[StudentStuff]

I was affected by this, they SIM swapped a line on our account twice, both times on Friday at 5:23pm (followed by swapping the old SIM back at 5:42pm).

Just received the CPNI notice today from T-Mobile, we had a 6 digit PIN set prior to the first SIM swap on January 10th, and changed it before the following SIM swap on January 17th.

T-Mobile told me these swaps occurred at a store for both attacks. I did remove all authorized users from the account prior to the SIM swap on the 17th. T-Mobile has refused to provide Seattle Police Dept with any info about the fraudulent activity, and left me in the dark prior to the letter today.

[lotsofpulp]

We need legislation around liability for SIMs, as every single large financial institution seems to be using SMS messages as proof of identity. Better yet, we need legislation that protects individuals from liability if a business uses SMS as proof of identity.

Edit: For ATT, I don’t know what power they give their employees to change or bypass people’s passcode, but as a user, all you need to reset passcode are last 4 digits of account owner’s social, billing zip code, and access to one of the phone lines on the account where they will send an SMS to verify you’re one of the people on the account.

I would hope that for much stricter processes to reset passcode, like a notarized letter or showing passport and physically going to a store to prove identity.

[jtokoph]

When my AT&T sim was swapped a short while back, AT&T told me the same thing about a retail store. The support person you talked to believes this because that’s what the computer system says. I even received an automated SMS a week later asking for feedback about my “retail experience” at that location.

The law enforcement task force I spoke to told me that in reality, the swappers have remote access to the admin portal and just fill out a field with a store close to your billing address to make it look legit. Nobody was ever at that retail location.

All of the metadata about the swap is manually entered by the attacker. The support people don’t understand that and just read off of their screen. Even the automated systems are fooled.

[caconym_]

How were you notified? Email?