A Pinocchio pupett

REALLY?

REALLY Wireless is a new cell carrier backed by significant venture capital funding. The carrier aggressively touts its focus on privacy. One of the first visuals on REALLY’s homepage makes the pitch:

Trackers, Trackers Everywhere

On that same homepage, I find a bunch of trackers from companies like:

  • Fullstory
  • Google
  • Facebook
  • LinkedIn

Not only is REALLY collecting a bunch of data in the “what they keep” section of its diagram, but it’s also giving the data to third parties.

Spy-Proof?

Not all data collection by cell carriers is nefarious. Information about a device and its location is necessary to make cell service work. Further, laws often compel carriers to share specific information with certain entities. When a 911 call is placed from a cell phone, carriers must help emergency services locate the caller.

In 2022, a company called INVISIV launched PGPP (Pretty Good Phone Privacy). The idea was to prevent tracking of users’ locations via their phones’ IMSI numbers. The product got some press since it was technically and intellectually interesting. It narrowly focused on just one type of data collection. INVISIV didn’t pretend the product was a perfect remedy for even that single type of data collection.

REALLY, however, is happy to make audacious claims. Here’s another visual from the homepage:

Screenshot from REALLY's website with the text 'spied on by no one'

Come on. If REALLY came up with technology that made users immune to spying, security researchers and federal agents would be knocking on REALLY’s door (or perhaps breaking it down).

Be Better

Here’s one last visual from REALLY’s homepage:

Screenshot from REALLY's website with the text 'better for the planet'
I have some advice for REALLY if it’s trying to make the planet a better place.

STOP LYING.

Picture representing the concept of a security breach

TracFone Security Breach

TracFone is experiencing a security incident. Some customer data was compromised, and attackers sometimes managed to port out phone numbers. TracFone put up a webpage with details about the incident:

We were recently made aware of bad actors gaining access to a limited number of customer accounts and, in some cases, fraudulently transferring, or porting out, mobile telephone numbers to other carriers. These bad actors may have had access to your name, address, PIN code, account number, secret question (but not answer) and email address to the extent you provided us with such information.

It sounds like TracFone tried to contact affected customers but may have been unable to in cases where numbers were ported out:

We may have made an attempt to contact you, but given the nature of this activity, messages to impacted mobile telephone numbers may no longer be accessible by some customers.

I’m unsure about the scope of the issue. In a brief search, I couldn’t find any direct reports from affected customers. That may suggest the breach was minor. On the other hand, the incident seems serious since it spurred TracFone to run a banner drawing attention to the incident across TracFoneWirelessInc.com:

Screenshot of a banner drawing attention to TracFone's security incident

I don’t know which TracFone brands are affected. I didn’t see a similar banner on the websites for TotalWireless or StraightTalk.


Hat tip to Dennis Bournique, who drew my attention to this story.

Update icon

Visible Security Update

Earlier today, Visible shared a few tweets with updates on the security issue I posted about yesterday. Here’s the important bit:

Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts.

Taking Visible at face value, it looks like the attacker is exploiting information leaked in an unrelated data breach.1 Consequently, I’m not sure it’s entirely accurate to say Visible was hacked.2

I’m not sure what end game the attacker has planned. It sounds like many people are seeing fraudulent phone orders charged to the billing information on file in compromised accounts. Even if the fraudulent orders are fulfilled, it should be easy for Visible to track down the culprit. After all, the company knows where each phone is sent. Maybe I’m missing something.

Spitballing, I came up with a few possibilities:

  • Fraudulent orders could be a red herring to distract from the attacker’s real goal.
  • Multiple attackers could be working independently with the same compromised data.
  • An attacker could compromise numerous accounts and send phones to a large number of addresses. If only a small portion of the addresses were under the attacker’s control, it would be difficult and expensive for Visible to track down the attacker.

I don’t find any of these possibilities particularly likely. It’ll be interesting to see how this plays out.

Picture poorly representing the concept of identity theft

T-Mobile Admits Customers’ Personal Data Was Hacked

Today, T-Mobile shared another press release about its recent security breach. In today’s release, T-Mobile finally acknowledged that customers’ personal data was definitely compromised.

T-Mobile shared details about the scope of the breach:

Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile.

While sensitive information was compromised, it looks like financial details, including credit card numbers, were safe:

We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information…Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information.

My biggest question now is whether T-Mobile has a good justification for keeping former customers’ SSNs on file.

Image reading "system hacked"

Huge Data Breach At T-Mobile

Yesterday, Joseph Cox at Motherboard reported that a hacker was trying to sell stolen data from 100 million T-Mobile customers. The compromised information isn’t trivial:

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

The hacker allegedly downloaded all of the data locally before losing access to T-Mobile’s servers.

Today, T-Mobile issued an evasive press release and acknowledged that its systems were compromised (emphasis mine):

We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed…We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed…Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

Bullshit. Customers’ personal data was compromised. T-Mobile knows it.

I won’t be surprised if this data breach ultimately ends up looking similar in magnitude to the infamous 2017 Equifax fiasco. T-Mobile’s stock closed today about 3% down from its closing price on Friday.1

Update:
Lawrence Abrams at BleepingComputer shared an article with additional information and rumors. Here’s one interesting bit:

The threat actor claims to have hacked into T-Mobile’s production, staging, and development servers two weeks ago, including an Oracle database server containing customer data…’Their entire IMEI history database going back to 2004 was stolen,’ the hacker told BleepingComputer.

