> The seller told Motherboard that 100 million people had their data compromised in the breach. In the forum post, they were offering data on 30 million people for 6 bitcoin, or around $270,000.
Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
On a slightly more serious note, is anyone aware of a compilation of prices paid for such data? I'm imagining something like a Consumer Price Index [1], but for stolen private data. Maybe far in the dystopian future inflation will make life harder for hackers.
That's one way of looking at it, the other is that the financial system itself begins to fail under the volume and price of fraud.
Ransomware ransoms have increased massively. They were often a few thousand dollars only a few years ago; now we often hear about $50m+.
On the smaller scale SMS/email phishing has got absolutely enormous too in volumes. Banks and credit card providers are refunding 100s of millions (if not more) in fraud, in actually a very low margin business (retail banking). It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to almost exponentially grow.
> It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to almost exponentially grow.
Preventing this kind of fraud is a solved problem. The reason it still happens is that banks are forced, through competition, to minimise "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way.
At the moment we're stuck in a "marketing armageddon" of banks competing with each other by not properly verifying identity before granting credit or transferring away money. This seems to me like a Tragedy of the Commons.
If, across the board, people were required to prove their identity properly before banks rely on them, then the problem would go away overnight. It'd be a bit more tedious for consumers, but I don't see how that would cause banks to fail. The cost would merely move from fraud to identity verification.
Perhaps some people wouldn't be sold credit that they can't afford, but I don't buy that such people are keeping the banks afloat. Before banks stop operating retail banking services, I'm sure they'll just start actually verifying identity properly to keep that market.
As someone in the banking industry, this is the "right" answer. When I got started in banking I was pretty shocked about how easy it was to "authenticate" yourself to open a bank account. For example, this breach has pretty much all the things needed to open an account in someone else's name: Name, SSN, DoB, Address. That's pretty much all the KYC services use for validating an account application.
There are, of course, easily added forms of additional verification - for example, Stripe just added their Identity service which lets you take a picture of your driver's license and then match the image against a selfie. But that puts "friction" in front of the application process, so most banks don't do something like this unless other signals make them think the application has a high fraud risk.
If basically everyone's Name, SSN, DoB and Address is easily viewable public info, this will all change.
On the other side of that, there is such thing as too much friction.
Shortly before BBVA closed them, I was in a back-and-forth to open an account with Simple.
First, my ID was too shiny, then it wasn't black and white, then it wasn't color, then they wanted a picture of my apartment building, then ...
it was just on and on and on for three weeks. It got to the point where I asked what exactly they wanted and they literally told me that they cannot tell me because it would allow me to commit fraud. I asked if I could talk directly to their fraud team to figure out what exactly: nope. Can't do that, they can't talk to you.
So I was expected to either read their minds or play infinite whack-a-mole with them where they say one thing in one email then say the opposite in the next.
Yes, no problem with that. Eventually a long standing established digital identity is needed. Provided by anyone, state, bank, etc. Opening a new one should be easy though, but risk assessment should be done at every step (as the account gains new trust in whatever system).
Security doesn’t appear on a balance sheet, but security expenditures and related depreciating assets certainly do appear. A classic example of measuring the wrong thing.
If you can explain to me how a monthly service where payment is required in full every month requires a credit agreement, I'll (don't know, do something crazy like eating my hat) - this is the standard service provider contract, for some reason it is considered a credit instrument and can land on your credit report.
That being said, you are right, there are prepaid options and postpaid with a deposit ($50) that can put you outside of this SSN requirement on T-Mobile. I guess you have to know to ask for them. It is for credit, that's the only reason they can ask for your SSN.
Everything is credit based now, and for some people their phone bill might even be their first positive (or negative) mark on a credit score rating.
It's credit because, regardless of whether you pay in full every month, you receive the service before you make the payment. That opens up the service provider to the risk that you'll ring up a huge bill and then skip out on the payment, and all of the rules around credit are designed to mitigate this fact.
The standard service provider contract you mention (in the US) is "postpaid": you pay at the end of the month for the usage you had during that month. This is credit: you use the service, then pay after for what you used. That's opposed to "prepaid" service, where you buy "minutes" or "data" before use, and must manually buy more if you run out.
I have been through many phone sales and the postpaid model does not always have to account for price variability. There are plenty of fixed cost plans with unlimited calling. They will still ask for your social security number and try to make you a new credit account before they tell you there is a deposit option possible.
I have no idea why it would be to the advantage of a business like T-mobile to get you on a postpaid plan when there is no possibility of running up your bill. It's still the option they push on hardest when you walk up to the storefront.
The credit model is the default model. That was my point. I don't know that I had a point.
You shouldn't need to maintain a credit account just to keep a phone number, but I guess it's real estate and that's valuable, they will put it back into the pool if you ever stop paying the bill. I haven't had to deal with these kind of problems myself for a long time, but the pain is still fresh.
> The reason it still happens is that banks are forced, through competition, to minimise "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way.
The best solution would be if the US introduced mandatory passports or other forms of ID cards with smartcard capability, similar to the German Personalausweis. It has a secure cryptoprocessor with key vault, meaning it can be used to sign documents (if the bureaucracy to get a signature CA wouldn't be completely stuck for years now, SIGH), but especially companies willing to use authenticated data can fetch them securely over any NFC enabled terminal. Quite ingenious.
This would entirely kill ID fraud at the source. The problem only seems to be an aversion in some parts of the US population against ID documents.
I don’t think you’ll see this happen in the US any time soon, literally because of a Bible verse; Revelation 13:16-17 (King James Version):
16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
It’s not talked about a lot here, but this verse is the go-to for many flavors of Christian politics in the context of federal law and national identity.
The pathetic irony is that intelligence services and dozens of corporations have already done this. So we citizens, err consumers, have all of the downsides and none of the benefits of authenticity.
In addition to the sky faerie grifters, the anti-rationality mentats categorically oppose allowing government to govern.
The problem is the US would first need to grow the political will to ban most businesses from demanding and then long term storing that ID. As it stands right now, for needlessly invasive things like supermarket discount cards you can just give them a bunch of fake info, and get a new nym every year or so to make your history less useful. But with an unrestricted smartcard ID, there would be no escape from the commercial surveillance web. Something like the GDPR is a hard requirement before stronger identification is palatable in the US.
> The best solution would be if the US introduced mandatory passports or other forms of ID cards with smartcard capability, similar to the German Personalausweis. [...] This would entirely kill ID fraud at the source.
Sure, fake or stolen passports and (often preliminary) ID cards from public offices exist and are traded on the darkweb, but ID fraud is so rare it's almost unheard of compared to the rampant fraud in the US.
I think part of it is deregulation in the USA too. As has been mentioned it is sooo easy to sign up for credit cards because banks want citizens drowning in debt. When I lived there I got like 4 credit card applications in the mail per day; every store has its own credit/rewards card; every company has the same idea to extract as much wealth from citizens at the expense of their good health.
All of this fraud is an extension of that deregulation, which leaves people exposed. Frankly a slower moving economy is probably BETTER in the long run, but it’s all numbers and figures nowadays. People are reduced to an SSN number.
No. Doing so in a way that is intentionally designed to be more difficult for disadvantaged groups to fulfill so that they do not participate in the democratic process--that is not "considered" racism, it is racism.
But you know that. It must be hard to be so aggrieved.
> intentionally designed to be more difficult for disadvantaged groups
Why is obtaining an ID "intentionally designed" this way? Don't you need to get a driving license to drive? A passport to re-enter the country? Do disadvantaged groups not get driving licenses?
> Why is obtaining an ID "intentionally designed" this way?
Because when you make the places to get them few in number and difficult to get to, then make the lines to get them very long, you create hurdles for people who have jobs that are not overly friendly towards long or variable absences.
This is intentional, much as many places in the United States have reorganized voting locations to themselves be difficult to get to. Disenfranchisement is intentional.
> Don't you need to get a driving license to drive? ... Do disadvantaged groups not get driving licenses?
Many in the United States live in urban areas where they're not required and where they may not be economically feasible. (These folks tend not to vote for the people who are pushing ID requirements.)
> A passport to re-enter the country?
The set of Americans who never have cause to leave the country is very large.
I've never seen the problem explained this way. Thanks for helping me to understand. Seems like we could "fix it" if there was some way to make obtaining the IDs easy and quick. I doubt there's a solution for that, however...
There are ways, but they would require the cooperation of the political actors who don't want people whose votes they do not have--and, more generally, who they appreciate being at the mercy of the police in very actionable ways, which is the other issue with a lack of identification.
I'm still kinda shocked that it took so long to get chipped credit / debit cards in the US, and the fact that credit cards still don't have pins...
Most of the online transactions I do with my credit card in Europe require me to verify them via some approval app (often the bank's own app) before they're submitted.
But I guess it's more profitable to just let US folks spend spend spend and rack up huge debt burdens. The interest is probably higher than whatever anti-fraud efforts cost them at the moment.
I think you would be surprised how much fraud still happens with strong identity protections.
Here in the UK strong customer authentication and strong proof of identity is a requirement in law, breaching it lands you in significant amounts of hot water. So at the bank I used to work at, identity theft was pretty rare and only made up a tiny fraction of the fraud we saw.
A much bigger share of the pie, and the area that we really struggled with, is customer authorised payments. The customer gets socially engineered into parting with their cash, and as a bank we're expected to reimburse them if we can't prove that we didn't take steps to detect the scam in progress and prevent the customer making the transaction.
Doing that has “economic costs” too. I have seen both the models. In the US, you can walk in to a dealer and walk out with a car. Elsewhere, you usually get your preapproval before you start car shopping. Then usually you have to go to the bank to close the paperwork and get the car in a few days to a week. It’s for the best in general. But it’ll make people make more informed decisions and that’ll reduce the spending.
And proper identity verification - like looking at the document in person - also has downsides. It still can be forged. Just a little harder than what we have. (Other countries with mandatory physical KYC and a wet signature still have fraud issues.)
Overall I think it’s a lot of added cost and inconvenience for a slightly better benefit.
As a counterpoint, I recently tried to sign up for a store card to take advantage of promotions on a large purchase. I was not approved - apparently because "my phone number could not be validated". This even though I had my driver's license, SSN, and spoke personally with a bank representative. Weird.
Can't comment on why the other things weren't enough, but do you have a "real" phone number or is it VoIP? I was unable to verify my Twitter account until I contacted support, nor could I get the IRS website to take my number when doing taxes, and I think the reason is that my (small) carrier uses VoIP: https://help.republicwireless.com/hc/en-us/articles/36002509...
The US system of credit reporting and associated ease of establishing credit is like super convenient. But it's largely based on trust. There isn't a whole lot of identity verification, and there are a lot of parties in the system that take identifying information at face value and run with it.
This is nice when it's actually you, but it's a giant PITA to unravel when it's not. My spouse's name and SSN were used to rent an apartment in Oakland, as well as in attempts to open credit cards at the apartment address (thankfully they tried to open an account at Amex but she already had one there and they called to confirm; at least one issuer said they were likely to approve). We were able to get all the credit applications denied/cancelled, but the rental lease is harder; the leasing office says they can't do anything without a criminal complaint and Oakland PD won't talk to us.
I don't want to contradict your experience, I'm sure it's real as you describe it.
Are you aware that California Penal Code sections 530.5-530.8 require the law enforcement agency in the area of an identity theft victim to take a police report?
If you call them, they ask you to fill out a report online. If you fill out a report online, they don't appear to do anything with it.
Also, we're not in California. We reported to our local PD, who did call us to get additional information, but obviously isn't going to spend a lot of time on something they can't do anything about. Oakland PD could presumably visit the apartment and see who's there or something.
Most of the things you're supposed to do revolve around documenting things (which filing a police report does), so that when these accounts get reported on credit reports later, you can contest them and they'll be dropped. But in the meantime, there's nothing to be done about a fraudulent lease.
Good! Maybe then the government will actually start to care once the lobbyists start to ask for help.
The downside is that the "help" will probably just consist of funneling more taxpayer money to large shareholders and execs, while banks figure out ways to dodge liability without actually solving the problem.
Different parts of government. Legislators, especially, need to care about digital identity. They don't care enough (see below copy pasta; the rest of the FCW piece talks about how identity legislation has been punted to fall Congressional sessions) yet.
Maybe banks have to bleed more (Reg E mostly protects consumers from this fraud exposure) before they’ll come willing to regulators asking for it. If that’s the path to success, it’s a shame but not surprising.
“A draft version of the Senate infrastructure bill, which was obtained by FCW, included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with National Institute of Standards and Technology to combat fraud in unemployment insurance benefits.
In addition to the program administered by the Labor Department, the draft legislative language called for the Office of Management and Budget to develop a plan for federal digital identity verification, including an inventory of current efforts and a study of the feasibility of establishing a governmentwide system that provides equitable access to users of government services and protects privacy. There was talk in the administration and in the Senate of adding $3 billion in funding for governmentwide identity solutions as part of the infrastructure bill.
Instead, the entire section on program integrity covering the digital identity grants program and the OMB policy push was removed from the bill before it came up for a vote and was not offered in any of the amendments that came up as the bill was debated on the Senate floor.
The White House and various Senate press offices by and large did not respond to emailed questions from FCW about what happened with the digital identity section of the bill.”
Is the government required here [0]? Could commercial operators not improve their own security through their own investment and taking it seriously? If ransomware hits them in the chequebook where stolen customer data didn't, then they might find that quite motivating?
The government is the final arbiter in a bunch of cases you care about. Whether you are (for example) a US citizen is not a decision for T-Mobile, or Amazon, or Walmart, or Delta, that's up to the US government†
The government (and not private corporations) tracks births, deaths, immigration, emigration, and of course it chooses to issue identity paperwork.
In general the closest commercial entities like banks can do is identity matching. So e.g. maybe Bank A asks you "Hey, do you have, like, a mortgage? Who with?" and you pick Bank X from the list of six options and OK, either that's a lucky guess or you know that "you" have a mortgage with Bank X.
This is pretty poor, it's something, but it's not very much, it's up there with Facebook's "Here are some pictures of people, which of them is your friend?" which of course falls down when either: You "friend" people you don't actually know and wouldn't recognise; or your "friends" don't like Facebook having accurate photo data and intentionally mislabel random other people or things with their name...
And as with the Facebook thing it breaks in surprising and hard to reproduce/ demonstrate ways. Maybe you think of this as your Big Bank mortgage, but if you check the small print it's actually a Different Bank mortgage, that Big Bank are re-branding, and so you just picked wrong.
So yes, in practice government is where this would get solved, if you've any appetite for solving it.
Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
The revenue isn't 6 BTC. It's 6 BTC * however many people are willing to buy at that price. More suppliers would surely drive the price down, but at this point there are probably tens of thousands of people who'd buy if the data was cheaper, so it'll remain profitable for a long time.
> FULLZ: Slang for a full package of personal information connected to an individual, fullz provide enough information for a criminal to steal and profit from a victim’s identity. Fullz generally include the victim’s name, Social Security number, date of birth, account numbers, and more.
> REPRESENTATIVE SAMPLE OF 2019 FULLZ PRICING IN USD
> 2018 credit card and fullz from service industry $10
> Cashing out bank accounts and fullz empty it $4
> EU/Asia/UK credit cards / fullz $860
> $20,000 bank loan cashout using fullz $30
> Fullz SSN - DoB $5
> REPRESENTATIVE SAMPLE OF 2019 IDENTIFICATION DOCUMENTS AND PRICES IN USD
Yeah, a less liability-inducing and common thing to do is that you can use these to make accounts at exchanges and private equity that exclude people from your country.
Usually US and China and the OFAC list are excluded due to differing regulations
Nobody knows or cares. The financial institution, the capital raiser, the person with their ID used
You're just trying to get into some presales or trade derivatives and that doesn't have criminal liability.
Tell that to Carvana. This is their method of identification when they deliver a car. I told them I would just show the driver my license when he got here. Nope, they wouldn't do that.
Terrible company IMO. I ended up not doing a transaction with them and they wouldn't delete my data from their systems. Companies are just asking to be hacked when they store all this unnecessary data for people who are not even their customers.
Not to mention that it's somewhat pointless as a method of verification in the first place since you can't exactly check the validity of an ID in a grainy selfie.
> "Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?"
Not before the bevy of PII data points can be integrated into larger and larger datasets describing _individuals_.
Right now if you breach one database, you have one ‘snapshot’ of the elephant. Add more and more data, and soon you can make connections between private and public information.
What then? You could model a lot of information.
What street were you born on? First school? Early childhood friend?
No, because people who get compromised will eventually put in place anti-fraud measures, effectively giving stale data a half-life and at the same time creating new targets.
Not really. The prices of leaked data are already at rock bottom.
People can do very lucrative things with your identity that don't cause any liability to you. This may be more common than the horror stories, and there is no way to collect the data.
Think about it, someone shut out of the credit system uses your identity and gets a credit card and helps improve your credit score. Many people might see the unfamiliar line and just not bother, many people would never notice.
Think about things which wouldn't get reported: you would never know if someone had opened another checking account in your name, right now.
What about doing ID verification at an exchange merely to pass know-your-customer and anti-money laundering requirements to get greater withdrawals? Innocuous, as all account holders have to do that.
Yeah some people are probably getting framed.
It's more likely that this gets investigated properly and shocks everyone into repealing some money-stigmatizing laws since the wrong people are getting indicted.
Interesting, I had a very well-done phone attempt against my American Express card two weeks ago.
I have to wonder if all that data came from the T-Mobile hack.
* The caller ID was spoofed (not just the name, the actual number on my phone bill and phone app logs are a real AMEX number).
* The caller claimed to be reporting a fraudulent attempt on my account
* In order to verify my identity, please read back the six-digit PIN they're sending me (~ALARM BELLS GO OFF~)
* SMS 2FA shows up, "Enter this code to add your card to Apple Pay" (Oddly, this message doesn't carry the "WE WILL NEVER CALL YOU FOR THIS CODE" all previous SMS 2FA carried)
* I ask for a call-back number, for security purposes. I'm told "This is AMEX. This is AMEX." every time I ask.
I hung up, and froze the card. Then I called AMEX with the number listed on the back of the card. They acknowledged they did NOT call me at any point that day, that a transaction WAS attempted AFTER I froze the card, and issued a new card.
The caller was calm, call-centery, had my full name, credit card number, expiration, 4-digit CVV, and phone number.
I also learned that AMEX doesn't actually cancel the old card... my regularly billed transactions and new online purchases went through just fine with the old card info. I called AMEX to ask them to unambiguously reject all attempts for all previous card numbers, they acknowledged. Tried a few days later, the old number still works...
I had a very similar pattern happen a year or so ago on one of my bank debit cards. The difference in my case was that they made one fraudulent charge on the card beforehand to lend authenticity to the "we're the fraud team" claim. They knew the card number, and the details about the charge (presumably because they were the ones who made the charge). Then they tried to reset the password for my online banking login and asked me to read the security code I received via SMS to confirm my identity. Luckily the code sent to me was clearly labeled as a password reset code (though not with the "we won't ask for this code over the phone" line), so I froze the card and went down to my bank to talk about it. Apparently it had happened to a lot of my bank's members, and I was one of the few to not fall for it.
This should result in the corporate death penalty but won't so will keep happening. If you zeroed out all of the investors this type of mass compromise would immediately cease.
As long as -- cost of compromise < cost of security -- on and on this will go.
I'm curious for folks who like solutions like this, have you ever had a vulnerability in production? I would be shocked if most software engineers haven't had at least one outdated package, or one line of poorly-escaped javascript or similar at some point. It seems like luck (and maybe being a poor target) that these things are usually found before they are exploited. Should the companies we all work for cease to exist?
I agree broadly with regulations designed to raise the cost of security flaws and so on, but I feel like there's this expectation that if we make the punishment extreme enough, people will begin writing perfect software and operating perfect servers, and I just don't buy it. It seems sort of like saying if someone causes a production issue or accidentally leaks a database, they should be summarily fired. More likely it was a mistake, and we should understand why it happened so we can prevent it in the future.
If your billion dollar company's application architecture is such that any one compromised system leaks the entirety of your customer data, then you're definitely doing it wrong. It's not just a matter of one compromised package being able to wreak havoc, it's the scale and blast radius of the havoc.
If you're a billion dollar company, your attack surface is insanely large. Just as per usual work, thousands of people need to have access to the data, hundreds of software developers write code processing it and it's distributed over a lot of places. Plus, if you lock it down too much, things like simple customer service become either insanely expensive or outright impossible (imagine you'd need to iterate all your account details and show your passport just to answer a question about your account in a store!).
That's not to say that breaches like this should just get punished by a slap on the wrist; this clearly must not happen. But especially when the company is so large you simply have an insanely large attack surface that comes with it. And it only takes one weak spot on there for an attacker to get in. People have casually carried out all data from Facebook, LinkedIn and even the NSA (multiple times!) - security at that scale simply is hard.
> things like simple customer service become either insanely expensive or outright impossible
This is true. It is hard to design a CS backend that is user friendly and privacy cognizant at the same time.
However, the other issue is the sticky habit of companies to grab as much data as possible and keep it just in case. For example, this breach had the SSN next to the user's phone number, name and address. Why does it need to store the SSN in the first place after initial verification? It is not necessary for most of its operation. The only reason I can think of is if they want to report defaulted payments to a credit bureau. Although, storing the SSN can be avoided in a similar way to how payment APIs allow you to minimize handling of the credit card number; of course you need support for this from the credit bureau. If they aren't cooperative, you can still design the system in a compartmentalized way that simply does not keep an association between the SSN and other user info in one place, because the SSN is used in very narrow scenarios. There is not enough pressure on the companies right now to do that.
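The compartmentalized design the comment above describes, as an added illustration that is not code from any commenter or from T-Mobile: the customer-facing record keeps only a random token, the SSN lives in a separate vault that answers only for an allow-listed purpose (here the assumed purpose name `credit_bureau_report`), and the sample customer and SSN are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example of SSN tokenization: the directory that customer
# service and most of the stack touch never holds an SSN, so exfiltrating
# it yields name/phone/address plus an opaque token that cannot be reversed.


class SsnVault:
    """Keeps SSNs keyed by random tokens; the token carries no information about the SSN."""

    # Only the narrow scenario the comment names may read an SSN back out.
    ALLOWED_PURPOSES = {"credit_bureau_report"}

    def __init__(self, dedupe_key: bytes):
        self._by_token: dict[str, str] = {}
        # HMAC fingerprint -> token, so re-onboarding the same SSN reuses one token
        # without the vault having to expose plaintext for the comparison.
        self._fingerprints: dict[str, str] = {}
        self._dedupe_key = dedupe_key
        self.audit_log: list[tuple[str, str]] = []

    def _fingerprint(self, ssn: str) -> str:
        return hmac.new(self._dedupe_key, ssn.encode(), hashlib.sha256).hexdigest()

    def store(self, ssn: str) -> str:
        fp = self._fingerprint(ssn)
        if fp in self._fingerprints:
            return self._fingerprints[fp]
        token = secrets.token_urlsafe(16)  # random, not derived from the SSN
        self._by_token[token] = ssn
        self._fingerprints[fp] = token
        return token

    def reveal(self, token: str, purpose: str) -> str:
        if purpose not in self.ALLOWED_PURPOSES:
            self.audit_log.append(("denied", purpose))
            raise PermissionError(f"purpose {purpose!r} may not read SSNs")
        self.audit_log.append(("revealed", purpose))
        return self._by_token[token]


@dataclass
class Customer:
    name: str
    phone: str
    address: str
    ssn_token: str  # the only SSN-related field outside the vault


class CustomerDirectory:
    """The broadly accessible store: everything a CS agent or billing job needs, minus the SSN."""

    def __init__(self, vault: SsnVault):
        self._vault = vault
        self._customers: dict[str, Customer] = {}

    def onboard(self, name: str, phone: str, address: str, ssn: str) -> Customer:
        # Identity verification against the SSN would happen here, at signup;
        # afterwards only the token is retained alongside the customer data.
        token = self._vault.store(ssn)
        cust = Customer(name, phone, address, token)
        self._customers[phone] = cust
        return cust

    def breach_view(self) -> list[dict]:
        """What an attacker who exfiltrates only this directory would obtain."""
        return [vars(c) for c in self._customers.values()]

    def report_default(self, phone: str) -> dict:
        """The one narrow path that needs the SSN: reporting a defaulted account."""
        cust = self._customers[phone]
        ssn = self._vault.reveal(cust.ssn_token, "credit_bureau_report")
        return {"name": cust.name, "ssn": ssn}


if __name__ == "__main__":
    vault = SsnVault(dedupe_key=b"constructed-demo-key")
    directory = CustomerDirectory(vault)
    directory.onboard("Alice Example", "555-0100", "1 Example St", "123-45-6789")
    print("breach view:", directory.breach_view())
    print("bureau report:", directory.report_default("555-0100"))
    print("audit:", vault.audit_log)
```

The hardening is in what the directory lacks: the breach view contains no SSN, and any code path that asks the vault for one under a purpose other than the bureau report is refused and logged.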
Any time you get compromised, you're doing it wrong. What's discussed here is what should the consequences be for doing it wrong. In legal terms, the question is whether this was ordinary negligence or gross negligence. Gross negligence usually comes with pretty stiff penalties.
What's discussed in this thread is whether the larger a company is, the more likely it's gross negligence. The irony to me is that every large company I've worked with takes security very seriously. The only gross negligence I've seen has come from startups that willfully disregard security practices in the name of moving fast.
>The irony to me is that every large company I've worked with takes security very seriously. The only gross negligence I've seen has come from startups that willfully disregard security practices in the name of moving fast.
Couldn't agree more. I've done security consulting for many companies of varying sizes. The large ones almost universally have massive security budgets, constant pentesting, and security audits/processes out the ass. They still get breached because security is fucking hard, no matter how much money you throw at it.
I don't buy in to the whole "if only those evil MBA manager types would allocate more budget to security and take security more seriously, they wouldn't get hacked". Every company I've worked at is scared shitless of being hacked, and have enormous security budgets. The management chain usually takes it very seriously. IME, a huge part of the problem actually ends up being the individual development teams who skip things like encryption because they think it's too onerous or they just think it's frivolous.
I cannot even begin to tell you the amount of time I have had to spend with developers arguing with them that they do need to do things like encrypt PII or enable HTTPS. "But it's only a small database of SSNs, do we really have to encrypt it? We would rather spend the developer time building something else rather than implementing encryption!" they say, and then spend hours/days arguing about it rather than just doing it.
> I don't buy in to the whole "if only those evil MBA manager types would allocate more budget to security and take security more seriously, they wouldn't get hacked".
This is a corollary to "nine women can't make a baby in a month."
I could follow a far more secure development process than I currently do, but I'd get fired for not producing features quickly enough. Maybe it's impossibly hard to write perfect software, but we'd only find that out if we started actually trying to.
I don't know. I'm over 30 & I think the punishments aren't severe enough for repeat offenders (maybe T-Mobile falls here?) or in the face of egregious violations of best practices & incompetence (Equifax). I think firing the board of directors & instantly selling off the shares of the majority stock holders on the open market might be better measures, but it requires the government bringing lawsuits & that's not popular in the US anymore.
I'm over 30 too, and I believe in not allowing corporations to externalize costs onto customers. If my data is compromised, that should be very, very expensive for the corporation.
When I was young, I wasn't a fan of this sort of policy, since I looked at things less holistically, and on shorter timeframes.
Holistically, higher damages aren't anticorporation, but just shift the ecosystem. Over time, companies who treat data securely will have a market advantage. Different, more secure programming practice will evolve, and companies will innovate and compete in security.
My thinking changed around the time GDPR passed. Before, I thought policies like that were anti-corporate. After, I saw how they changed market forces, but economies did just fine or better. Externalizing costs isn't good for economies.
> I'm over 30 too, and I believe in not allowing corporations to externalize costs onto customers.
They shouldn't be externalized onto the victims. The cost will, by principle, always be externalized to their customers, since that is where the money has to come from.
You're assuming perfect market transparency. That's a false assumption.
Company A has good security, which adds $5 in your costs.
Company B has poor security, which doesn't, which will lead to $500 down-the-line from a security breach and identity theft. It charges $2.50 less and otherwise has an identical product.
You have no way to know that. You will go with company B, and you will split the $5 gain, where you save $2.50 and they take $2.50 more in profit.
Company B externalizes costs onto the customer. Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized.'
> You're assuming perfect market transparency. That's a false assumption.
The situation we have here is clearly company B. So we have two options:
- Let the victim (who is or was a customer) pay the $500
- Let the company pay the $500. They need to get that money [0], so they charge their current customers more money.
Either way, the bill goes to the customer. The only difference in the second scenario is that the company needs to increase prices, which will hurt them in the long run and (hopefully) justify the additional expenses in security. But they can't create money out of thin air [1].
> Company A's customers have higher initial costs, but they wouldn't be defined as 'externalized'.
You're right - I was wrong about the definition of externalized.
[0] Technically, they don't - they could go bankrupt. But that would be the first scenario all over again.
[1] Unless we're talking about a bank, of course ;)
I say charge company B, but I disagree with your analysis of where the money will come from. Companies charge to maximize future profits.
If company B tries to charge customers an extra $500, they'll be more expensive than company A, and customers will go to company A. They'll exactly go bankrupt. If they could have charged customers $500 extra and kept it, they would have done that from the get-go. The money won't come from customers, at least in a market with any competition.
Where will it come from? Well, the money will ultimately come from company B's investors. There are several mechanisms by which this can happen:
- Company B has a billion dollars in the bank. It spends $500 million on damages. It now has $500 million in the bank, and is worth $500 million less.
- Company B has zero dollars in the bank, but an otherwise solid business. It issues new equity, diluting existing equity, to raise $500 million. Existing shares are worth $500 million less.
- Company B has zero dollars in the bank, and a negative net worth. It files for bankruptcy. A court reorganizes it to pay the debtors (e.g. the customers). Old shares are worth $0, and the company is now owned by its debtors -- its customers. The shares aren't quite worth $500 each, but customers get as much as possible, and the business keeps chugging along. No one loses their job.
Once investors notice, they'll start to include data security into company valuations. Insurance companies will do likewise. Keeping poor security will decrease profits, and security will improve. On the other hand, I don't think many companies will fold -- in the sense of letting customers and employees down -- based on this.
Being a large company, they should at least demonstrate that they took appropriate measures. E.g. show the reports written by the pen-testers they hired.
Just because the problem is that cost of compromise < cost of security, the solution is not to raise the cost of compromise to infinity. That’s treating it in a very black and white, binary way. It also increases the incentive to spend more on covering up any compromise.
This doesn't make any sense. Capital punishment has existed since forever - yet the fact that they are still carried out means that they are not stopping all of the crimes punishable by death.
A lot of people fear losing their money more than they fear death. I think corporate capital punishment, in theory, could work. The other side of that coin, however, is the number of people put out of work if that were to happen.
Either way, there needs to be far stiffer penalties levied against companies who don't secure their systems better and lose sensitive customer data.
It does make sense. You're confusing corporate liability with personal liability. The parent's point is that if the investors / shareholders were responsible, stuff like this would be severely reduced because resources would be allocated to prevent it. Right now, the only damage is a financial one. And as long as the damage is lower than the cost of prevention, hacks like this will continue to happen.
So isn't the solution here to up the penalties, specifically with codified minimums ($X per leaked phone number, $Y for leaked SSN, etc)? The corporate death penalty would end up hurting the consumers significantly more than this method, which would primarily hurt the share/debt-holders, which is the intent. Corporate dissolution seems like a concern when fraud or malfeasance is specifically involved.
For context, I'm very likely in this breach, but it wouldn't make me any happier to hear T-Mobile was shut-down tomorrow.
No that wasn’t the point at all. Corporate death penalty was a completely overblown analogy by someone else. What this is about is that a manager / CEO / shareholder can be held personally accountable with punishment that could include jail time. As a deterrent.
Right now only the company is accountable as if it’s some sort of living creature, and the penalty is always money. Which as you aptly put, they have in abundance!
And a corporate dissolution isn't the outcome. The outcome is that T-Mobile goes into bankruptcy, with its customers as the debtors. The outcome of that is that a bankruptcy court divides up the assets to maximize payout to you.
Most likely, this means:
- T-Mobile, as an entity, continues to exist, as-is.
- Shareholder value is wiped out...
- And handed to customers, as the customers become shareholders.
T-Mobile has a 180B market cap, which probably means you acquire stock worth a grand or so.
If punishment for murder was sitting in a luxury European prison with a vintage PS3[0] and not death or life, I’d have whacked my former con-artist business partner years ago and likely be out by now.
It depends on the level of incompetence or negligence. There is a difference between premeditated murder and negligent homicide. But there must be a framework, that determines the punishment based on the impact and level of negligence.
> The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver's license information, and IMEI numbers, unique identifiers tied to each mobile device.
Now, this seems like a lot. I hope we will see a detailed technical analysis of the break eventually.
I agree with the principle of raising the cost of compromise, but disagree with your proposal of raising it to infinity (which is effectively what happens when you wipe out the shareholders). Getting hacked sucks, but surely consumers aren't experiencing infinite losses when that happens?
Feels like a better idea might be legally forcing some top X levels of management out as a form of corporate death, invalidating any golden parachutes on the way out too.
In this case, if the breach data is true, customers need to buy new phones, get new SSNs (and possibly change their names) to have any sense of safety in the future. I wouldn’t use a compromised-IMEI phone for 2FA anymore, but most people would, and it is not clear if the potential losses from the selling of this information have any real limit.
That might be prudent to do, but at worst it's a few hours of hassle. I searched around and it looks like all you have to do is fill in a form (https://www.ssa.gov/forms/ss-5.pdf) and supply the required documents. At US median wages it's a few hundred dollars, max.
>the potential losses from the selling of this information have any real limit.
Well not really? Suppose someone crashed into your house, making a hole in the wall that allows thieves to steal potentially unlimited amounts of goods from your house. Should the driver be liable for all thefts from your house in perpetuity? Or only between the time of the crash and when you can reasonably get the wall fixed (or in the case of identity theft, changed your SSN)?
There are a million ways to keep critical data away from (mostly) public data like name and address. Seems like they weren't even doing the most basic separation of concerns here.
If any compromise wipes out a company automatically, you suddenly increase the incentive to hack a company by a huge amount. That doesn't seem like a good way to increase security.
> If you zeroed out all of the investors this type of mass compromise would immediately cease.
It absolutely would not. Yes we would see greater investment in cyber security and it would pay dividends, but the idea that we can totally eliminate data breaches if we just try really super hard is unrealistic.
This is absurd. There is a simple way to eliminate data breaches -- Don't keep data. Humans have been conducting businesses for thousands of years without the need to hoard large quantities of personal data.
If there was sufficient regulatory force to induce companies to make the choice between not hoarding data or not existing then I'm sure that business would carry on as it has for millennia.
Couple that with making engineers liable for what they build. Just like we do with physical engineering - build something that knowingly harms people? Get sued.
Knowingly is the key word here. The physical world is much easier to know and account for in engineering. Not so much for digital which is why security is a system of defense in depth via layers and nothing ever is 100% secure.
I had 5 spam calls this morning from various suspicious phone numbers, including one from Europe. That's more than I've gotten since I first got this phone number total.
I guess it's unreasonable to expect the good times to last like that but man, I'm still deeply unhappy with T-Mobile right now.
Google Voice (GV) and Voip.ms have fairly sophisticated screening that tends to get the 'vehicle warranty' bots to hang up quickly. I wish our phone carriers offered such methods to ensure that their 'services' remain relevant in an increasingly spammy world. Edit: for GV, you will need to enable screening by going to https://voice.google.com/u/0/settings and setting "Screen calls", and for Voip.ms, you will need to set up an IVR so that callers have to enter a code before they are allowed through.
I NEVER use my GV number... I just don't know how they get my number to begin with....
But the numbers that are super spam are all the ones with ~4 second VM.
I keep hearing from this weird New Jersey Jewish Accent where he tells me "I am under attack for someone who is causing my pain and attempting to steal money from me and if I pray and send him money he will take care of this attack against me"
This spam call is really good at avoiding number blocking - and I get ~2 calls per month from this recording... (The accent is like if Mel Blanc attempted to do an over-the-top Jewish accent... it's really over the top. I recommend everyone listen to it and picture "The Producers" with Mel Blanc singing it...)
I actually listen to it every few months or so because how comical the message is.
BTW, you can go into 'Legacy GV' interface and into Groups to whitelist contact groups (e.g. 'All Contacts') who will get straight to you without this screening.
I am surprised - they are ringing your phone/the app vs. just ending up as 'missed calls'? I presume you are also marking them as spam to prevent recurrence and that these numbers are not in your contacts? (Not being sarcastic, just trying to help.)
Yes, it rings my phone. Most are annoyingly early in the morning, and 90% of the time it comes from random numbers in the same area code as my phone number.
I haven't been marking the numbers as spam, but maybe I'll try to do that to see if the number of calls reduces.
One more thing to check: in the Legacy GV webapp (google.com/voice/b/0/redirection/voice) in the Groups tab, the Screening is On for anonymous callers in addition to the original place that I listed above?
Hopefully marking as spam will help too. One thing I like about Voip.ms vs. GV is that in the former, I can mass block an entire range of numbers using wildcards, which is rather satisfying, especially since I set up the rules to ring as busy vs. just hanging up, to keep their systems online a bit longer vs. freeing them to disrupt their next victim.
I'm on Google Fi and get car warranty calls all the time.
The only technique that works is to not answer the phone unless it's from a known contact. Most spam stuff won't leave a message, or it will be a consistent ~4 seconds of silence. Fi (or Android? IDK) has a call screening function which 9/10 if I send something to it, they will hang up before the automated preamble finishes.
I think they do have the same feature, despite being different services. In fact, I believe that the call screen service is offered even on any Pixel phone, regardless of carrier (Google Fi).
I ported my mobile number to them a week ago hoping to only ever need an LTE, 5G or WiFi data connection for cell service.
Alas, I discovered that MMS (and therefore group SMS, too) don't work through SIP. That's a deal breaker for me, unfortunately. Looks like I'll have to port it back out to AT&T, Verizon or T-Mobile :(
You are right - the MMS functionality is only supported by their web app so far: https://wiki.voip.ms/article/MMS . Is Google Voice an option for you or are you (understandably) hesitant to use their services for a critical/sensitive/family number? Based on my limited use, GV appears to support MMS including in group texts.
The latest trick is for spammers to send MMS and then see who responds. I am still getting texts from people on the thread to stop responding, although now it devolved into a political fight with two numbers constantly texting "Trump won". There is no way to remove myself either... I had to disable GV forwarding, but apparently this is enough of a problem that they are disabling forwarding anyway.
The amount of unwanted calls has skyrocketed this last year. I was forced to automatically reject calls that weren't in my contacts. Anyone important already can email or message me.
Big email providers are very good at filtering spam, so if enough people block calls, the only spam venue left would be instant messaging.
I've actually been answering each spam call - and try to get them to stay on the line for as long as possible.
My assumption is that they have some sort of CMS software and that it costs money to call. If you don't answer - they'll keep trying you. But if you do answer and costs them money - they'll put you in the 'do not call' list.
Just my guess - but so far it has worked for me personally.
I can confirm answering calls and using as much of their time as possible totally works. I’ve been doing this for a year or more now; I get excited when a spammer calls me now. It’s about a monthly affair.
I have a bookmark for https://www.getcreditcardnumbers.com/ - I happily give them all the credit card numbers they want (the ones from that site pass the checksum, but of course aren’t valid in combination with a made-up expiry and CVC).
After a couple card numbers fail, they cuss me out, sometimes threaten my life, and never call again.
My theory is they get flagged by their payment processor if they submit many bogus credit card numbers.
It’s about a 10-minute investment once a month. Less time than I used to spend answering and hanging up on spam calls.
Thanks, I've been wasting their time by keeping them on the line (at no cost to me other than the time I used to amuse myself with annoying them), but I didn't know about the credit card generator, will definitely use that!
This is brilliant. I don't know what a pissed-off spammer with who knows how much of your info could do, though. The last time I made one angry for wasting her time, I received even more calls from other spammers.
(1) Usually they think my name is the guy who had my phone number almost 10 years ago. I “correct” them to a fake name, but it shows their record keeping is not good enough to track anyone down.
(2) If they tried to follow through on the death threat, they’d have a hard time getting a visa with “need to kill citizen” as the justification.
Early on, I had a temporary bump in calls after doing this. If you stick with it for a few weeks, eventually you’ll get on enough “real” do-not-call lists that the calls fade away.
It's a good strategy. They feed the autodialer with a list of phones, and when it hears human voice, it transfers the call to an operator. If you didn't answer it will call you several more times. If you answered but didn't speak, it will (probably) not insist for that day.
My record is a call of around 14 hours. The autodialer called me after 10:00pm (supposedly illegal here), and there were no operators to take the call. I left my phone charging with the call active, and went to sleep, since the caller pays for the call. I kept the call until I needed to go out, and I like to think that even if the call wasn't expensive because it was bulk price, maybe having a line busy helped slow down spam for others.
I don't do that anymore because spam calls have multiplied, it would mean answering more spam than I'd like.
I always answer, and immediately mute and put on speaker. Some will maintain the connection for 30 seconds; others will never disconnect. If it's a real contact, usually they'll say "Hello? Blisterpeanuts? Are you there???" and then I pick up.
I would love to run SpamAssassin (at least the Bayesian text analysis part) on SMS/IMs. I suspect it would do pretty well.
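To show what the Bayesian part of that idea looks like when applied to short messages, here is an added example (not SpamAssassin's code, and not from the commenter): a Bernoulli naive Bayes classifier over token presence with Laplace smoothing, trained on a handful of constructed SMS lines. The training messages, the tokenizer and the 0.5 threshold are all assumptions made for the demonstration.

```python
"""Tiny Bayesian SMS spam classifier in the spirit of SpamAssassin's Bayes
component.  Added example; all training/test messages below are constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens; a set, because we model token *presence*."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesClassifier:
    def __init__(self):
        self.spam_tokens = Counter()   # number of spam messages containing token
        self.ham_tokens = Counter()    # number of ham messages containing token
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam_msgs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_msgs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text):
        """P(spam | tokens) under a Bernoulli naive Bayes model.

        Each token contributes (count+1)/(messages+2), i.e. Laplace smoothing,
        so tokens never seen in training neither help nor hurt much."""
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)
        log_ham = math.log(self.ham_msgs / total)
        for tok in tokenize(text):
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_msgs + 2))
        # Turn the log-odds into a probability in [0, 1].
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed sample corpus (assumption: a real deployment would learn from the
# user's own marked messages, as SpamAssassin does with sa-learn).
SPAM = [
    "URGENT: your account has been locked. Verify now to avoid suspension",
    "Congratulations! You have won a $1000 gift card. Claim now: reply YES",
    "Your package could not be delivered. Confirm your address and pay $1.99 redelivery fee",
    "Final notice: your car warranty is about to expire. Call now to extend coverage",
    "Your bank account is locked due to suspicious activity. Click the link to restore access",
]
HAM = [
    "Are we still on for dinner tonight at 7?",
    "Can you pick up milk on the way home",
    "Running 10 min late, save me a seat",
    "Happy birthday! Hope you have a great day",
    "Meeting moved to room 4, see you there",
]


def build_demo_classifier():
    clf = BayesClassifier()
    for m in SPAM:
        clf.train(m, True)
    for m in HAM:
        clf.train(m, False)
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for msg in ["Your account is locked, verify now to restore access",
                "Hey, are you coming to dinner tonight?"]:
        print(f"{clf.spam_probability(msg):.3f}  {msg}")
```

With ten training messages the model is only a toy, but the mechanics are the same ones a real filter uses: the spam score is driven by tokens such as "your", "locked", "verify" and "now" that appear in several phishing texts and in no personal ones, and a message that shares vocabulary with the ham corpus scores low.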
Is there a way to tell if a phone number is from a VoIP service? It'd be great if I could just block those wholesale, as well as any text message that's sent from an email address.
> Is there a way to tell if a phone number is from a VoIP service?
Comment below was written for voice calls, SMS may be more tractable.
(Assuming US numbers) Yes, but it costs money. You can get (free) data from NANPA on which carrier was originally allocated the number, but it may have been ported.
But, the big blocker is a lot of source numbers are spoofed; not sure if a spoofed landline is less spammy than a spoofed VoIP; although an unallocated number is probably more spammy (OTOH, allocation data isn't always timely updated). If you could get the equivalent of Received headers, that would be a lot more useful, but that's not really an option.
Having worked in products using VoIP stuff, you’ll hit issues with 2FA requests from some apps. The big names have their own shortcodes, but many smaller apps use a generic VoIP number from Twilio or similar.
Yes, it's pervasive. I get 4-5 calls per day, most of them scams trying to sell auto warranties or cheap vacations. All of them spoof the caller ID so it looks like somebody from my area. We have a national do-not-call list, but it is a joke, because it only holds legitimate businesses accountable. There's almost no enforcement for these fly-by-night companies.
There are initiatives in the works to prevent this behavior but they keep getting delayed, presumably because the telcos will have to do some work that doesn't fill their pockets so they're dragging their feet.
Yes, it is a symptom of our collective inability to solve problems-- even trivial ones.
Most people I know get between two and ten calls a day, with I'd say 3 or 4 being the median.
There are two sorts of calls-- actual spam calls that try and sell you something. And calls to verify a number is active-- these calls are just silence, but if you pick up, your number will be added to a list of valid phone numbers and sold to spammers.
The spammers then take phone numbers and try to match them up with data breaches etc, or just cold call.
I don't think most people fall for these fraudulent calls, but the elderly are very vulnerable. I've helped several friends' parents get control of their computers back after they willingly gave control of it to someone who claimed to be from "Microsoft tech support" even though they had a Mac.
I get them frequently in Australia. Calls claiming (but likely faked with VoIP) to come from various places overseas, and from within Australia. I get a few different types:
a) Recently it has been computer voices leaving me voicemails claiming I've ordered thousands of dollars of stuff on Amazon, and I need to call some number to cancel the order
b) I got one guy claiming to be from a major ISP and saying my Internet was broken and he needed to help me fix it. I knew it was nonsense because I don't even use that particular ISP
c) Recorded messages claiming the Australian government is going to prosecute me for tax evasion, and if I just wait for the call centre operator to come online, they'll fix the matter for me by accepting payment of unpaid taxes
I think they are just dialling random numbers, looking for easily-tricked people.
Mexico too. Before the pandemic I had a few spam calls a month, but now there were days when I received 20-50 from a misconfigured call center automatic caller.
It forced me to silence all calls from strangers. We have laws and a system to block and report spam callers, but it seems they don't work anymore.
Do you recall that post where a guy was getting multiple scam callers and he was three-way-connecting them so they would spam each other out... it might have been robo-calls... but he would pit two spam/robos against each other and have them rap-battle it out...
I tried to find that, but couldn't. The closest I recall was a video where someone put Alexa and other assistant(s) together, and they kept telling each other they couldn't understand the request.
In France I got one that I can remember in all the time I've had this number, which is over ten years now. And it was an opinion poll. Also got 5 or 6 scam SMS.
I get spam texts fairly often in the UK, and I almost never give out my number, so no idea where they come from.
I also occasionally get calls from unknown numbers, which I don't answer, but if I look them up are usually associated with spam calls. My grandmother also gets them fairly often on her landline, usually of the "there is a problem with your computer" scam variety, but sometimes trying to sell her insurance for a random appliance.
Fingers crossed, but I've not really had any spam issues on a few UK numbers.
I have even been quite generous in giving out one (i.e. using for any online stores that insist on a phone number), and I've yet to really have any unsolicited call that I can think of.
Phone numbers do get recycled by operators, so there's definitely some luck - I've seen some issues with landline numbers, specifically people trying to trace former users of the number. I imagine if you get "unlucky", you might really have little option beyond call blocking or trying to get a new number.
I did find it interesting that, at least for N=1, giving out your number fairly freely, including when you shop online (but not opting in to marketing etc) didn't seem to result in any issues, even after 8 years or so.
Calling isn't zero cost, and that spammer time isn't zero cost, so in this case, there is an incentive for the spammer to weed out people who cost the most.
So isn't the popular idea that you should NOT answer spam calls wrong? Logically, you should answer every spam call and try to get them to stay on the line for as long as possible, therefore maximizing their cost.
This is assuming they have some CMS software on the backend that allows them to categorize numbers.
>Logically, you should answer every spam call and try to get them to stay on the line for as long as possible, therefore maximizing their cost.
You also have to factor in your costs as well. I checked a random VOIP service and they charge a penny per minute, or $0.60 per hour. The federal minimum wage is an order of magnitude higher at $7.25/hour. Therefore it's more expensive for you to stay on the line to mess with them.
There are systems to waste telemarketer time, e.g. the Lenny troll [0] (which acts like a senile person). While I used to answer in bad faith, I stopped given the realization that I am hurting people of lower economic standing more than the company that employs them.
I kinda wish Apple would let me mark voicemail as spam. They wouldn’t even really need to do anything with that info. Just delete the voicemail and maybe keep track of the number and if I mark the same number three times then block it.
I know I can block a caller, but I don’t know enough about how these scams work to know if blocking a number slows them down at all.
I just don’t let my phone ring ever so I don’t deal with too much of the spam. Every once in a while I open the phone app and see I have like 15 new voicemails. I’m guessing I do that once a month so they are just calling every other day.
I get about 10+ spam calls a day, I just block all calls except for a couple of whitelisted numbers, and forward the rest to something that plays a hold song endlessly.
Sometimes I get calls from people I forget to whitelist or who might actually be important (workmen for example). So, I have my default phone ringtone set to a 0.1s, 200 byte mp3 of silence. Anyone in my address book gets my standard address book ringtone.
Then I just check the emails of the voicemails once a day.
I'm not sure if it is coincidence, or if it is really helping, but I play SIT code to indicate a number that is not in service at the beginning of my voice mail message. Since then, the number of spam calls I've been receiving has been steadily decreasing.
Install sox
play -q -n synth 0.2 sin 950;play -q -n synth 0.2 sin 1400;play -q -n synth 0.2 sin 1800
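The sox one-liner above approximates the three-segment Special Information Tone with round-number frequencies. As an added example (not the commenter's code), the following script builds the same kind of tone from the standard SIT segment frequencies (first segment 913.8 or 985.2 Hz, second 1370.6 or 1428.5 Hz, third 1776.7 Hz) and writes it to a telephony-rate WAV file with only the Python standard library, so it can be dropped in front of a voicemail greeting without sox. Which pair of frequencies and durations belongs to the "vacant code" variant is taken from memory and is an assumption; the file name and 8 kHz sample rate are choices made here.

```python
"""Generate a Special Information Tone (SIT) as a mono 16-bit WAV file.
Added example; the segment table for the 'vacant code' SIT is an assumption."""
import math
import struct
import wave

SAMPLE_RATE = 8000  # telephony sample rate, enough for tones below 2 kHz

# (frequency in Hz, duration in seconds).  Assumed 'vacant code' pattern;
# the other SIT variants swap 985.2->913.8 and 1370.6->1428.5 Hz.
SIT_VACANT = [(985.2, 0.380), (1370.6, 0.274), (1776.7, 0.380)]


def tone_samples(freq_hz, seconds, rate=SAMPLE_RATE, amplitude=0.5):
    """Signed 16-bit PCM samples for a single sine tone."""
    n = int(round(seconds * rate))
    scale = 32767 * amplitude
    return [int(scale * math.sin(2 * math.pi * freq_hz * i / rate)) for i in range(n)]


def sit_samples(segments=SIT_VACANT, rate=SAMPLE_RATE):
    """Concatenate the three SIT segments into one sample list."""
    out = []
    for freq_hz, seconds in segments:
        out.extend(tone_samples(freq_hz, seconds, rate))
    return out


def write_wav(path, samples, rate=SAMPLE_RATE):
    """Write mono 16-bit PCM; returns the number of frames written."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return len(samples)


if __name__ == "__main__":
    frames = write_wav("sit.wav", sit_samples())
    print(f"wrote sit.wav with {frames} frames ({frames / SAMPLE_RATE:.3f} s)")
```

Whether a given autodialer actually honours the tone depends on its answering-machine detection, which is why the commenter above could only report a correlation; the script lets you produce the exact standard frequencies rather than the rounded ones and test the effect yourself.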
> The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver license information, the seller said.
It's insanely easy to change sim cards. A few times I've done it they haven't even asked for ID. I even set up a 'port out pin' that requires me to give a 6 digit pin anytime I want to change something about my service or get a new sim card, it's 50/50 whether they actually ask for it or not.
I've been migrating to a Google voice # over the past 3 years, and there are still a few places that won't send texts to it. It is a huge pain in the ass. I can't imagine the average person going through this...
I don't trust google but I also don't trust any phone carrier. Holding onto privacy is getting harder and harder it almost doesn't even feel worth it anymore.
Not in the US, but here in the UK on O2 I tried to get a new e-SIM packet and I got a text from the network saying "give this code" then a call from them asking which store I was at so I could confirm. Also had to show my ID.
Coincidentally, I heard from a T-mobile reseller that T-mobile is forcing them to reissue new SIM cards to all their customers. Unclear if this is related, but the timing is interesting. This was communicated a few weeks ago, before the breach was publicly known.
Over the weekend, I got 2 phishing text messages about 2 bank accounts, at banks I actually use, one of which is a local bank, not a national chain.
One said my main checking account bank access was locked out due to suspicious activity just minutes after I did something I might expect a bank to flag (paying an individual via PayPal and multiple charges at a single gas station). I wasn't in a position to verify it at the time (I don't do bank stuff on my phone, and I certainly wasn't going to click the link), so I switched to using another card while I was out. A few hours later, I got another phishing message about the card I had switched to.
I don't get many phishing attempts on my phone and they've always been for banks or other services I don't even use. I'm really hoping it's just coincidence that I got 2 semi-believable attempts in a row because the alternative is that they're able to see what I'm doing in real-time.
So they didn't learn their lesson after their customers' SSNs were stolen in 2015? In that hack they bizarrely claimed that Experian was storing the SSNs for them.[1]
For the record this shitty company also had a customer data breach in 2018[2], 2019[3] and 2020[4]. With this latest hack it makes 6 data breaches in 5 years. At what point will this negligence be considered criminal?
Not sure if anyone else can relate but my wife had T-Mobile and was sim hacked. Her bank account got hacked. Her email address got hacked. All because to protect the bank account I put in second factor auth using her T-Mobile number. She talked to her colleagues who reported that their phone was sim hacked too on tmobile. We switched.
It's very frustrating that most banks have not implemented hardware 2FA (Yubikey or Titan support) let alone authenticator based 2FA. Bank of America is still stuck on SMS. SIM swaps are happening on every carrier.
Banks are still trying to modernize their legacy mainframe infrastructure from the late 80s to mid 90s. At this rate, hardware 2FA will be ready by 2030.
It's not really related to Linux or the OS at all, just some text in /etc/motd or similar.
"Audit" in this case is the more generic term relating to the company responsibilities to audit systems with sensitive data.
They are saying the system is not subject to governance type controls for either PCI or Sarbanes-Oxley. Which is ironic given what was leaked out of it. And yeah, that probably means they told cybersecurity auditors this system wasn't subject to rules associated with PCI and/or Sarbox.
Maybe carriers will finally start taking identity verification seriously. When everyone's name, address and SSN (or equivalent) is leaked, somebody might finally get the idea that they're rubbish secrets.
My name and address are actually public as a self-employed Czech. My date of birth shouldn't be hard to find and plenty of people even publish it (why shouldn't they?), my mother's maiden name might be somewhere too, and I don't even have her as a friend on any social media platform.
I really think it's time to start accepting no less than a unique password, hardware identification key or a physical visit to a location with a forgery-resistant ID card.
Have any companies had significant fines levied? Certainly nothing large enough to change behavior.
The OPM leak remains the most significant overall of which I'm aware. The Experian leak tops my commercial data leak list, although they get bonus points for then selling people their own data protection service(s).
Maybe it's time we invented robust systems to prevent us from having to share all of our personal data with companies like these, yet still be able to transact with them.
The article mentions social security numbers, so I assume the US. (AFAIK the German and Austrian equivalents aren't usually referred to as SSN, although I might be mistaken.)
I'm a bit late but I contacted the Austrian equivalent (Magenta Telekom) about the breach and was told that the news about the breach only refers exclusively to the American T-Mobile US and that no Magenta Telekom customers (formerly T-Mobile Austria and UPC Austria) were affected. So the German branch should also be safe I assume.
IDK about the Netherlands, but the French one is absolutely not used for random identification; its only purposes are taxes, health insurance/care, and pensions, so the only institutions who know it and can ask for it are related government things, your employer and medical staff.
So a mobile operator having your social security number would be extremely weird.
All contract-based telecoms (at least in the US, I can't speak to elsewhere) run credit checks against postpaid customers since they typically involve a financial obligation (2 year contract and/or financing the device).
I think the solution is simple then: The SSN should be used for read-only. Once the credit report is read/accessed, the credit bureau issues a write-only code. The company then deletes the SSN and only retains the write-only code. If the write-only code is leaked later in a hack, it is useless to criminals trying to open new accounts.
That would be similar to the process used by sellers who take cards payment and their PSPs (payment service providers).
Basically, the seller never stores (and ideally never even sees) the buyers' card numbers. Instead, the card numbers are stored by the PSP, which then issues seller-specific tokens associated with each card. The seller can then store the tokens, and use them to process any payments to their verified accounts. If the tokens are ever leaked or stolen they are useless to an attacker, as these tokens can only be used with that specific PSP to perform payments in favour of the seller for whom they were issued in the first place.
Not necessarily, I'm on TMO, grandfathered in to an ancient 'unlimited data/100min talk' pre-paid plan (so they have very little on file for me, luckily).
Perhaps so they can report you to the credit rating agencies if you go into arrears.
If that's the case, it would be an incremental improvement if the credit agencies implemented some tokenization scheme, sort of like credit card gateways do.
Not that anyone should trust the credit agencies either, but you'd still be removing unnecessary points of potential compromise.
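The scheme sketched in the comments above (the read-once SSN that yields a write-only code, and the PSP-style merchant-scoped card tokens) is the same pattern twice: the sensitive identifier stays in one vault, and everyone else holds an opaque, scope-bound reference that is useless outside the scope it was issued for. Below is an added, self-contained Python illustration of both halves; it is not code from any commenter, T-Mobile, a real PSP or a credit bureau. The classes, the in-memory dictionaries standing in for their databases, the merchant and requester names, and the sample card number and SSN are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Hypothetical PSP-side vault: the only place the real card number lives.
    The in-memory store standing in for the PSP database is constructed for
    this example."""
    _cards: dict = field(default_factory=dict)   # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # The token is random and carries no information about the PAN, so a
        # leaked token cannot be reversed into a card number.
        token = secrets.token_urlsafe(24)
        self._cards[token] = (pan, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        entry = self._cards.get(token)
        if entry is None or amount_cents <= 0:
            return False
        _pan, bound_merchant = entry
        # Scope check: the token only settles in favour of the merchant it was
        # issued to, so a token stolen from one seller is useless to another.
        if not secrets.compare_digest(bound_merchant, merchant_id):
            return False
        # A real PSP would now authorise _pan with the card network and pay
        # out to bound_merchant's verified account; that part is omitted here.
        return True


def merchant_checkout(vault: TokenVault, merchant_id: str, pan: str) -> dict:
    """Merchant-side flow: hand the PAN to the vault once, keep only the token.
    The returned dict is everything the merchant persists; it holds no PAN."""
    token = vault.tokenize(pan, merchant_id)
    return {"merchant": merchant_id, "card_token": token}


@dataclass
class CreditBureau:
    """Hypothetical bureau applying the same idea to SSNs. A credit pull
    returns the report plus an opaque reference; the requester keeps the
    reference (and drops the SSN) and can later use it only to report on
    the account, never to pull a new report or open anything."""
    _refs: dict = field(default_factory=dict)    # ref -> (ssn, requester)

    def pull_report(self, ssn: str, requester: str) -> tuple:
        report = {"score": 700}                   # constructed placeholder score
        ref = secrets.token_urlsafe(24)           # random, unrelated to the SSN
        self._refs[ref] = (ssn, requester)        # the bureau already holds the SSN
        return report, ref

    def report_arrears(self, ref: str, requester: str) -> bool:
        # Write-only reference: accepted only from the requester it was issued to.
        entry = self._refs.get(ref)
        if entry is None:
            return False
        _ssn, issued_to = entry
        return secrets.compare_digest(issued_to, requester)
```

Usage: the merchant calls `merchant_checkout` once and stores the dict; later charges go through `vault.charge(token, merchant_id, amount)`. The point to check in a breach scenario is that the merchant's stored record contains no card number and that `charge` with the same token but a different `merchant_id` fails.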
> Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers. The data includes social security numbers...
The parent company's stock price (Deutsche Telekom) seems not to care at all that this happened. The market seems not to see that data breaches are a risk to business.
This is an extremely sad day for humanity. Privacy is a basic human right. People trusted these companies with their most personal identity information (often due to not having a choice since repressive governments won't allow one to operate a base station) and they completely shit all over that trust.
When breaches like this happen, all executives must step down.
For the past year, I've been getting random calls and texts from a lot of unknown sources. Many times the callers even spoofed different numbers. And sometimes people call me because they said I called them.
I suspect phone user information has been leaking probably in many different ways.
Those are likely simple robo scam calls. Robo dialers call an absurd amount of numbers on various schedules in something of a brute force social engineering scam. To keep their dialers from getting permanently blocked or reported easily, they spoof the caller ID (usually with an area code similar to the recipient's area code in the hopes that someone will be more likely to answer a call from an unknown number if they think it's local), which is why you will sometimes get texts or calls from people who ask you to stop calling them. These kinds of people are just other recipients of spam calls and your number happened to be the number the robo dialer was using as a spoofed caller ID for them; that kind of thing doesn't really have anything to do with leaked info.
For cases like that specifically, it's probable. But those are just like the scam emails where they say "hey, I know your password is ${OLD_PASSWORD}, I recently hacked your account on a popular 'adult recreation' site, remotely put Spyware on your computer, and recorded you 'entertaining yourself' while browsing videos (you have good taste lol). Send me x bitcoins or I'll email this to all the email and linkedin contacts my spyware found in your computer."
It's just an old password found in a breach years ago, they don't have anything else that's real. The difference here is that if they call and leave a voicemail with personal info, go to the police. They're not gonna bother tracking down a social engineering email, but they may be more inclined to go after verbal blackmail.
[1] https://www.bls.gov/cpi/