Update 10/13/2021 - Visible has issued the following statement to BestMVNO.com regarding the recent security incident detailed in the article below:
"Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.
Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.
Protecting customer information -- including securing customer accounts -- is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com." --statement to BestMVNO.com from Visible rep
Original Story Published 10/12/2021:
Verizon's Visible brand is the latest wireless provider to succumb to a security breach. Last night, a Visible employee posted to Reddit the acknowledgment of a security incident. According to the employee, Visible is "investigating an incident where information on a small number of member accounts was changed without their authorization. We’re working hard to take protective steps to secure these accounts." It is unclear how many accounts have been impacted, but numerous threads have been started on Reddit detailing the plight of individually impacted customers.
In response to the breach, Visible is encouraging its customers to change their passwords and answers to security questions. These are basic steps everyone should take in the event of a reported breach with any account. However, the incident may have rendered it difficult or temporarily impossible for some customers to change their passwords. Last night, a Twitter user with the handle @KingOfTechDeals shared with me a screenshot of his difficulty in resetting his password. When attempting to do so, he was greeted with the message "Sit tight. Resetting your password is unavailable at the moment. Please try again later." @KingOfTechDeals tells me it's still an issue today.
One Reddit user claims that Visible says password reset requests are going to hackers' emails. Visible may be implementing a security fix that has temporarily disabled password resets for some.
This latest security incident involving a wireless carrier is already causing a lot of problems for those impacted. One alleged subscriber jumped onto Reddit to report that someone ordered two iPhone 13s and changed the shipping address on their account. They were billed $1754.40 for the transaction. The user was also blocked from being able to change their password.
Another Visible subscriber posted to Reddit that they had received an email from Visible notifying them that their email address, shipping address, and service address were all changed. The subscriber discovered this morning that their bank account was charged $1175.85 paid to Visible through PayPal.
Unfortunately, incidents like these seem to be all too common.
In August of 2021, T-Mobile revealed that it was the victim of yet another attack. That attack resulted in some customers having their Social Security numbers, names, addresses, dates of birth, and driver's license/ID numbers stolen. T-Mobile unfortunately seems to be victimized with regularity. In January of 2021, ZDNET reported on what was then T-Mobile's fourth data breach in just three years. In 2015, BestMVNO reported on another T-Mobile data breach.
In June, it was disclosed that Mint Mobile suffered an attack. Between June 8, 2021, and June 10, 2021, a small number of Mint Mobile subscribers had their phone numbers temporarily ported to another carrier without permission.
Sometimes wireless subscribers are even impacted by security breaches that occur with third parties.
Last week, it was announced that Syniverse experienced a hack that gave the intruder unauthorized access to its database for five years. Syniverse routes hundreds of billions of text messages for all major carriers including AT&T, T-Mobile, and Verizon. Syniverse and its carrier partners have not disclosed whether or not the hacker was able to read their customers' text messages. Syniverse said the hacker gained access to its systems in May of 2016. It was only in May of 2021 that it became aware of the unauthorized access and reported it to law enforcement.
Preventing cyber attacks is far from easy. But there may be some basic steps that providers can take to tighten up security a bit more. Some subscribers have asked for app-based two-factor authentication, which can help to prevent some types of attacks. From one of the Reddit messages described above, it seems Visible is at least temporarily trying to add an extra layer of security to its customers' accounts by asking to verify their call history before certain actions can be taken with their accounts.
Joe, we need a thread on MVNOs that provide adequate security, i.e. with multi-factor authentication apps.
P.S. Ting has app authentication, by the way.