[QUOTE=J!NX;50673683]t-mobile is fucked up lmao[/QUOTE]
verizon did the exact same thing to Boogie. It's not just tmobile or verizon.
[QUOTE=patq911;50673718]verizon did the exact same thing to Boogie. It's not just tmobile or verizon.[/QUOTE]
This could happen at any company, really. There's always too many hoops to jump through for the consumer, but impersonating an employee is the skeleton key to so many important things. My parents had a credit card stolen from them because someone pretended to be from the credit union.
So wait... how did this work, exactly? Did the hackers get the passcode from Ethan, and then take it to T-Mobile and impersonate him? But wait, they said that the hacker impersonated a T-Mobile employee. How does that work? How did they know T-Mobile generated the passcode with Ethan? How would this hack their YouTube account? Google Authenticator for 2fa isn't tied to SIM cards.
Not much of this is making much sense. I'm not saying I don't believe him, I'm just saying I don't understand how the hack works.
How fucking retarded are these customer service reps?
Is there no authorization for if you are an actual employee? Also, giving up a SIM that easily (probably for the sake of ~convenience~) is goddamn idiotic.
[QUOTE=SGTNAPALM;50673819]So wait... how did this work, exactly? Did the hackers get the passcode from Ethan, and then take it to T-Mobile and impersonate him? But wait, they said that the hacker impersonated a T-Mobile employee. How does that work? How did they know T-Mobile generated the passcode with Ethan? How would this hack their YouTube account? Google Authenticator for 2fa isn't tied to SIM cards.
Not much of this is making much sense. I'm not saying I don't believe him, I'm just saying I don't understand how the hack works.[/QUOTE]
what i gathered was that t-mobile offered to set up a passcode for ethan as an extra security measure. the hackers then called him sometime after that impersonating t-mobile and asking for the passcode, which they then used to get the sim card from t-mobile. not really "hacking" but more like [URL="https://en.wikipedia.org/wiki/Social_engineering_(security)"]social engineering[/URL]
not sure how the simcard instantly allows people to access the 2fa, though
Isn't this social engineering?
Where is the hacking?
Actual hacking is 90% social engineering, 10% actual computer hacking:
[video=youtube;pL9q2lOZ1Fw]http://www.youtube.com/watch?v=pL9q2lOZ1Fw[/video]
[QUOTE=SGTNAPALM;50673819]So wait... how did this work, exactly? Did the hackers get the passcode from Ethan, and then took it to T-Mobile and impersonated him? But wait, they said that the hacker impersonated a T-Mobile employee. How does that work? How did they know T-Mobile generated the passcode with Ethan? How would this hack their YouTube account? Google Authenticator for 2fa isn't tied to SIM cards.
Not much of this is making much sense. I'm not saying I don't believe him, I'm just saying I don't understand how the hack works.[/QUOTE]
As I understood it:
T-Mobile called Ethan and recommended he set up a passcode as a security layer. They then gave the passcode to the attacker who called and again impersonated an employee, probably since giving up a code to someone who acts like an employee would be perceived as way more benign than giving up a SS number.
They must have called back and used the passcode to verify it was "Ethan", then activated a SIM card on a phone they possess. Once that's active all of Ethan's service goes to the new phone and they can straight up go through 2fa to reset the Google password because the attacker's phone is now the only one able to receive any calls/messages.
[QUOTE=Kaelnukem;50673860]Isn't this social engineering?
Where is the hacking?[/QUOTE]
i mean i understand what he meant when he kept calling them hackers even though they haven't "hacked" anything, probably because a lot of people use the word "hacker" to mean any kind of unauthorized access to something
words change over time or something, i don't know
So confused about the whole posing as an employee, is it seriously that easy? Aren't there hoops you gotta jump through to prove that, like an ID? I mean even a retail employee should have one too, cause they can have so much access to your day to day life if you save contacts and the likes to your SIM.
[QUOTE=usaokay;50673848]Probably impersonated a T-Mobile retail employee who lied that he was talking to Ethan Klein in front of him.