SIM Swapping Issues At Mint Mobile

Yesterday, Mint Mobile’s co-founder, Rizwan Kassim, posted to Reddit acknowledging recent security issues. Here’s the key excerpt:

We’ve been reading your inquiries around the recent security concerns. Despite deeply wanting to respond to your questions, we haven’t been able to due to some pretty rigid compliance regulations around what we can share publicly, especially while we engage with law enforcement.

So what happened? We can’t share much, but in short, Mint Mobile was the victim of a social engineering incident last month that impacted a small number of subscribers. We have been in contact with impacted subscribers and quickly restored their services. We also continue to investigate this incident.

The post is sparse on details, and I don’t entirely accept Mint’s claims about being unable to share further information. However, Mint deserves credit for making the post and pinning it to the top of the r/MintMobile subreddit.

As best as I can tell, something happened almost a month ago that led to Mint subscribers becoming victims of SIM swap attacks. At least two reports surfaced to Reddit. I’m suspicious a significantly larger number of customers were affected, and I’ve asked Mint to clarify.

About a month ago, Mint also had an incident where a large number of subscribers received unexpected password reset notifications. I think that incident was unrelated to the recent SIM swapping, but I’m not sure.

Mint’s Ticking Time Bomb

Mint walked into its latest security troubles. I wrote the bit below over a year ago:

A Reddit user suggests Mint Mobile’s policies may leave subscribers vulnerable to SIM-swap attacks. I haven’t dug into it, but it looks like a real issue.

While searching through old Reddit posts this morning, I realized Mint subscribers were regularly talking about this security issue for at least two years. Lots of Reddit posters have asked Mint to implement two-factor authentication or secure PINs for porting numbers. Here’s one notable example from six months ago:

Mint does NOT have pins to protect against SIM swap attacks, sadly. It’s really their only defect, and it’s a massive one.

Mint really, really, really needs to add the ability to have a user-set PIN (that they store in their system as a hash, so no one inside can ever see the PIN plaintext, just confirm that you have the right one)…It is totally mystifying to me and other security professionals why r/rizwank [Rizwan Kassim, Mint co-founder] is setting himself and the otherwise-great company he created up for massively bad publicity and legal expenses when his users get hacked en masse by eastern european mafiosos. As Mint grows this is inevitable as long as Mint refuses to implement PINs.

For quite a while, Mint has claimed to be interested in adding security features. The latest issues may lead the company to prioritize actually releasing something.

Security abstract

Google Voice Call Forwarding And Security

Google Voice makes it easy for users to forward calls and texts from a Google Voice number to other phone numbers. It’s a great feature, but Google Voice users should be sure to disable forwarding on any numbers they don’t maintain possession of.

If you cancel service for a phone line and don’t port the number to another carrier, the inactive number can eventually be reassigned to another person. If someone else is assigned your old number and forwarding is still enabled, Google Voice will forward text and calls to the new owner of the number. Beyond the security and privacy vulnerabilities this presents, it can be a nuisance. The new owner of a phone number may get unwanted calls and texts. The prior owner of a phone number may miss calls—if a Google Voice call connects on a forwarding line, the same call can’t be picked up from the Google Voice app (or on other lines that calls are forwarded to).

In an ideal world, Google Voice would scan a database of phone numbers that recently turned inactive. With that information, Google could automatically stop forwarding anything to the numbers found in the database. Unfortunately, I don’t think the kind of database I’m imagining is available at this time.

Beyond Google Voice, phone number reassignment causes a slew of underappreciated security issues. I don’t think most people consider that numbers they stop using can eventually be picked up by someone else.

Hacked Order Page At Boom! Mobile

The mobile virtual network operator (MVNO) Boom! Mobile was recently hacked. Ars Technica has a good article covering the incident.

A bit of malicious code was inserted in the checkout section of Boom’s website. Hackers used the code to skim payment information and credit card numbers from Boom’s customers. It looks like the malicious code was active for at least a few hours, possibly longer.

Boom’s website was running an outdated version of PHP. At this time, I don’t know what vulnerability the hackers took advantage of. I’m also unsure if this was an isolated incident or if Boom was affected by other security breaches.

I’m not sure Boom should have been handling its own payment processing. The carrier may have violated PCI DSS rules.


Update: A representative from Boom posted the following on Howard Forums:

Hey guys,

Thanks for checking in.

boom MOBILE deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation. We have found that the malware was located only on our shopping cart at boom.us and not on any of our other sites such as myaccount.boom.us which is used by customers to manage their billing. We encourage customers who may have made a purchase from www.boom.us between 9/30/20 – 10/5/20 to take the necessary precautions with their credit card company. This incident did not compromise any boom MOBILE accounts, saved payment or autopay details. Our saved payment/autopay system does not store any bank information and was verified to be safe. The credit card processor provides us with a secure token than can only be used by boom! MOBILE from our secure server. We are committed to protecting your data & privacy. We are PCI compliant and do not store financial data on our servers. Our shopping cart provider has ensured us our site is safe and the malware has been removed.