T-mobile data breach: it continues to be what you don’t expect
Earlier I wrote about data breaches and the false assurance we are given. In that article, I was warning about personal data and SIM-card porting. E.g. someone calls your phone company, pretends to be you, gets a SIM card with your number, then calls the bank and pretends to be you having forgotten your password, and the bank SMSes you for confirmation, except the SMS now arrives on the attacker's SIM.
Well, T-Mobile just lost ~2M users' personal data. Their assurance: “None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised.” Well, your financial information is about to be compromised using this data as a stepping stone. The hackers didn't do it for fun, they did it for profit. They will sell this information on the market, multiple times, and each of the buyers will find a way to profit.
By focusing people on what didn't get taken we do a disservice. “Don't worry, it's just your mother's maiden name, your home address, the name of your first pet, the type of car you drove to prom, your phone number, that sort of thing. There's no way to get something valuable from that!” Those are exactly the answers to the security questions a phone company or bank uses to verify that you are you.
It's time we start demanding that our banks etc. use multi-factor authentication. That Yubikey I posted about: it's stupidly simple to use. Or an app on your phone (like Google Authenticator; yes, it works on your iOS device too).
Yes, it's hard to educate people on. But really, with that Yubikey, you press a button. The Authenticator? You type in the number it shows you each time. Google was able to do it for 85K employees (roll out the Yubikey), and none of their work accounts were taken over after the change (presumably some were before).
The insurance companies should start ratcheting this up too. If you have consumer accounts, and you:
- Have MFA and force it, your premium for cyber-risk is X
- Have MFA, and it's optional, your premium for cyber-risk is 2X
- Have no MFA, your premium for cyber-risk is 10X
Let the invisible hand do the work.
Also, I think we need ‘disposable, traceable’ identities. Years ago some folks would, when giving out their physical address, misspell their name slightly to see which companies sold it for junk-mail purposes. We could do the same digitally, e.g. make an identity unique to each company we share it with, and then trace how those identities get out. And then start taking action.
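A minimal version of that idea, added here as an example and not code from the original post: each company gets a deterministic, HMAC-tagged email alias, and any mail arriving at that alias from a domain other than the one the identity was shared with points at the company whose copy got out. The master secret, the address, and the company and sender names are all constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed values for this example; in practice the secret stays private.
MASTER_SECRET = b"example-master-secret-keep-this-private"
LOCAL_PART = "alice"
DOMAIN = "example.net"


def derive_alias(company: str) -> str:
    """Per-company address of the form alice+<tag>@example.net.

    The tag is an HMAC of the company name, so it is reproducible by the
    owner but cannot be guessed or forged without MASTER_SECRET."""
    digest = hmac.new(MASTER_SECRET, company.lower().encode(), hashlib.sha256).digest()
    tag = base64.b32encode(digest[:5]).decode().lower()  # 8 chars, no padding
    return f"{LOCAL_PART}+{tag}@{DOMAIN}"


class IdentityRegistry:
    """Remembers which alias went to which company and that company's mail domain."""

    def __init__(self) -> None:
        self._by_alias: Dict[str, Tuple[str, str]] = {}

    def issue(self, company: str, legit_sender_domain: str) -> str:
        alias = derive_alias(company)
        self._by_alias[alias] = (company, legit_sender_domain.lower())
        return alias

    def attribute(self, recipient: str) -> Optional[str]:
        """Which company was this alias handed to? None if it is not one of ours."""
        entry = self._by_alias.get(recipient.lower())
        return entry[0] if entry else None

    def find_leaks(self, messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """messages are (recipient, sender) pairs. Returns (company, sender) for every
        company-specific alias that received mail from outside that company's domain,
        i.e. evidence that the identity shared with that company has leaked."""
        leaks = []
        for recipient, sender in messages:
            entry = self._by_alias.get(recipient.lower())
            if entry is None:
                continue  # not an alias we issued
            company, legit = entry
            sender_domain = sender.rsplit("@", 1)[-1].lower()
            if sender_domain != legit and not sender_domain.endswith("." + legit):
                leaks.append((company, sender))
        return leaks
```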
But for now, I recommend you call your mobile company and put some sort of ‘port-out’ protection on your account. If a note in your file in their CRM is all they have, add that. Because your SMS is not only untrustworthy, but the companies you need to deal with trust it.