Google Fi seemingly affected by latest T-Mobile data breach
9to5google.comNot everyone got this version of the notice. Here's a reddit user who posted [1] that they were SIM swapped:
> Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.
[1]: https://old.reddit.com/r/GoogleFi/comments/10pjtie/google_fi...
Oof, that's not good. As a Fi user, I'm pretty angry at the moment even though I got the other version of the notice. That's because one of the main reasons I was using Fi in the first place was the perceived protection against sim swapping, via a super locked down special purpose Google account and the apparent inability of T-Mobile CSRs to access Fi customer data. The first thing I thought upon reading the notice was usefulness for sim swapping, and my heart fell upon reading your comment.
Good reminder that SMS 2fa fucking sucks and so do the institutions that insist on it, especially those that offer other forms of 2fa but treat SMS as a fallback (why why why why why).
The why is obvious.
People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.
After that, how do you prove that someone owns their account?
Send a photocopy of your passport? No way to edit a picture, right?
Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.
Tell them tough luck?
The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.
In Germany there is a process called PostIdent by Deutsche Post. Any business can send you a QR code which you take to the local post office and a teller will verify your ID. The business is being notified next to instantly and you can proceed with whatever is needed.
It's a nice and smooth process.
Businesses could also use the German government ID, which has a chip with cryptography functionality built in.
> Businesses could also use the German government ID, which has a chip with cryptography functionality built in.
Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...
I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.
BankIdent is also quite smooth, a simple bank transfer to confirm your identity.
I have used both. During that time I've lost access to SMS due to my phone breaking (twice), I have lost permanent access to online banking because the bank will not accept an international number. I came extremely close to losing access to my entire Google account because I use Fi and you need to sign into Google to activate it on your phone, but you need to be able to receive SMS to sign in to Google.
Meanwhile, I have multiple yubikeys that are as hard to lose or break as a house key. Google is kind of the only site that supports hardware tokens, but you can add multiple to your account. I can't think of a single site that allows multiple phone numbers for SMS 2fa.
> I have multiple yubikeys that are as hard to lose or break as a house key.
Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.
Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).
It's not the same though. You can never do the equivalent of locking your yubikey inside the house.
Yeah I've got enough yubikeys that I'm very unlikely to lose them all. The only thing that I'm vulnerable to right now is a house-burns-down kind of situation, and I'm considering storing a yubikey at someone else's house to get offsite backup.
The solution is a government issued key pair. Probably on a Yubikey type of device. Replacing a lost one of those is then the same process as replacing a lost driver's license / passport / other government issued identification.
By 2023 it's high time for these forms of identification to catch up with the digital age. It's high time to end the joke of verifying identity by birthday, SSN, "in-security questions", and other easily leaked information. And obviously 2FA by SMS is not good either.
I can't say the idea of a verifiable government id being demanded by every social media or other sign up sounds that thrilling to me. It'll just be facebook demanding a scan of your driver's license in a different form. The SMS verification step where you phone number is demanded "only for security" (and then used for advertising 10 minutes later) is bad enough, but at least it is still possible (if onerous) to get some some separation there.
I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.
I think Estonia started doing this like 20 years ago. [1]
The German national ID contains an NFC smartcard since 2010. Unfortunately, adoption has been quite slow. Many companies still use some wonky video based authentication procedure. I guess they believe that installing a separate app is too hard for many users, and filming the ID is easier.
We should just have state issues licenses with chips. At the bank I show my license; on bank website it reads the chip and pin off my license.
Not to mention most of the "replacements" are often service specific authenticator apps of dubious quality that might even refuse to run on your device for various reasons.
In comparison SMS works the same for all services - its an easy choice.
Recently, Instagram asked to verify an account I have been using for past 2 year. Spent over $100 on ads.
I felt stupid and embarassed taking my own selfie with a piece of paper with a number written on it. But then I would have lost my account, had to do it.
Venmo requested the something similar from me a few years ago for an account with 0 activity. Except they wanted a passport or driver's license with a selfie. This was an account without any bank account or cards attached to it. I hadn't used it to pay or receive any money. But it wasn't a new account. I had for like 3 years and just never used it like I thought I would need to.
I understand needing to verify the identity of people transferring large amounts of money, but it was a ridiculous ask for someone who just wanted it to send a friend 10 bucks for lunch. I just used another app, and my identity is still frozen in Venmo to this day. The silver lining is that no one can open an account with my information to circumvent the freeze, so I'm safe in that respect on Venmo.
i used to use linkedin from a different location from my current one. i didn't think about this but when i tried to log in from my present location, it said something bullshit about "security" and now i am forced to upload my passport for verification and they pinky promise to delete the photo after verification. no fucking way
Facebook decided they wanted my drivers license to verify my account that I wanted to log in to to pull some very old pictures off of it and never think about it ever again.
You have to use the camera on a device, you can’t upload an image file (which just makes things more obnoxious, not any more secure) They tell you they’ll keep the photo stored for a year to better improve their process or whatever other bullshit. You can opt to have them only store it for one month (how nice of them) but when you do that I totally resets the flow of everything so you have to do everything all over again and it makes it seem like you’re stuck in an endless loop of doing that so you’ll just let them keep it for a year.
I caved and did it. There was no time to verify. I was just able to login.
So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.
