by Crosseye_Jack 2998 days ago
Not a t-mobile customer nor in the US so can’t say I have much experience with their process to know if it’s “secure” or not. But the command to request a support code could trigger a code to be generated, salt and hash it (yeah I know hashing a 4 digit pin is pointless if their validity was longer than say 30 mins as you would have to breach and call up right away), stored in a DB along with the salt and not be displayed to the CS agent. When you call they then ask for the pin, enter it into their system and their system could then validate the pin entered by the CS agent by adding the salt and hashing and comparing against what’s in the DB.

After a valid pin has been entered or X invalid tries by the customer service agent the customer needs to request another support pin.

Now this doesn’t mean that the transmission of SMS is 100% secure but as they operate the network they could be in a much better place to validate that a request came from and was delivered to a phone and sim on their network (if the customer is on network and not roaming, but would be a bit of a shit customer support experience if you could only get support on network).

Just saying that the one time, limited lifespan support code system can be done securely so let’s not throw them under the bus just yet.

Edit: Using support pins delivered to the phone should only be treated as proof of being in possession of the sim and not proof of being the account holder.
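The scheme sketched in the comment above (generate a short PIN, store only a salted hash, expire it after about 30 minutes, burn it after one successful use or X failed entries by the agent), written out as a small server-side store. This is an added illustration, not code from the commenter or from any carrier's system; the 3-attempt limit, the account identifier format and the use of PBKDF2 are assumptions chosen here for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 4                 # 4-digit pin, as discussed in the comment
PIN_TTL_SECONDS = 30 * 60      # "say 30 mins" of validity
MAX_ATTEMPTS = 3               # the comment's "X invalid tries"; 3 is an assumed value


@dataclass
class PinRecord:
    """What the back end keeps: never the pin itself, only salt + digest."""
    salt: bytes
    digest: bytes
    created_at: float
    attempts: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # A per-record random salt means two accounts issued the same 4 digits
    # do not share a stored digest; PBKDF2 is used here as a stand-in for
    # whatever password-hashing primitive the deployment already has.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, 10_000)


class SupportPinStore:
    def __init__(self, clock=time.time):
        self._records: dict[str, PinRecord] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, account_id: str) -> str:
        """Generate a fresh pin for the subscriber; the CS agent never sees it."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        # Issuing a new pin replaces any older outstanding one for the account.
        self._records[account_id] = PinRecord(salt, _hash_pin(pin, salt), self._clock())
        return pin  # this value goes to the handset (e.g. SMS), not to the agent console

    def verify(self, account_id: str, entered: str) -> bool:
        """Check the digits the agent typed in; returns True only for a live, correct pin."""
        rec = self._records.get(account_id)
        if rec is None:
            return False  # nothing outstanding: customer must request a new pin
        if self._clock() - rec.created_at > PIN_TTL_SECONDS:
            del self._records[account_id]  # expired: discard, force a fresh request
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(_hash_pin(entered, rec.salt), rec.digest)
        # Single use on success; after MAX_ATTEMPTS wrong entries the pin is burned
        # too, so guessing across the 10,000-value space is capped per issuance.
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._records[account_id]
        return ok


if __name__ == "__main__":
    store = SupportPinStore()
    pin = store.issue("subscriber-123")          # constructed account id
    print("delivered to handset:", pin)
    print("agent enters correct pin:", store.verify("subscriber-123", pin))
    print("same pin again (already consumed):", store.verify("subscriber-123", pin))
```

The comment's own caveat still applies: a successful `verify` proves that whoever is on the call can read messages sent to that SIM, nothing more, so it should gate only the actions that possession of the handset is an acceptable proof for.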