guessed ones/duplicates across sites, and change them to unique, complex ones) and regularly change passwords, both of which are good steps to keep you safer in your online interactions. The two most popular ones are KeePass and LastPass, but there are several options, and they're all worth exploring.
posted by pdb at 8:37 PM on August 22, 2021 [1 favorite]


I think the point the asker is making is that if their sim can be hacked or duplicated, the bad guys can intercept the 2FA from any site that uses texts
posted by AugustWest at 9:42 PM on August 22, 2021 [1 favorite]


Response by poster: TMobile has a service to protect against SIM swap attacks which I signed up for. Guess that's about all i can do for now.
posted by diode at 6:07 AM on August 23, 2021 [1 favorite]


I went to my credit reports and put a freeze on them. I'm not applying for any loans or cards right now so that is a good precaution for me. It's free. I also changed my password and so on.
posted by emjaybee at 7:41 AM on August 23, 2021


the bad guys can intercept the 2FA from any site that uses texts

Ah, that makes sense. And it's why you shouldn't use SMS as a 2FA factor, but should where possible use Authy/Google Authenticator or some other app (I don't know if T-Mobile offers 2FA options other than SMS or not, I'm not a customer).
posted by pdb at 2:22 PM on August 23, 2021


t-mobile offers an email option for 2FA
posted by suelac at 3:56 PM on August 23, 2021


From what I've seen (but I could be wrong), when you log into T-Mobile it asks you if you want do do 2FA for that session via text or Google Authenticator. If my understanding is correct and there's no way to just do Google Authenticator only, then it largely defeats the purpose of having it because a hacker who has control of your phone from a SIM swamp would just choose to do it via text. Apparently Verizon has better built-in protection against SIM swaps. T-Mobile says they have something called Account Takeover Protection but if you call them to ask about it, they don't know what it is.
posted by Dansaman at 8:13 PM on August 23, 2021


« Older How to keep my tattoo pretty (at the beach)??   |   Best material for hanging/suspending shelves... Newer »
This thread is closed to new comments.