[kornhole]

The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.

I buy my SIM cards anonymously. I never use cellular near my house and only use it for data over a VPN. So it would not affect me if all of their data was breached.

[Arnavion]

>The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.

Are you sure? In the previous T-Mo breach Ting claimed the opposite.

https://help.ting.com/hc/en-us/community/posts/4405384603291...

>the kind of Ting Mobile customer data at issue in this data breach is not stored on T-Mobile servers. Ting Mobile holds its own customer database on our own servers. The kind of data T-Mobile does have access to are things that are network-specific, like your phone number, SIM card number, usage data, and IMEI.

>T-Mobile does not have access to the Ting Mobile database of names, email addresses, credit card information, etc. Your information is protected and secure from what the hackers claim to have collected.

[kornhole]

Thanks. I was not sure. MVNO contracts could differ. This gives me more reason to hide my identity by using SIM cards carefully.

[Someone1234]

> only use it for data over a VPN

Unless you run this yourself, I don't understand why you nor anyone thinks that adds to their data integrity? VPNs can, have, and are the subject of break-ins and have their own agenda and or government oversight.

People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so, the reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.

All while making performance, in particular latency, worse.

[cbsks]

In the context of not trusting your ISP (the mobile provider in this case) a VPN provides a lot of security. You aren’t “adding an extra point of trust or potential failure”, you are choosing to trust your VPN provider instead of your ISP.

[ehhthing]

VPNs still have massive problems with network diversity. They often rely on a tiny subset of transit providers, usually just Cogent/HE/Telia and some straight up all run on the same network, usually M247. While a carrier like Comcast has thousands of peering agreements and much more diverse routing. This means all traffic coming out of a VPN is viewable by a tiny group of network providers.

Sure, I would probably trust Cogent over Comcast, but the current state of the VPN market seems very stagnant in actually diverse network routing.

It's really hard to recommend a VPN for people who are actually privacy conscious simply because you're moving your data to a handful of transit providers that aren't put under nearly as much scrutiny as a normal consumer ISP.

[drivebycomment]

HTTPS already provides the same protection. VPN doesn't add anything for that.

About the only meaningful feature VPN provides is presenting a different IP address to the server.

VPN provides negligible extra security for most people, while adding extra exposure.

[CuriousCosmic]

VPNs are significantly better wrt protection than HTTPS.

VPNs create a separation between the client and the server (as you mentioned) so not only can the server (or those eavesdropping on the server's connection) not see the client's IP, those eavesdropping on the client can't see what services they are connecting to (other than the VPN).

Of course by combining knowledge from multiple sources you can still build a fingerprint but VPNs with sufficient utilization can serve as a mixer to obfuscate which users are taking part in which traffic. Doubly so if the VPN supports multi-hop routing where the client side VPN and the server side VPN are at different sites.

Really as long as you aren't leaking DNS and you use a reasonably secure + well utilized VPN, your client should appear as a black box that shouts opaque contents at a single server without leaking many details about the actual communication taking place.

Compare this with HTTPS + no VPN where only the contents are obscured and everyone eavesdropping (aka the ISP or anyone on the same network) can see every service you are connected to. That alone should be enough to fingerprint a given connection to a specific user.

[hunter2_]

I assume there's a sizable segment of VPN users who enjoy torrenting without DMCA letters catching up with them, FWIW. HTTPS doesn't help much with that.

[wepple]

I agree that VPNs are generally over-hyped, but they absolutely offer an increase in protection here.

ISPs have historically done slimey things like hijacking DNS, and HTTPS leaks tons of metadata like what sites you’re browsing and for how long, and what user agents you have can easily be fingerprinted. And there are still too many IoT and mobile apps that don’t strictly use TLS for everything.

[tesseract]

We concentrated in one place the internet traffic of people who care enough about privacy that they are willing to pay for an extra service. What could go wrong!?

[kornhole]

Yes I know the trust requirement of VPN's and hear this all the time. I run my own VPN. The point is that the carrier has too little data to identify me.

[chairmanwow1]

Lol this is not the same with most people. Pretty incredible if true. Timing attacks are pretty powerful though. Only one person has likely been to all the same places at you at the same time over the past week.

[kornhole]

I don't have a regular movement pattern and only activate the SIM when needed. I also rotate SIM's with my partner to confuse things more. We are part of a budding trend.

[rrdharan]

If you really want to be safe you should eat your SIM card.

https://youtu.be/wxJkLKjdMcc

[poisonbug]

> I buy my SIM cards anonymously.

What's the methodology for doing this successfully?

[kornhole]

Use cash to buy prepaid SIM card from someplace like Bustbuy.

Use virtual card from service such as privacy.com to add funds.

Never make calls or SMS with the SIM card number. Instead use VOIP such as jmp.chat or voip.ms.

[ShredKazoo]

What threat model does this help with?

[kornhole]

This is for anybody who does not want their call and SMS history, location history, or billing information leaked, breached, or sold to government or commercial entities.

[ravel-bar-foo]

Phone carrier metadata tracking for https and MITM and advertisement insertion into non-secured web pages.

[sofixa]

> MITM and advertisement insertion into non-secured web pages.

Which for all intents and purposes don't exist anymore.