
T-Mobile Has a Secret Setting To Protect Your Account From Hackers That it Refuses To Talk About (vice.com)

T-Mobile has a feature that gives its customers more protection from hackers trying to steal their phone number, but you probably don't know it exists because the company doesn't advertise it publicly and won't even talk about it. From a report: It's called "NOPORT" and, in theory, it makes it a bit harder for criminals to hijack phone numbers with an attack known as "SIM swapping," a type of social engineering that is increasingly being used to steal people's phone numbers. SIM swapping attackers usually trick wireless providers into giving them control of a target's phone number by impersonating the victim with a company's customer support representatives -- usually on a phone call. T-Mobile's NOPORT feature makes this harder by requiring customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card.

In theory, this should make it impossible for someone to do a SIM swap (also known as SIM hijacking or port-out scam) over the phone. But it's unclear whether all T-Mobile customers can have NOPORT or how effective it really is. T-Mobile doesn't even inform customers that it exists. I learned about it from a tipster, and then confirmed that it is indeed real. I was able to activate the feature on my own T-Mobile account by calling customer service and asking for it to be put on the account, but the company has declined to answer specific questions about the feature.

  • Try keeping it a secret and watch it spread like the Amazon fires.

    Caution: It could be an evil bit...

    • Re: (Score:3, Funny)

      Try keeping it a secret and watch it spread like the Amazon fires.

      All of a sudden, Amazon's tablet name seems out of touch. And no, I didn't realize the link until now.

    • I don't see much point in this though, T-Mobile already requires you to authenticate over the phone with a 6-digit pin, all this will really do is make it so that you have to visit the store each time you need to change out a SIM. Of course, I've got an account with 9 lines and more than one person who has either dunked or lost their phone, SIM card and all, more than a few times.

    • Well, if you were ever the victim of this "feature" and were denied access to your account and forced to show up to a store, it wasn't really that secret. Their website is a train wreck.

  • by mysidia ( 191772 ) on Friday September 13, 2019 @12:15PM (#59191242)

    but the company has declined to answer specific questions about the feature. ....

    T-Mobile's NOPORT feature makes this harder by requiring customers to physically come to a store and present a photo ID in order to request their number to be ported out ...

    Attempting to force customers wishing to Port out to another provider to come visit a physical location in person sounds like JUST the sort of thing that the legacy carriers might try to do in order to put deliberate obstacles in the way of people transferring their service to a competing carrier.

    As a result... while their system might have a "NOPORT" feature: the porting process is the gaining carrier submits a port, and the most that a losing carrier can do is ask for papers proving the customer's authorization.

    It is very likely a potential violation of the intent of the law and FCC Regulations and other rules regarding the number porting systems to impede customers porting out by requiring any kind of physical visit, which might be of substantial inconvenience particularly to rural customers or those more than a few miles from the nearest store.

    I can already imagine the FCC complaints dockets and papers being replete with forms that would be submitted by customers who accidentally enabled that feature, or claimed they had never requested it, or had that feature enabled by a secondary account user, or else didn't specifically agree to this kind of lockdown and its consequences.

    • Attempting to force customers wishing to Port out to another provider to come visit a physical location in person sounds like JUST the sort of thing that the legacy carriers might try to do in order to put deliberate obstacles in the way of people transferring their service to a competing carrier.

      I can already imagine the FCC complaints dockets and papers being replete with forms that would be submitted by customers who accidentally enabled that feature, or claimed they had never requested it, or had that feature enabled by a secondary account user, or else didn't specifically agree to this kind of lockdown and its consequences.

      Likewise, I can imagine a monkey eating sherbet ice-cream on mars.

      When you call or visit your carrier, and request such a feature to be enabled, they would presumably authenticate you to the extent that they would when you request any other change to your account. So either this is a non-issue, or it's no more of an issue than any other account change. Further, there is no benefit to an attacker to requesting noport be added, and even if someone were attempting to be a nuisance, this would probably go unnot

    • I can already imagine the FCC complaints dockets and papers being replete with forms that would be submitted by customers who accidentally enabled that feature, or claimed they had never requested it, or had that feature enabled by a secondary account user, or else didn't specifically agree to this kind of lockdown and its consequences.

      Wouldn't they just delete them like they did with all the public comments about net neutrality?

    • Attempting to force customers wishing to Port out to another provider to come visit a physical location in person sounds like JUST the sort of thing that the legacy carriers might try to do in order to put deliberate obstacles in the way of people transferring their service to a competing carrier.

      This isn't a story about a carrier forcing the visit. It's about the customer requesting that the visit be required. It's all about who is making the decision.

      • by mysidia ( 191772 )

        It's about the customer requesting that the visit be required. It's all about who is making the decision.

        That may be true, but two things:

        You forget that companies have a way of causing customers to make a decision
        without even being aware they've made it.... it's called "Opt-In By Default",
        and essentially large corporations cannot be trusted with such power, so it
        is smart when the regulators ensure they DON'T have the flexibility to add
        willy-nilly programs like "Consumers can suddenly have special
        porting

    • And yet carriers deny ports all the time for the littlest of issues, like the name having a slight misspelling, or the address doesn't match, or the bill didn't have the right total on it. I see these all the time at work, and it's annoying as anything.

  • by Cid Highwind ( 9258 ) on Friday September 13, 2019 @12:19PM (#59191258) Homepage

    ...probably because it's just a note that says "NOPORT" in a comment field on your account, and if one phone CSR can add it, another can remove it.

    • by tlhIngan ( 30335 )

      ...probably because it's just a note that says "NOPORT" in a comment field on your account, and if one phone CSR can add it, another can remove it.

