A few days ago, news stories appeared about a huge data breach that occurred at T-Mobile. The first reports of last Sunday stated that someone on the dark web was claiming to have the data of 100 million US subscribers/ex-subscribers from T-Mobile servers and was selling a portion of it on an underground forum for 6 bitcoin, which is over 220K€. The information that was stolen didn’t only include names, phone numbers and physical addresses but also social security numbers, driver’s license information and IMEI numbers (a unique device number that you can think of as a phone’s social security number).
I’m pretty sure that T-Mobile will come out with a statement that the stolen data didn’t contain any payment details of customers *great sigh of relief*. And after that statement, many people stop reading/worrying at this point and completely forget the story within hours. The reason for this is that it doesn’t immediately have financial consequences. Without payment details, no cash can be stolen, right? Wrong!
Obtaining customer data is just a first step for cybercriminals in their journey towards their end goal: financial benefits. With the data obtained, a lot of steps can be taken to make it financially worthwhile for a cybercriminal.
It seems that data leaks are not a “big deal” anymore to a lot of people if they don’t immediately expose sensitive financial details like credit card numbers or bank account numbers.
In this post, I would like to describe one of the most annoying things that can happen after your phone number (combined with your identity) has been part of a data hack: SMS phishing and phone scams. For some people, a leaked phone number might be a very minor incident, but with this T-Mobile example, I would like to show that leaked phone numbers can cause a lot of damage to customers that were part of the data breach, especially in combination with other details like names, addresses and other information.
Can cybercriminals do damage with just a phone number?
The answer to this is “no”. A cybercriminal can’t do anything with just a phone number. There are no software programs that give cybercriminals access to accounts or devices by just entering a phone number.
However, when cybercriminals have your phone number, they can trick you into performing certain actions that give them access to a device or an account. And the more information an attacker has about a possible victim, the less reason the victim has to doubt the attacker: all the correct details he discloses serve as proof that the request or question comes from a legitimate organization.
“Anti” anti-spy software
It is a common practice by cybercriminals to advertise on the internet that devices can be hacked by just a phone number. Cybercriminals promote/sell “anti-spy software” that mitigates this so-called risk. These advertisements have one thing in common: the promotion of a spyware tool that requires more than just a phone number to install the program. It also requires physical access to the device or iCloud login details. By installing these spyware tools, a cybercriminal can get access to your device. Instead of securing your device, the opposite happens.
Smishing
Cybercriminals can send fake messages by SMS to targets to gain their personal information (full names, addresses, credit card numbers, usernames, passwords, etc.). This is called “Smishing”. Smishing is a form of phishing that uses text messages to trick a victim into performing certain actions. These messages can be very credible and it can be very hard to distinguish fake from real text messages. Text messages are also used to link targets to malicious apps. When you click on the link, malicious software is installed on your device, giving the cybercriminal access to it without your knowledge.
Vishing
A target can also be approached directly by being called on their mobile phone. This form of phishing is called “vishing”. In the past, vishing was pretty uncommon. However, with new techniques like “deep fake vishing”, this form of phishing is used more often nowadays. There has been quite some noise in the media about deep fake videos that look incredibly real and are hard to distinguish from reality. Additionally, some programs focus on deep fake audio instead of deep fake video. Deep fake audio can be used when people don’t use a visual medium but only an audio medium.
Deep fake vishing allows cybercriminals to reproduce audio that sounds convincingly like a specific individual. This is done by using special AI software. With vishing, the victim is called by phone and the caller pretends to be someone else (for instance a representative of a company, bank or governmental institution). The goal of the cybercriminal is the same as with Smishing: obtaining the personal information of the target (full names, addresses, credit card numbers, usernames, passwords, etc.).
Deep fake audio increases the credibility of a visher when calling a victim. Calling in broken English will immediately lead to doubts, but if you hear someone speaking fluent English, maybe even with a UK accent, many people will not doubt the caller’s credibility and will fall for the visher’s trick.
Breaking Two-factor authentication
Two-factor authentication (2FA) is a form of authentication that uses two different authentication factors that identify a person. Two-factor authentication relies on a user providing a password and on top of that an extra factor (a security token, an authenticator, phone number, biometric factor, etc.) to be able to gain access to a secured environment.
If you have set up two-factor authentication by receiving an SMS code or by an authenticator on your phone, a cybercriminal could access this code if they have spyware installed on your device. This way they can get full access to the account of the target, including full access to the authenticator of the victim.
In this case, more steps need to be taken to get access to an account. The target first needs to click on a link sent by SMS, which then installs spyware. Then the target needs to execute a two-factor authentication action on the device.
Tips to prevent these attacks
The tips below can arm you against this form of cybercrime:
- Never respond to SMS numbers that are not on your contact list. Not even when you need to text “STOP” to unsubscribe yourself from a service. It can be a trick to identify active phone numbers.
- Never call the SMS number that has sent the message. Also do not check its authenticity. By doing this you automatically trigger/confirm that your phone number is an active number. There is a big chance you won’t be attacked if your number is not confirmed as an active number.
- Legitimate institutions (like banks, merchants and governmental institutions) never request account updates or log in by text. So never reply to them and never click on any links to confirm something or to download an update of specific software (for instance a bank app). Call your bank, merchant or governmental institution directly in case of doubt. Use a known phone number for this and not the phone number of the text message or (in case you are being called) the number that is provided from the other side of the line.
- Never send a password or account recovery code by text. Not by SMS and also not in other communication apps like MS Teams, WhatsApp, Telegram, etc.
- Download a state-of-the-art anti-malware app. There are great anti-malware apps available, also for mobile devices. Make sure to use anti-malware from a reputable supplier. Always research if the app is to be trusted. Always inquire with a professional cybersecurity specialist in order to get advice and a reliable link.
- Never keep credit card numbers and PIN numbers stored in your phone. Not in a note app on your phone and also not in your phone contact list.
- Use Two-factor authentication (2FA)/multi-factor authentication (MFA). Even if this is not fully “bulletproof”, it still is an extra security layer that will make it more difficult for a cybercriminal to gain access to personal information. An exposed password is in most cases still useless to a cybercriminal if you use 2FA/MFA.
- Never click on SMS links from phone numbers that are not in your contact list. Simply delete the message immediately without opening it. Don’t get tempted by, for instance, messages from a bank or a governmental institution. Companies, banks and governmental institutions never send general messages by text with links to websites to (for instance) confirm data details. In case of doubt, visit the company, bank or government institution and inquire about this message. You can also get in touch with them by phone, but be sure to call the general phone number and not a phone number in the text. The person answering that number could be part of the criminal organization.
- Never answer a phone call from an unknown number. Just ignore it. You can always return a call after you are completely sure that the number is legit.
- Try to find a phone company that offers a spam blocking service (both for Smishing and Vishing).
- Block SMS from unknown numbers. This can be done on iPhones and on Android phones.
- Numbers with “5000” are almost always scam numbers because this is the number used by messages that are sent by e-mail. These numbers are likely to be malicious.
- If you are bothered a lot, get a new phone number. This is the last resort option but in some cases, this might be the best option.
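Several of the tips above can be combined into a simple triage rule for incoming text messages. The sketch below is an added example, not code from the original post; the contact list, phone numbers, keyword patterns and action names are assumptions constructed for illustration.

```python
import re

# Constructed address book; a real handset would use the phone's contact list.
CONTACTS = {"+31600000001"}

LINK_RE = re.compile(r"(https?://|www\.)\S+", re.I)
# Requests the tips say a legitimate institution never makes by text.
CRED_RE = re.compile(
    r"\b(password|pin|recovery code|verification code|log ?in|verify|"
    r"update your account)\b", re.I)
STOP_RE = re.compile(r"\b(reply|text)\s+stop\b", re.I)


def triage(sender, body, contacts=CONTACTS):
    """Return (action, reasons) for one SMS, following the tips in this post."""
    unknown = sender not in contacts
    content = []
    if "5000" in re.sub(r"\D", "", sender):
        content.append("sender number contains 5000")
    if LINK_RE.search(body):
        content.append("contains a link")
    asks_creds = bool(CRED_RE.search(body))
    if asks_creds:
        content.append("asks for login or credential action")
    if STOP_RE.search(body):
        content.append("asks for a STOP reply")

    if unknown and content:
        action = "delete"      # do not click, reply or call back
    elif unknown:
        action = "ignore"      # replying confirms the number is active
    elif asks_creds:
        action = "verify"      # call the contact on a number you already know
    else:
        action = "allow"
    reasons = (["sender not in contacts"] if unknown else []) + content
    return action, reasons


# Constructed sample messages, not real traffic.
SAMPLES = [
    ("5000987654", "Your account is locked. Log in at http://bank.example/x"),
    ("+31611112222", "You are subscribed to daily tips. Reply STOP to end."),
    ("+31699998888", "Hi, is this still your number?"),
    ("+31600000001", "Can you text me your recovery code?"),
    ("+31600000001", "Running late, see you at 8"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, *triage(sender, body))
```

Keyword matching like this only flags the patterns named in the tips; a message that avoids them still deserves the same caution when the sender is unknown.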
Conclusion
I know that a lot of people have been harassed by this kind of scamming at a certain point in time (myself included). These people all have been the victim of a situation like what happened with T-Mobile which means that private data was stolen and/or sold by cybercriminals. In the case of T-Mobile, I expect that some of their customers at some point in time will start to be confronted with one or more incidents as previously described.
I hope that this article will contribute to improving the awareness of people. This kind of cybercrime in combination with social engineering happens on a very regular basis and there are ways to remedy these kinds of attacks. The target plays a critical part in the success rate of these attacks.
A data breach is just the beginning. It’s up to us to get as many potential victims on the winning side in the battle against cybercrime as possible by teaching them how to deal with these kinds of situations.
Feel free to ask me any questions or give me additional tips/advice on (phone) scamming by contacting me and if you want to keep in the loop when I upload a new post, don’t forget to subscribe to receive a notification by e-mail