If you paid attention to the story, Ethan mentions the latter part, so we could assume that the story the hacker told the gullible employee was that Ethan needed a new SIM card or something.
Then the hacker did it again by asking for the passcode.
Really, it's up to companies to keep the customer's information private, even from other employees.[/QUOTE]
Yes, but how did they then take that passcode and plug it in? Surely he could just not call Ethan in the first place and make up a passcode at that point? For the hackers to have engineered Ethan into giving a passcode, they could have just made whatever up. For the hackers to social engineer the passcode from a T-Mobile employee, they needed access to that information within the 30 minutes that Ethan set up the passcode. How did they know he did that? Is T-Mobile part of a larger security breach?
[QUOTE=DOG-GY;50673877]As I understood it:
T-Mobile called Ethan and recommended he set up a passcode as a security layer. They then gave the passcode to the attacker who called and again impersonated an employee, probably since giving up a code to someone who acts like an employee would be perceived as way more benign than giving up a SS number.
They must have called back and used the passcode to verify it was "Ethan", then activated a SIM card on a phone they possess. Once that's active all of Ethan's service goes to the new phone and they can straight up go through 2fa to reset the Google password because the attacker's phone is now the only one able to receive any calls/messages.[/QUOTE]
oh right, i just remembered that google asks you to tie your account to your phone number at some point so they can use it in case you need to recover your password, that's probably why getting the simcard is a big thing
was too lazy to set it up even though they keep asking me but i guess it would be safer to leave it like that
funny when you think about it
this isn't google's fault after all
[QUOTE=Rocko's;50673898]So confused about the whole posing as an employee, is it seriously that easy? Aren't there hoops you gotta jump through to prove that, like an ID? I mean even a retail employee should have one too, cause they can have so much access to your day to day life if you save contacts and the likes to your SIM.[/QUOTE]
It's scary how far you can get if you sound somewhat official over the phone.
[media]https://www.youtube.com/watch?v=h8kWcggio5A&ab_channel=PhoneLosersofAmerica[/media]
Advice for life, even if this isn't what happened to Ethan:
If you get a cold call from a company asking about security or your personal information, ask for their name and say that you will call them back at their official number. Dude called me up the other day asking for my credit card information, claiming he represented our newspaper, so I explained to him that I'll just call the paper back myself and that I don't give away my credit card information to cold callers. He got all flustered and assured me it was okay, and then I said "No, giving you my credit card is a horrible idea. Have a good day."
Sometimes if I'm in front of a computer I look up dummy credit card numbers and give those out, hoping that it trips a red flag somewhere and gets them caught.
Pro tip:
Use an authentication app and never rely on two-step verification via something as awful as SMS.
Also, H3H3 is a little confused, because emails and contacts aren't going to 'come in' with a sim card change.
[QUOTE=1/4 Life;50674017]Pro tip:
Use an authentication app and never rely on two-step verification via something as awful as SMS.
Also, H3H3 is a little confused, because emails and contacts aren't going to 'come in' with a sim card change.[/QUOTE]
I know a few people whose banks only use SMS for 2fa. I guess it's better than nothing but it still sucks that that's their only option.
[QUOTE=SGTNAPALM;50674012]Advice for life, even if this isn't what happened to Ethan:
If you get a cold call from a company asking about security or your personal information, ask for their name and say that you will call them back at their official number. Dude called me up the other day asking for my credit card information, claiming he represented our newspaper, so I explained to him that I'll just call the paper back myself and that I don't give away my credit card information to cold callers. He got all flustered and assured me it was okay, and then I said "No, giving you my credit card is a horrible idea. Have a good day."
Sometimes if I'm in front of a computer I look up dummy credit card numbers and give those out, hoping that it trips a red flag somewhere and gets them caught.[/QUOTE]
That moment when you realize fucking Runescape has better security than most major companies.
(i.e. "We will never ask for your personal information/passwords", installing/enforcing basic two-step verification and recovery questions)
[QUOTE=1/4 Life;50674017]Pro tip:
Use an authentication app and never rely on two-step verification via something as awful as SMS.