      And customers being customers will likely forget all about it except when they attempt to move from T-Mo to someone else, at which point what was supposed to be a 10 minute operation turns into a 3-day nightmare because they followed some "how to avoid getting your cellphone hacked" video on YouTube a decade ago.

      There is no way to win. The law as worded pretty m

  • It seems possible they might not be allowed to advertise it, because of some anti-competition related law. Like, having it on by default, or telling you about it, could be construed as anti-competition by a competitor. Don't really agree, but I can see lawyers seeing it that way.
    • by mysidia ( 191772 )

      The FCC clearly states: “Commission rules require carriers to port a number when they receive a valid request, and carriers MAY NOT refuse to port.” Even if you have an outstanding balance with the old provider, the FCC also notes that they cannot refuse to port due to an outstanding balance.

      • by PPH ( 736903 )

        require carriers to port a number when they receive a valid request

        Not refusing to port. Just implementing a procedure to validate the request.

        • T-Mobile doesn't determine what a valid request is, though. All a valid request is is one telco saying "Hey, give me 123-456-7890, we own it now." to another. If the second telco owns that number, they have to fork it over. The customer does not interact with the old carrier to port a number, they only interact with the new carrier.

          I would LOVE for this to not be the case. But legally, NOPORT means nothing. (If T-Mobile does actually use NOPORT internally to flag porting requests for manual review or c

          • by PPH ( 736903 )

            one telco saying "Hey, give me 123-456-7890, we own it now."

            Also known as slamming. The FCC has put procedures in place allowing your existing telco to request verification of the switch. I imagine that switching between companies, where the new company is a known entity would be somewhat different than someone calling up, stating that they have a new phone and sim and could you please switch.

            • When I ported out from Verizon they required me to obtain a PIN and for the new carrier to provide that to them. It was not a burden to do that, all of it over the phone via existing account authentication information, and seemed perfectly reasonable.

              I certainly don't want someone to be able to go to any random cellular carrier and transfer my phone number to themselves without authentication.

              That said, much of the concern was with people going to a store (T-Mobile or other carrier), claiming to have
    • I can see why this wouldn't be a default opt-in type scenario.

      But why would that be an impediment to advertising the feature? As long as the customer is informed at the time of activation?

      • by dissy ( 172727 )

        But why would that be an impediment to advertising the feature? As long as the customer is informed at the time of activation?

        https://www.fcc.gov/general/wireless-local-number-portability-wlnp

        Wireless local number portability (WLNP) has been available in the U.S. since November 2003 (in the top 100 Metropolitan Statistical Areas (MSAs)) and May 2004 (in the rest of the country). A consumer wishing to port a number should contact the prospective new carrier, who will start the process of porting by contacting the consumer's current carrier. Commission rules require carriers to port a number when they receive a valid request, and c

        • It's not a violation. A request by someone other than customer is not a valid request. By opting to turn this on the customer is enforcing requirements on what constitutes a valid request.
          • by dissy ( 172727 )

            It's not a violation. A request by someone other than customer is not a valid request.

            Read the regulation again. "Valid requests" come from, and can ONLY come from, the new carrier.

            By opting to turn this on the customer is enforcing requirements on what constitutes a valid request.

            The regulation doesn't care about the customer. The claim of violation comes from the new carrier against the old, and the old carrier gets fined by the FCC.

            From the old carrier point of view, the customer doesn't even come into play either way.
            That's supposed to be the job of the new carrier, but as the new carrier risks no fine or other punishment, and the old carrier is guaranteed a fine, this is why no wirel

    • It seems possible they might not be allowed to advertise it, because of some anti-competition related law.

      I'd suspect that they're not advertising it because the current law says that they can't do it. So they have the feature in their process for one or more of:
      * in case the law is changed
      * for quick emergency response (using a behind-the-scenes mechanism) to a sudden massive attack
      * to disable reactivation of phones, or shipments of them, reported stolen.

      Might

  • by DigitAl56K ( 805623 ) on Friday September 13, 2019 @12:44PM (#59191394)

    I called T-Mobile and asked them to set this for me. Even after speaking to a manager, the support rep insisted no such feature exists and the best they could do was add a note to the account.

    IMO this is outrageous, as porting out numbers has been affecting T-Mobile customers for years and still is, the CEO promised to do something about it, and customers still can't use a feature they have apparently built internally.

    • I have it and have had it for a very long time. Not even sure how long. I think I did it via phone but may have done it at a physical store. They did warn me when I enabled it that forgetting it would put me in a world of hurt. I imagine they get tired of people whining when they want to port out after they have enabled. If I were them, I would not advertise it. Just remember after you turn it on, forget the pass, don't whine when you have to physically present yourself to a store with a valid ID.
  • T-Mobile has a feature that gives its customers more protection from hackers trying to steal their phone number, but you probably don't know it exists because the company doesn't advertise it publicly and won't even talk about it.

    Intriguing, msmash! Tell me more!

    But it's unclear whether all T-Mobile customers can have NOPORT or how effective it really is.

    Oh.

  • this is part of the phone system

    all cell phone companies have this by definition

  • T-Mobile also has good filters for scams and robocalls. They won't activate such filters unless you harass them. I started calling T-Mobile phone support every time I got a call with an invalid caller ID - which usually accompanied calls telling me my car warranty was about to expire, or that my social security number was being cancelled. After a couple of weeks of calling T-Mobile and complaining, they finally 'enabled a setting' that prevented calls with an invalid caller ID, and most, if not all, scam

    • I've wondered for a long time why that protection (blocking calls where the calling number and the caller ID don't match) isn't on by default. The best I can guess is that, due to the distributed nature of the telephone system, the only entity that can verify the source number is the caller's service provider, and if they don't bother to ensure that the caller ID number is valid, then all the recipient's service provider gets is the ID and no way to check if it's valid. I don't know if that's actually true;
