Couldn't T-Mobile send their own SMS's to their employees pretending to increase the payout to $600, then fire any employee that replies?
Or maybe change the terms of use for the employee line discount to allow monitoring SMS content or metadata for security threats to the companies users?
T-Mobile could do many things (not sure it's legal to pretend you want to pay for SIM swaps, but that's beside the point), but first we need to establish why they would care.
I haven’t seen much evidence in the past they would.
They don't care. Source: got swapped on TMo, front-line CSR fixed it but no one else at the business cared; would not even refund my final bill. Solution: move to Google Fi. It has a word-of-mouth reputation for being resistant to this, which I believe if nothing else because Google has almost no human support to bribe/phish.
Google Voice too. No human tech support. It's kind of weird how having no human to talk to can be a good thing in these high security matters. No social engineering attack surface.
I've just realized that, even though I've used Google Voice as my primary phone number since before it was Google Voice -- for about 18 years now -- I have never really had a problem with it[0], and I've also never paid a dime for it[1].
It seems like a well-oiled machine.
0: Well, some places don't like using GV for 2FA (and demand a "real" cell phone number), and some other places don't think it can do short-code messages at all, but those aren't issues that anyone at GV could ever solve even if those people did exist.
It's more of a recent thing, but I am a little worried about how common it is becoming. I've used my GV number since at least 2007 for everything.
My bank accounts at banks I like have never complained about my Google Voice number and still don't. My bank account at Bank of America had some security check I needed to complete at some point and my Google Voice number that had been in their system for a decade I was told was not eligible anymore and I needed to actually use my real phone number.
I could almost put up with it if it was for things that need to be secure, but my 7-11 rewards account rejected my phone number at the gas pump a few years ago and Target rewards also started blocking my GV number.
I use Google Voice as my main number on my Pixel, but also on a burner phone to harass overly aggressive recruiters. When I set up Google Voice on the burner it made me load it with credit, but surprisingly all the calls and texts I've made with it are free.
Things are pretty stable because Google Voice has barely changed in the past decade, but when things do go wrong there's no one around to look into it.
There was a time many years ago when Google Voice would intermittently fail to ring or even forward calls to another number when I tried that, and then give no indication that a call was ever made to your number that you missed (I verified it by asking when people I knew called me and said I never got back to them), which is pretty bad when you're expecting to receive important calls sometimes. This went on for months. I received bare minimum support which didn't even come close to helping the issue even though my issue was voted to the top of the support boards because many other people were having the same issue at the time. I'm glad you personally haven't had an issue but you should be prepared to have one at some point and get essentially no help.
Do these databases see through number portability, or are they just verifying that the area code + prefix is assigned to a traditional telco?
Because you can port a landline to Google Voice for $20, and, in my experience, random Internet "phone number lookup" sites still show it as a landline years later.
The number gets classified differently in the "official" phone number database when you port it to a new carrier, including Google Voice. I used to have my US number in GV but ran into a lot of the 2FA issues as well as trying to use it overseas extensively. Eventually, Google will figure it out to the point where it is no longer tenable to try and keep working around it. I caved and bought a $5/mo eSIM plan from Tello. They don't seem to care that I'm not in the US 10 or 11 months out of the year. I can use wifi calling to send/receive texts for 2FA for free, and iOS even supports using the data of one SIM/eSIM as the "wifi" for a different phone line also present on the device. So even if I'm out, I hop into settings, turn on the second line, it uses my EU data plan to fetch new messages via "wifi calling" and then I get my 2FA code or whatever. Takes about 30 seconds in total.
Is it the most convenient thing ever? No. I have an older iPhone because I'm a cheap bastard so I turn off the other line when I'm not using it, otherwise it will constantly look for a compatible roaming signal which it will never find because I have not authorized any international charges on that account (battery drain).
My class read a science fiction story in CS about a guy getting executed on death row for a late library book in a comedy of errors where a series of automated systems glitch out and a detached bureaucracy is slow to react. Or something like that.
I feel like it should be required reading to protect against "automate all the things" hubris.
Sounds somewhat reminiscent of the Terry Gilliam film Brazil. Basically a fly dies and gets caught in a teletype machine, causing the name on an arrest warrant to be misprinted. This snowballs into all sorts of darkly humorous and depressing hijinks.
Basically a modernized version of the premise of "The Trial" by Franz Kafka. An unknown authority charges the character with an unstated crime and bureaucracy chugs along on errors and assumptions.
That’s a real reason I don’t comment on YouTube or risk using any other Google services except Gmail and Voice.
God forbid I chargeback a purchase on Google Pay (or whatever their PayPal is this year) and trip some anti-fraud system that locks me out of my 20 year old email account. We all know their support is either automated or nonexistent, so it’s not worth the risk.
But there are many providers that you pay actual money to (like Fastmail), and if something goes wrong you, as a customer and not a potential ad target, are their top priority and you can call a human on the phone.
Oddly enough, the EU isn’t racing to bust down the door of these “gatekeepers” and require third-party interoperability with this socially-critical service.
Pretty much just an apple thing as far as I can see.
I think this is one of the reasons that Google Plus failed. It's like if North Korea set up a social network. Nobody would post, because post the wrong thing and get executed.
If you see what people post with their real name on newspaper comments, Instagram or Facebook, it's clear that people don't care, or don't think that far ahead.
Google Plus failed for many reasons but I doubt that one was a big factor.
I've mentioned this a few times and don't feel like restating it, but if you're curious about my "I was locked out of every single Google service for 'fraud' that I didn't commit, don't know what they were talking about, and never got a single response even after sending them my driver's license multiple times to prove my identity" story, it's somewhere in my comment history.
It's probably a tiny chance it happens to many people but it's something to consider. I had nobody to talk to. No store to go to. I lost cell service for a week until I migrated everything off of google.
Just something to be wary of.
edit: I tried to dig it up; it's about a year old and... oof, yeah, I'm not going through pages and pages of paginated HN comments. Moral of the story is what I said above.
Lazier than you think! You almost nerdsniped me into seeing how fast I could whip up a crawler but then I checked the search and found out it can find comments and use a custom date range.
My main problem with google fi is that I also use gmail heavily, and if the algorithm decides to cut me off one day for some reason, I don't want to lose access to my primary phone number and primary email address at the same time.
Still seen swaps with Google Fi. Efani is a much better option if you actually want protection. I am a cyber lawyer and that’s our recommendation to any clients who care. I can’t recall if Efani is throttled on AT&T or Verizon as MVNO, but one isn’t. Easy to ask them.
>Efani is a much better option if you actually want protection
Their website says it's $99/month. That seems a bit steep to me considering all they're providing over a regular provider that charges $29/month is that they do a bit more verification when you claim that you lost your sim. It's not even clear whether they protect against a port-out attack, which is probably worth worrying about as well.
Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work. They also have no other lines of business like device sales/financing that could help cover those human operational costs.
That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
>Presumably Efani accomplishes that additional protection by maintaining a human support staff they put more resources into training than the average carrier. That's expensive, especially when you consider that it's a relatively niche service (so small user base to amortize that cost over) and presumably only used by people that really care about sim swaps, likely because they are frequently targeted for sim swaps, and thus the training needs to really work.
According to the BLS, "Computer User Support Specialists" get paid $30 on average[1]. Whatever training they give to staff to resist SIM-swap attacks, I can't imagine it can be more complicated than the certifications that "Computer User Support Specialists" have to get through, so I think it's reasonable to model their support costs at $30/hr per person. With the premium they're charging over a budget MVNO they can afford two support people per customer. How many fraudulent SIM swap attacks could the worst client possibly attract? Is it really that hard to train someone to deny SIM swaps until they go through 11 steps of verification like their website says?
>That, plus the fact that it's a premium service that is mostly only useful to higher net worth / higher income people, makes it seem reasonable that it would be quite expensive relative to a regular provider.
I mean yeah that's the more reasonable answer. It's a luxury product and priced accordingly.
Same goes for Mint Mobile. They are/were an MVNO now owned by T-Mobile. I have no reason to go into a store since the service just works and I never do much but confirm auto-pay is working. Looking at the site now, it's been T-Mobilized with stuff like carrier-locked phones, but otherwise I've seen no meaningful changes.
I'm pretty sure T-Mobile could legally do that to their own employees. Corporate security teams are always sending fake phishing emails to test their employees' gullibility and send them off to Re-education Camp.
Yeah, I'm sure a well paid attorney could probably come up with some legal theory that "makes it OK" to attempt to entice an employee into committing a crime for the purpose of rooting out employees who would commit a crime in exchange for money.
A well paid attorney worth their salt will likely tell you that you don't want to test that theory with a court and the various employment watchdogs.
Engaging in such a plan and through happenstance and human fallibility ending up actually creating harm to an actual customer could potentially expose you to a tort claim.
> not sure it’s legal to pretend you want to pay for simswaps
I don't see a big difference between this, and sending fake phishing emails to employees to see if they bite, which is a fairly common practice.
In this case though, it doesn't necessarily have to be T-mobile that does it. It could be local law enforcement, and they could potentially trade immunity for information on real bribers.
Clicking on a phishing link is not illegal. Therefore, it is OK for corporate to send fake phishing emails. This would be instructing employees to do something illegal.
Likewise, a CEO cannot instruct the accountant to steal money from the company account as a test.
I believe there are telecommunications regulations involved that prevent them from erecting barriers during the SIM swap process. This might be one of the main reasons it's such a juicy vector.
You may be right! They might not be able to do a "24 hour cooling off" period. Even sending text messages to that number once an hour for a day saying "TEXT STOP TO STOP SIM TRANSFER OR CALL 611" would stop a lot of these.
I'll have to google a bit and see if they are restricted.
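The "cooling-off period" idea from the comment above, as an added Python sketch that is not from this thread or any carrier: a transfer request is held rather than executed, the old SIM gets one warning text per hour, a STOP reply cancels the request, and only an unanswered hold completes the swap. The hold length, the warning text, the clock values and the hourly scheduler loop are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)          # cooling-off window before a swap executes
REMIND_EVERY = timedelta(hours=1)   # one warning text per hour to the old SIM
WARNING = "TEXT STOP TO STOP SIM TRANSFER OR CALL 611"


@dataclass
class SimTransfer:
    """A SIM-transfer request that is held, not executed, until HOLD elapses."""
    requested_at: datetime
    reminders_sent: int = 0
    cancelled: bool = False
    completed: bool = False

    @property
    def state(self) -> str:
        if self.cancelled:
            return "cancelled"
        return "completed" if self.completed else "pending"

    def poll(self, now: datetime) -> list[str]:
        """Called by a scheduler. Returns the warning texts that are due for the
        old SIM at this poll, and completes the transfer once the hold has
        elapsed with no STOP reply received."""
        if self.state != "pending":
            return []
        elapsed = now - self.requested_at
        # one warning at request time, then one per full hour, capped at the hold
        due = min(elapsed // REMIND_EVERY + 1, HOLD // REMIND_EVERY)
        outgoing = [WARNING] * (due - self.reminders_sent)
        self.reminders_sent = due
        if elapsed >= HOLD:
            self.completed = True
        return outgoing

    def reply(self, text: str) -> bool:
        """Inbound SMS from the old SIM; STOP cancels a still-pending transfer."""
        if self.state == "pending" and text.strip().upper() == "STOP":
            self.cancelled = True
            return True
        return False


def run_scenario(victim_replies_stop: bool) -> tuple[str, int]:
    """Constructed scenario: swap requested at 09:00 and polled hourly; the
    victim either texts STOP after the third warning or never answers."""
    t0 = datetime(2024, 1, 1, 9, 0)
    transfer = SimTransfer(requested_at=t0)
    for hour in range(25):
        transfer.poll(t0 + timedelta(hours=hour))
        if hour == 2 and victim_replies_stop:
            transfer.reply("stop")
    return transfer.state, transfer.reminders_sent
```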
T-Mobile should make a few loud examples out of those proven to be doing this. Deterrent is the best medicine. Of course they don't want this kind of attention so they'll do as little as possible.
If your phone number being stolen causes your savings to get drained for long enough that you run into problems making important payments like rent, taxes, or car payments, that can pretty quickly spiral into even worse situations. In a world/country where many people have too few savings to go even a month without being paid, losing even that can get extremely dangerous. Not to mention the stress of such a situation alone will probably take quite a bit off your life expectancy.
While I absolutely understand the point you're making...
At least in the United States, we also live in a society where the financial ramifications of getting shot could lead to equally bad financial outcomes (whether directly or indirectly).
Or, crazy idea, we do not give minimum-wage retail sales reps the ability to control access to the online accounts of hundreds of millions of people.
Reps for T-Mobile are not making minimum wage. Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
You can make $15/hr as an entry-level cashier - your first job, zero job history - at CVS and Walgreens, with tolerable health/dental/eye insurance.
And if you're not entirely braindead you can trivially become a pharmacy intern (then tech) and start at $18-$20, with benefits. They'll pay for your licensing. You can make $18-$22 to start as a telemetry or video tech, with zero experience. Hospitals are filled with people sitting in rooms watching video monitors making sure patients don't fall over or hurt themselves, it pays 3x the minimum wage and requires zero experience.
If you're making $7.50 /hr at this point, you're either living somewhere very barren (almost zero economic opportunities), or it's your own fault.
> Almost nobody in the US earns minimum wage at this point, it's less than 1/2 of 1% of labor.
Almost nobody makes federal minimum wage.
It's gotta be at 2%+ making state minimum wage though.
CA for example has a minimum wage somewhere north of $15, and like 10% of the population makes minimum wage or less. That right there pulls the number for the whole country up to at least 1% making minimum wage, because CA is >10% of the population. (Extreme example, since CA also has the highest real poverty rate in the US (SPM, not the hilariously undercounting OPM)).
Even so, retail sales jobs are often heavily commission adjusted which makes this not so cut and dry.
Sell sell sell, or you are well below the poverty line and quickly replaced by someone more willing to cut corners on the activities that are not profitable like carefully checking ID.
What is the dollar value of getting access to a phone number belonging to a celebrity or a billionaire? I don't know the exact amount, but it is 100% more than what T-Mobile can feasibly pay all of its employees. Do you think security guards protecting the federal reserve's gold vault get paid more than the value of the gold in that vault?