Example of Security Incident

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 2 min read

Thimou (2018) outlined the breach of T-Mobile’s customer data identified by security researcher Ryan Stevenson. Ryan found an unprotected subdomain used by T-Mobile employees to look up customers’ personal account details for possible promotional offers. The unprotected tool required no password and allowed anyone to append a phone number to the URL and fetch details such as:


1. Customer’s full name

2. Customer’s mailing address

3. Account PINs, which are used by customer service to challenge and verify customer’s identity

4. Billing account information

5. Past due bill notices

6. Service suspension notices

7. Tax identification, in some cases (2018)


It was also found that the URL was easily discoverable on Google and other search engines, thus exposing customers’ personal information to anyone with nothing more than a browser (Thimou, 2018). The account PIN, which was also part of the leak, can lead to SIM hijacking. SIM hijacking is defined as the phenomenon where anyone with access to someone’s PIN can impersonate him or her during a call with customer service, thus enabling the modification, addition or removal of telephony services (2018). T-Mobile reported the incident to the authorities and has already patched the vulnerability (Hall, 2018). The researcher who found the vulnerability is a seasoned ‘white hat hacker’ or ‘ethical hacker’ and was rewarded with a bug bounty by T-Mobile (2018).


Issues like T-Mobile’s portal can be fixed by combining several measures, such as:

1. Making the subdomain or hyperlink accessible only within the corporate T-Mobile network, which makes the URL unsearchable and unreachable through widely used search engines like Google.

2. Adding two-factor authentication using hard or soft tokens.

3. Encrypting all customer information so that a bulk leak would not lead to a catastrophe like T-Mobile’s.

4. Limiting access to sensitive information like this to fewer people.

5. Implementing a password expiry of 30 days or even fewer.

6. Requiring the customer’s approval to unlock the subscriber information view, by requiring confirmation from the subscriber through text, email or voice call.
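To make the failure and the remedies concrete, here is an added example (not from the original post or from T-Mobile) modelling the lookup tool described above: a vulnerable handler that returns the full record, PIN included, for any phone number, beside a hardened handler that applies fixes 1, 2, 4 and 6 and keeps the PIN server-side. The customer record, session, corporate address range and function names are all constructed for the example; encryption at rest (fix 3) and password expiry (fix 5) belong to the surrounding platform and are not shown.

```python
import hmac
import ipaddress
import secrets

# Constructed sample record standing in for the customer database; the
# leaked tool returned every field below, PIN included, for any phone number.
CUSTOMERS = {
    "5551234567": {"name": "Jane Doe", "address": "1 Example St, Sampletown",
                   "pin": "4321", "billing": "current, no past-due notices"},
}
# Constructed employee session (issued only after login plus a second factor)
# and the constructed corporate range that may reach the tool.
SESSIONS = {"sess-abc": {"user": "agent01", "role": "care_agent", "mfa": True}}
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
CONSENT_CODES: dict[str, str] = {}   # phone -> one-time code sent to the subscriber
AUDIT_LOG: list[str] = []


def vulnerable_lookup(phone: str) -> dict:
    """Before: anyone who appends a number to the URL gets the full record."""
    return dict(CUSTOMERS.get(phone, {}))


def issue_consent_code(phone: str) -> str:
    """Fix 6: generate a code the subscriber receives by text, email or call."""
    code = f"{secrets.randbelow(10**6):06d}"
    CONSENT_CODES[phone] = code
    return code   # delivered to the customer, never shown to the agent


def hardened_lookup(session_id: str, phone: str, consent_code: str, source_ip: str) -> dict:
    """After: MFA session (fix 2), internal network (fix 1), limited role (fix 4),
    subscriber consent (fix 6), an audit trail, and the PIN never leaves the server."""
    sess = SESSIONS.get(session_id)
    if sess is None or not sess["mfa"]:
        raise PermissionError("authenticated session with second factor required")
    if ipaddress.ip_address(source_ip) not in CORPORATE_NET:
        raise PermissionError("tool reachable from the corporate network only")
    if sess["role"] != "care_agent":
        raise PermissionError("role is not allowed to view subscriber details")
    expected = CONSENT_CODES.pop(phone, None)   # single use, consumed on any attempt
    if expected is None or not hmac.compare_digest(expected, consent_code):
        raise PermissionError("subscriber has not confirmed this lookup")
    AUDIT_LOG.append(f"{sess['user']} viewed account {phone}")
    record = CUSTOMERS.get(phone, {})
    return {k: v for k, v in record.items() if k != "pin"}


def verify_pin(phone: str, claimed_pin: str) -> bool:
    """Agents confirm a caller's PIN by comparison instead of ever seeing it."""
    record = CUSTOMERS.get(phone)
    return record is not None and hmac.compare_digest(record["pin"], claimed_pin)
```

Because the PIN is only ever compared, not returned, a future leak of the lookup responses would no longer hand an attacker the credential used for SIM hijacking.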


References:

Hall, G. T-Mobile data breach might affect millions of customers. Retrieved from https://www.2-spyware.com/t-mobile-data-breach-might-affect-millions-of-customers

Thimou, T. (2018). T-Mobile website data breach exposed customer addresses, PINs. Retrieved from https://clark.com/protect-your-identity/t-mobile-website-data-breach-exposed-customer-addresses-pins/
