SIM Swapping Issues At Mint Mobile

Yesterday, Mint Mobile’s co-founder, Rizwan Kassim, posted to Reddit acknowledging recent security issues. Here’s the key excerpt:

We’ve been reading your inquiries around the recent security concerns. Despite deeply wanting to respond to your questions, we haven’t been able to due to some pretty rigid compliance regulations around what we can share publicly, especially while we engage with law enforcement.

So what happened? We can’t share much, but in short, Mint Mobile was the victim of a social engineering incident last month that impacted a small number of subscribers. We have been in contact with impacted subscribers and quickly restored their services. We also continue to investigate this incident.

The post is sparse on details, and I don’t entirely accept Mint’s claims about being unable to share further information. However, Mint deserves credit for making the post and pinning it to the top of the r/MintMobile subreddit.

As best as I can tell, something happened almost a month ago that led to Mint subscribers becoming victims of SIM swap attacks. At least two reports surfaced on Reddit. I suspect a significantly larger number of customers were affected, and I’ve asked Mint to clarify.

About a month ago, Mint also had an incident where a large number of subscribers received unexpected password reset notifications. I think that incident was unrelated to the recent SIM swapping, but I’m not sure.

Mint’s Ticking Time Bomb

Mint walked into its latest security troubles. I wrote the bit below over a year ago:

A Reddit user suggests Mint Mobile’s policies may leave subscribers vulnerable to SIM-swap attacks. I haven’t dug into it, but it looks like a real issue.

While searching through old Reddit posts this morning, I realized Mint subscribers had been regularly discussing this security issue for at least two years. Lots of Reddit posters have asked Mint to implement two-factor authentication or secure PINs for porting numbers. Here’s one notable example from six months ago:

Mint does NOT have pins to protect against SIM swap attacks, sadly. It’s really their only defect, and it’s a massive one.

Mint really, really, really needs to add the ability to have a user-set PIN (that they store in their system as a hash, so no one inside can ever see the PIN plaintext, just confirm that you have the right one)… It is totally mystifying to me and other security professionals why r/rizwank [Rizwan Kassim, Mint co-founder] is setting himself and the otherwise-great company he created up for massively bad publicity and legal expenses when his users get hacked en masse by Eastern European mafiosos. As Mint grows this is inevitable as long as Mint refuses to implement PINs.

For quite a while, Mint has claimed to be interested in adding security features. The latest issues may lead the company to prioritize actually releasing something.
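The Reddit comment quoted above suggests a port-out PIN stored only as a hash, so that nobody inside the carrier can read it but the system can still confirm a customer has the right one. The following is an added illustration of that idea, written for this post in Python; it is not code from Mint or from the commenter. The record layout, the PBKDF2 iteration count and the lockout threshold are my assumptions, chosen to show the two properties that matter for a low-entropy secret like a PIN: the stored value is a salted, stretched digest rather than the PIN, and verification is throttled so a short PIN cannot simply be guessed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed cost parameter for PBKDF2-HMAC-SHA256 (matches the OWASP
# password-storage recommendation at time of writing; tune per deployment).
PBKDF2_ITERATIONS = 600_000
# Assumed lockout threshold: a 6-digit PIN has only a million values, so
# the hash alone protects nothing without a hard cap on online attempts.
MAX_ATTEMPTS = 5


@dataclass
class PortOutPinRecord:
    """What the carrier stores per account: a random salt and a digest,
    never the PIN itself. Constructed example record, not a real carrier schema."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN with a per-account salt so equal PINs on different
    accounts produce different digests and offline guessing is slowed."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def set_pin(pin: str) -> PortOutPinRecord:
    """Enrol a customer-chosen PIN. Only salt + digest are returned for storage."""
    if not (pin.isdigit() and 6 <= len(pin) <= 10):
        raise ValueError("PIN must be 6-10 digits")
    salt = os.urandom(16)
    return PortOutPinRecord(salt=salt, digest=_derive(pin, salt))


def verify_pin(record: PortOutPinRecord, candidate: str) -> bool:
    """Check a PIN presented during a port-out or SIM-change request.

    A locked record always fails, even for the correct PIN, so that the
    account has to go through a separate (and auditable) unlock process.
    The digest comparison is constant-time to avoid leaking match length.
    """
    if record.locked:
        return False
    ok = hmac.compare_digest(_derive(candidate, record.salt), record.digest)
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_ATTEMPTS:
            record.locked = True
    return ok


if __name__ == "__main__":
    # Constructed walk-through: enrol a PIN, then simulate an attacker who
    # does not know it making repeated guesses against the support channel.
    rec = set_pin("482913")
    print("correct PIN accepted:", verify_pin(rec, "482913"))
    for guess in ("000000", "111111", "123456", "482900", "482914"):
        print("guess", guess, "accepted:", verify_pin(rec, guess))
    print("locked after repeated failures:", rec.locked)
    print("correct PIN after lockout:", verify_pin(rec, "482913"))
```

Two points worth noting for anyone evaluating a carrier's implementation. First, the hash removes the plaintext from the database and from the support agent's screen, which is the property the commenter asked for, but it does not by itself stop a social-engineering attack: the attacker now targets the PIN reset path, so that path needs the same rigor (identity proofing, a waiting period, customer notification on the old contact channel). Second, because PINs are short, the lockout counter is doing most of the work against online guessing; the slow hash mainly protects against an offline attack on a leaked database.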
