July 8, 2006

Major T-Mobile Security Issue

by fluffy at 10:57 AM
We get more and more dependent on our devices, and more and more stuff is stored in them while they become more and more interconnected with everything else.

I've been with T-Mobile since 2001, and although they're still the best provider out there (in my opinion), they still have some pretty major potential problems. One particularly horrifying one is in terms of information security. It has been in the back of my mind for a few months, but a well-publicized (and much more minor) issue with Sprint reminded me that I should really write about it publicly, and this deserves a bit more than a comment on This Is Broken.

If someone finds your phone they can easily figure out the phone number (by dialing *686 if the phone doesn't just display it in an easy-to-find menu), then on the T-Mobile website you just click "forgot password?" and it'll send the login password in plaintext as an SMS to the phone (the username is just the phone number).

From there people can find out pretty much EVERYTHING about you, or at least enough to do some pretty major damage. They have your billing address, the last four digits of the credit card number (if you're set up on EasyPay), and the last 3 months of calls you've placed and received, at a minimum. If you have a Hiptop/Sidekick they can read and edit your email and calendar, look at/send/delete your photos, and basically everything else that you can do with the device itself (so even if you get the device back, if you don't change your T-Mobile password they still have access to it).

If they know your birthday (month and day) or the last four digits of your SSN they can also change your rate plan and billing address, order a brand new shiny phone (charged to your account of course), and sign you up for all sorts of crap you never wanted.

And of course, if you use the same password on T-Mobile as anywhere else and that other person knows your username for the other places, you're completely screwed.

It's pretty scary how one break in the chain of trust can completely mess everything else up. This is why I always set a PIN on my SIM (so that if someone finds my phone they can't just turn it on and get my password) though of course that doesn't help at all if they find it when it still has a charge. I also don't use EasyPay (though that's mostly because I also don't implicitly trust T-Mobile to bill me correctly, and credit card companies won't reverse pre-authorized charges).

A better mechanism would be to add a challenge/response to the password retrieval (there used to be one, but I think they decided that simply having the phone was challenge/response enough, when it clearly isn't), and instead of sending (and storing!) the password in plaintext, have the password retrieval function force you to make a new one.
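
One way to implement the retrieval flow proposed above, as an added example that is not from the original post or T-Mobile's system: the challenge must pass before anything is sent, the SMS carries a single-use expiring code instead of the password, and only salted hashes are stored. The names `Account`, `request_reset` and `complete_reset`, the 10-minute lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds a reset code stays valid (assumed value)

def kdf(secret: str, salt: bytes) -> bytes:
    # Slow salted hash: the server keeps nothing it could ever send back.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000)

class Account:
    def __init__(self, password: str, challenge_answer: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = kdf(password, self.salt)
        self.answer_hash = kdf(challenge_answer, self.salt)
        self.reset = None  # (sha256 of code, expiry) while a reset is pending

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, kdf(password, self.salt))

def request_reset(acct, challenge_answer, now=None):
    """Return a one-time code to SMS to the phone, or None if the challenge fails."""
    now = time.time() if now is None else now
    given = kdf(challenge_answer, acct.salt)
    if not hmac.compare_digest(acct.answer_hash, given):
        return None  # holding the phone alone is not enough
    code = secrets.token_urlsafe(16)
    acct.reset = (hashlib.sha256(code.encode()).digest(), now + TOKEN_TTL)
    return code

def complete_reset(acct, code, new_password, now=None):
    """Consume the code and set a new password; the old one is never revealed."""
    now = time.time() if now is None else now
    pending, acct.reset = acct.reset, None  # single use, burned even on failure
    if pending is None or now > pending[1]:
        return False
    digest = hashlib.sha256(code.encode()).digest()
    if not hmac.compare_digest(pending[0], digest):
        return False
    acct.pw_hash = kdf(new_password, acct.salt)
    return True
```

Someone who finds the phone receives nothing without the challenge answer, and even a valid code only lets the owner choose a new password.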

T-Mobile really needs to fix this problem. Meanwhile, if you're on T-Mobile, make sure you have a PIN on your SIM (you set this on your phone), and that you don't use the same password for your T-Mobile account as anything else.