A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

CELL PHONE COMPANIES

While SIM Swaps are probably the biggest danger when dealing with cellphone providers, there is also the issue of their wanting to spy on you.

• Cell carrier privacy settings to change now by Tatum Hunter for the Washington Post (August 2022). About how to stop the cellphone companies from targeting you for ads.
• Cellphone companies want to show you ads and sell your information. In March 2021, the tl;dr sec Newsletter published instructions for opting out for T-Mobile, Metro, Sprint, AT&T and Verizon. The instructions were based on this article: T-Mobile to Step Up Ad Targeting of Cellphone Customers by Drew FitzGerald for the Wall Street Journal (March 2021).
• Verizon ad targeting is now called Custom Experience Plus, it used to be called Verizon Selects. See Verizon Custom Experience programs FAQs from Verizon. To opt out on their website, go to Privacy preferences page and look for the Custom Experience and Custom Experience Plus sections. To opt out in the My Verizon app, go to "Edit Profile and Settings" -> Preferences -> Manage Privacy Settings. (as of Aug 2022)
• Verizon Wireless customers can review their marketing settings at vzw.com/myprivacy or by calling 800-333-9956. I suspect that most people will not want their CPNI shared with Verizon "affiliates and agents".
  December 2021: Verizon had a program called "Verizon Selects" where they spied on their customers. It has been renamed "Verizon Custom Experience" seemingly to let them spy on everyone who opted out of the first program. Details on how to opt out here: Verizon overrides users' opt-out preferences in push to collect browsing history by Jon Brodkin of Ars Technica. The best solution is to use a VPN which blocks Verizon from seeing anything.
• AT&T calls their ad targeting "relevant advertising" and "enhanced relevant advertising". You control this on their website at the cmpchoice page which has a section for both the regular and enhanced "relevant advertising". While on the page, also look for the "Third Party Services" section where you can stop some data sharing. Finally, review the "External Marketing and Analytics Reports" section too. Here is a screen shot of the relevant section of the AT&T website. (Verified Aug 2022)

Privacy: Michael Bazzell, who focuses on privacy, recommends Mint Mobile because they let you open an account anonymously. They may not brag about this, but he has opened accounts with them using fake names and they do less verification of the information you provide than other cell carriers. They use the T-Mobile network and their prices are start at $15/month. Around March 2023, however, they were in the process of being purchased by T-Mobile, so things may change.

T-MOBILE ADVERTISING

• To opt out of T-Mobile’s ad business, in their app: More -> Advertising & Analytics -> turn off "Use My Data To Make Ads More Relevant To Me". To opt out on their website: My Account -> Profile -> Privacy and Notifications -> Advertising and Analytics -> turn off "Use My Data To Make Ads More Relevant To Me." (As of August 2022)
• How to opt out of T-Mobile's creepy ad tracking campaign by Jason Cipriani for ZDnet. July 2022. The T-Mobile App Insights program collects information about the apps installed on a phone, how often they are used, the Wi-Fi networks the phone connects to and a web browsing history. You have to install a Magenta app on each device. Recommended even for non-customers of T-Mobile.
• T-Mobile to Share Customers' Web Browsing Data With Advertisers Unless They Opt Out by Michael Kan for PC Magazine (March 2021).
• T-Mobile to Step Up Ad Targeting of Cellphone Customers by Drew FitzGerald for the Wall Street Journal (March 2021).

T-MOBILE HACKS and DATA BREACHES

It seems that T-Mobile has poor internal security. Between August 2018 and May 2023, the company suffered nine, count them, 9, data breaches. A reasonable person might chose to not use their services, just for this reason. Details below:

• May 1, 2023: T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more by Dan Goodin for Ars Technica. This was the second network intrusion this year for T-Mobile and the ninth since 2018. As for details, the hack affected 836 subscribers and lasted for just over a month.
• February 28, 2023: Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 by Brian Krebs. Krebs came to this conclusion after researching Telegram chat logs from three different cybercrime groups that are known to be particularly active in "SIM-swapping". Each group periodically offers SIM-swapping services for other mobile phone providers too, but those solicitations appear far less frequently than T-Mobile swap offers.
• January 19, 2023: T-Mobile hacked to steal data of 37 million accounts in API data breach by Sergiu Gatlan for Bleeping Computer. Bad guys stole the personal information of 37 million current postpaid and prepaid customers. T-Mobile did not share how their API was exploited. The attacker started stealing data around November 25, 2022. The company first detected this on January 5, 2023. Not stolen: driver's licenses or other government ID numbers, social security numbers, passwords/PINs, payment card information or other financial account info. Stolen: customer name, billing address, email, phone number, date of birth, T-Mobile account number and other account information. This article provided the breach history below.
• January 19, 2023: New T-Mobile Breach Affects 37 Million Accounts by Brian Krebs. Quoting: "Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity ... T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket."
• April 22, 2022: T-Mobile confirms Lapsus$ hackers breached internal systems by Sergiu Gatlan for Bleeping Computer. They used stolen credentials.
• August 2021: T-Mobile CEO: Hacker brute-forced his way through our network by Sergiu Gatlan for Bleeping Computer. Data was stolen for an estimated 76 million customers. The attacker was quoted in the Wall Street Journal saying their security was miserable. The initial breach was of the testing environments. Stolen data: customer names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company.
• April 12, 2022: T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. by Joseph Cox. After hackers stole data from T-Mobile in August 2021, T-Mobile hired a third-party firm that went undercover and bought exclusive access to the data. T-Mobile paid the bad guys $270,000.
• February 2021: T-Mobile discloses data breach after SIM swapping attacks by Sergiu Gatlan for Bleeping Computer. Attackers accessed an internal T-Mobile application without authorization. The number of effected customers is not known. The attackers were able to port numbers, but it is not known if they gained access to an employee's account or if they did it through the compromised users' accounts.
• December 30, 2020: T-Mobile data breach exposed phone numbers, call records by Lawrence Abrams for Bleeping Computer. Roughly 200,000 customers were impacted.
• March 5, 2020: T-Mobile Data Breach Exposes Customer's Personal, Financial Info by Lawrence Abrams for Bleeping Computer. A data breach was caused by an email vendor being hacked. That, in turn, exposed the personal and financial information for some T-Mobile customers. An unauthorized person was able to access the email accounts of some T-Mobile employees. Some of the hacked email accounts contained customer information such as social security numbers, financial information, government ID numbers and billing information. It is not known how many T-Mobile customers were affected or when the breach occurred.
• November 21, 2019: T-Mobile Discloses Data Breach Impacting Prepaid Customers by Sergiu Gatlan for Bleeping Computer. The number of impacted customers is "small". Exactly how many? T-Mobile did not say. Stolen data: customer name, billing address, phone number, account number and rate plan and features. Not stolen: credit card information, social security numbers, passwords. At the time, the company said "We have a number of safeguards in place to protect your personal information from unauthorized access, use, or disclosure." History has shown they did not have enough safeguards.
• August 24, 2018: T-Mobile Detects and Stops Ongoing Security Breach by Catalin Cimpanu for Bleeping Computer. The breach affected roughly 3.9 million customers. Rather than say that, T-Mobile said it affected less than 3 percent of their customers. Sounds better that way. Stolen data: customer names, billing ZIP codes, phone numbers, email addresses, account numbers and other account information. Not stolen: passwords, social security numbers, financial information. The company said: "We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access." We now (January 2023) know this was bullshit.

This article was written in August 2021 and then revised in January 2023: Here’s what to do if you think you're affected by T-Mobile's latest data breach by Chris Velazco for the Washington Post. Change your password (duh). Change your PIN (another duh). Freeze your credit reports. Avoid relying on your phone number for proving your identity with a text message. Instead, use an authenticator app for two factor authorization. In other words, the article just rounds up the usual suspects. To me, the most interesting thing here were some reader comments about 2FA for T-Mobile. It seems the company does it wrong. While they do offer the use of an authenticator app, at the same time, they will also offer a text message. This should have been in the article.

T-MOBILE HOME INTERNET

• T-Mobile Home Internet Was Great, Until My Service Died And the Company Could not Fix It by Brandon Hill (August 2022). A user experience, good at first, but then error "All PDN IP Connection Failure" could not be fixed and the reporter closed his account. This story led to a follow-up: Former Employee: T-Mobile Misleads Home Internet Customers by Brandon Hill (August 2022) which claims that T-Mobile does not have the technical expertise to fix some problems. Also, other customers had similar problems and the claim that the tower is being upgraded is a common lie told by customer support reps.
• T-Mobile's 5G Home Internet: I tried it, and it tried me by Mitchell Clark for The Verge (Dec 2021). The reporter found that the service was not sufficiently reliable. The provided router (made by Nokia Solutions & Networks) almost always had a weak cellular signal. The app showed two bars of service, but this was not reliable as it showed two bars even during service outages. The setup instructions were poor. That said, "The thing about cellular internet, though, is that my experience won’t necessarily be the same as yours, even if you live a few blocks away from me."

Again, there is more on cellphone company security on the SIM Swaps page.

Copyright 2019 - 2023