Also, H3H3 is a little confused, because emails and contacts aren't going to 'come in' with a sim card change.[/QUOTE]
some carriers automatically sync contacts linked to a phone number when you transfer phones, AT&T does this.
[QUOTE=LoneWolf_Recon;50674103]That moment when you realize fucking Runescape has better security than most major companies.
(i.e. "We will never ask for your personal information/passwords", installing/enforcing basic two-step verification and recovery questions)[/QUOTE]
but then they also run a lot of their customer support through twitter.
[QUOTE=AJ10017;50674114]some carriers automatically sync contacts linked to a phone number when you transfer phones, AT&T does this.[/QUOTE]
Pro tip:
Uninstall carrier bloatware and never set it up. Your carrier cannot give away what it does not have.
Sweden is really stupid too. Our SSN equivalent is apparently "public information" so if you just sign up to a website you can access the info of people if I am not mistaken. Somebody tried to steal my dad's identity and buy a phone on contract recently. Takes minimal effort. Luckily my dad intercepted the package and had it returned.
[QUOTE=1/4 Life;50674017]Pro tip:
Use an authentication app and never rely on two-step verification via something as awful as SMS.
Also, H3H3 is a little confused, because emails and contacts aren't going to 'come in' with a sim card change.[/QUOTE]
They could have saved them onto the sim card, and I'm sure that some carriers have stuff that can transfer them or back them up to new cards.
[QUOTE=cpt.armadillo;50674419]They could have saved them onto the sim card, and I'm sure that some carriers have stuff that can transfer them or back them up to new cards.[/QUOTE]
I'm almost 100% certain that simply puts them on the physical sim card, and you'd have to have the sim card containing them or the phone with it installed handy to do that transfer (Or some unimaginably nasty bloatware you forgot to uninstall).
Honestly, just put your contacts in Google Contacts or iCloud. There is no reason in this day and age to save contacts to a Sim card.
[QUOTE=Rocko's;50673898]So confused about the whole posing as an employee, is it seriously that easy? Aren't there hoops you gotta jump through to prove that, like an ID? I mean even a retail employee should have one too, cause they can have so much access to your day to day life if you save contacts and the likes to your SIM.[/QUOTE]
It depends on the internal structure of the company. Chances are T-Mobile has a lot of separate departments at different sites that communicate with one another remotely via phone or email. If that's the case, then chances are someone in one department doesn't know the name of every single other person in another department.
In Ethan's case it sounds like the guy calling at one point was posing as a store rep.
[QUOTE=CommanderPT;50674332]Sweden is really stupid too. Our SSN equivalent is apparently "public information" so if you just sign up to a website you can access the info of people if I am not mistaken. Somebody tried to steal my dad's identity and buy a phone on contract recently. Takes minimal effort. Luckily my dad intercepted the package and had it returned.[/QUOTE]
At the very least that system has the advantage of not having the illusion of privacy. If everyone knows it's that easy to get someone's SSN equivalent, no company or service will rely on it being private.
[QUOTE=LoneWolf_Recon;50674103]That moment when you realize fucking Runescape has better security than most major companies.
(i.e. "We will never ask for your personal information/passwords", installing/enforcing basic two-step verification and [B]recovery questions[/B])[/QUOTE]
Recovery questions are pretty horrid.
Reason is that most of them are stupidly easy for a stranger to find basically just by checking your social media. And the rest can often be easily found out by just chatting someone up. It was actually a somewhat common method of hacking on xbox live, to get recovery answers out of people.
[QUOTE=1/4 Life;50674180]Pro tip:
Uninstall carrier bloatware and never set it up. Your carrier cannot give away what it does not have.[/QUOTE]
I'm not with AT&T anymore, haven't been for about a year :v: I get to enjoy the stock android experience since I'm a Project Fi customer. and even then, some android roms that manufacturers put on their phone make it very difficult to remove the apps that come preinstalled on the phone