By Joe Paonessa Aug 2, 2017
About two months ago, T-Mobile officially took its Digits platform out of beta and made it available to "all" T-Mobile customers. By all I mean T-Mobile postpaid customers, while those of us on legacy prepaid plans such as the infamous $30 prepaid plan have been left in the dark.
As a refresher, the T-Mobile Digits platform allows eligible subscribers to be able to talk and text on devices other than their main phone line such as on PC's, tablets and other cell phones. The other cell phones don't even need to be on the T-Mobile network for Digits to work.
On the surface, this sounded great to me. I have two different cell phones and lines, one which I use to review different MVNO's and carriers with and the other is my normal day to day prepaid line on the T-Mobile network. I was excited with the launch of Digits as by the sound of it, it meant I would no longer have to take two phones out with me into the world. Of course, I have since been disappointed to find out that T-Mobile never enabled the feature on prepaid lines such as mine.
Upon announcement of the Digits platform, my immediate concern was over the potential security issues that it could cause. Such issues include the possibility of someone hacking into your account and gaining access to your text messages as well as having the ability to send messages and place phone calls on your behalf. It turns out that I overlooked an even bigger implication of such a hack, and that is, what happens when one of your other accounts such as a PayPal account has two factor authentication enabled on it? What happens when your T-Mobile Digits line is tied to your PayPal account?
A couple of weeks ago I read a story told by software developer Justin Williams, whose PayPal account got hacked in part due to a security gaffe made by an AT&T customer support representative.
In a blog post, Justin stated that he uses a password manager which affords him the ability to create unique passwords as complex as the sites he logs into them with will allow. He also uses 2 factor authentication whenever possible. Both are practices that I follow and encourage others to as well.
Of course, no matter how hard you try to secure yourself online, you're in the simplest of terms, only as secure as the weakest link in your login security chain.
In the case of Justin, the weakest link in his online security chain wasn't himself, but rather a customer support representative from AT&T and perhaps PayPal.
Unfortunately for Justin, he became a victim of cell phone number identity theft. If you don't think that this is serious business, read on.
The theft occurred when a hacker repeatedly called AT&T customer support trying to get into his phone account. Initially the hacker was rejected, because he didn't have a pass code/pin number to give to customer support, however the hacker eventually got around that as one customer support representative for some reason didn't require the passcode. And just like that, the hacker was able to transfer Justin's phone number to another SIM card so that the perpetrator could use it with his own burner phone.
Once the hacker had Justin's number under his control, he was able to victimize Justin's finances. The hacker was able to transfer $200 AUD out of Justin's bank account courtesy of PayPal. Although Justin had two factor authentication enabled on his PayPal account, PayPal's security system isn't necessarily what you'd call robust.
You see, in order to reset a password on a PayPal account, all that's needed is a phone number and an email address. When you go through the lost password process with PayPal, PayPal will ask you to confirm your identity by sending you a text message that contains a security code that you must enter into the PayPal website. Once you enter the code into the website, PayPal allows you to set up a new password right then and there, without needing to login to your email account.
From this story, we can learn a few things about online security and how it relates to your mobile phone service provider, T-Mobile Digits, Google Voice and the likes.
Though T-Mobile Digits and Google Voice may provide a lot of convenience to their respective users, having a mobile phone number that can be accessed over the web through a PC, tablet or any other device one can dream of, doesn't come without risk.
As we can see by what happened with Justin, if a hacker can gain control of your phone number, it could be game over for you and your finances among other things.
With your T-Mobile number now online, those who have ill intentions now have another way to gain access to and control of your phone number, so be sure you are using good security practices such as strong passwords to protect your account.
It would also be nice to see T-Mobile offer and enable 2 factor authentication on its customer's phone lines now that it's subscriber's phone numbers are essentially in the cloud. Of course all the additional security measures that you may place on your account become moot if a hacker is able to use a little social engineering to gain control over your phone number which is likely how it happened for Justin.