Well, banks seem pretty happy with the safety of USPS for sending cards, so how about sending the person a letter with a one-time code?
The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.
(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)
Solution is multiple yubikeys or printing out backup codes.
How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.
Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.
Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.
This has been what stops me from going full webauthn, instead right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey), I haven't touched one of the yubikeys in a year but I know that if I lose the other two it can still decrypt my passwords.
The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)
> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys
Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices also. I keep one at my office, one at home and carry one in my pack.
I too wish there were a way to keep them in sync or back them up.
Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido
Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.
Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?
Although these keys are intended to be stored on a keychain, I don't know of anyone that actually uses them that way. If you work remotely, there's just no need to have your keys on you most of the time. One of my keys is a 5C Nano and it just sits in the laptop all day long. So, if my house burns, I'm losing any keys in the house along with it.
As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.
I had a good fireproof safe burn once it fused the sand or whatever material is between the layers of metal. I was never able to get back into it.
I just have one in my drawer and one in my bag / always connected to my Mac
Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)
I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??
Maybe? I really don't know. I dual-boot a Linux & Windows workstation and have a macOS laptop, so I haven't looked too deeply into platform-specific solutions. For now, I stick with Yubikeys. Complicating things further is for some accounts I'd like to give my wife access and she has her own keys and own devices. I've hit the key registration limit on some sites.
The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.
Fi is an MVNO - there's apparently some sort of magical mapping between Fi numbers and network-specific numbers that still end up on the network's infrastructure (there apparently used to be issues with 911 operators seeing the network-specific number rather than the actual Fi number), and the mapping of that network-specific number onto an IMSI is still going to be under the control of that network. It's possible to block front-end agents from being able to do anything with that, but if someone compromises network infrastructure then it seems like it's hard to protect against it?
> could have involved the use of your phone number to send and receive phone calls
Surely from their logs they know if these calls/texts happened?
If, during that period no calls/sms's occurred, then there has been no breach - the attacker was close to their target, but walked away with nothing.
If messages/calls were made, the user really needs to know who they were to/from to make any informed decisions. And Google has those logs.
> Surely from their logs they know if these calls/texts happened?
Why would they have logs of calls/texts that weren't routed to them?
Straight to a write only bucket in Maryland.
Has anyone been able to confirm that this actually happened?
A reasonable headline could state "Google Fi essentially not affected by latest T-Mobile data breach". Look at the data "breached":
> limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
I mean, that's almost the minimum amount of data T-Mobile has to have to provide the service to Google Fi customers, and nothing else. The actual customer data is probably stored at Google, and is perfectly safe. The chances of someone being able to use the leaked data in a nefarious way seem practically nil.
I mean the fact is that Google Fi gave my information to a third party that suffered from a breach, which leaked some amount of data. I’m happy it’s not that much data, personally, but it’s still a breach. And from other comments in the thread it seems like some were affected more than that.
I don't see anywhere in the statement where Fi customer information is given to a third party. Here's what it says:
>system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.
>It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.
SIM swaps were reported, so this is definitely a breach that impacts Google Fi customers.
When will T-Mobile take accountability for their repeated data breaches and fix the systemic issues? Is there anyone in the company who cares enough to do something?
The annual T-Mobile data breach is a tradition at this point. 2022 was set to break that tradition but the breach just happened to run a few weeks late.
The FTC filing says they first got popped in November 2022, so it’s still an annual tradition.
Also, they only report the breaches they actually know about. From my understanding of T-mobile, they probably only find a breach when someone completely stumbles into it. For every one they discover I bet there’s 10 they don’t, hah
The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.
I buy my SIM cards anonymously. I never use cellular near my house and only use it for data over a VPN. So it would not affect me if all of their data was breached.
>The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.
Are you sure? In the previous T-Mo breach Ting claimed the opposite.
https://help.ting.com/hc/en-us/community/posts/4405384603291...
>the kind of Ting Mobile customer data at issue in this data breach is not stored on T-Mobile servers. Ting Mobile holds its own customer database on our own servers. The kind of data T-Mobile does have access to are things that are network-specific, like your phone number, SIM card number, usage data, and IMEI.
>T-Mobile does not have access to the Ting Mobile database of names, email addresses, credit card information, etc. Your information is protected and secure from what the hackers claim to have collected.
Thanks. I was not sure. MVNO contracts could differ. This gives me more reason to hide my identity by using SIM cards carefully.
> only use it for data over a VPN
Unless you run this yourself, I don't understand why you nor anyone thinks that adds to their data integrity? VPNs can, have, and are the subject of break-ins and have their own agenda and or government oversight.
People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so, the reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.
All while making performance, in particular latency, worse.
In the context of not trusting your ISP (the mobile provider in this case) a VPN provides a lot of security. You aren’t “adding an extra point of trust or potential failure”, you are choosing to trust your VPN provider instead of your ISP.
VPNs still have massive problems with network diversity. They often rely on a tiny subset of transit providers, usually just Cogent/HE/Telia and some straight up all run on the same network, usually M247. While a carrier like Comcast has thousands of peering agreements and much more diverse routing. This means all traffic coming out of a VPN is viewable by a tiny group of network providers.
Sure, I would probably trust Cogent over Comcast, but the current state of the VPN market seems very stagnant in actually diverse network routing.
It's really hard to recommend a VPN for people who are actually privacy conscious simply because you're moving your data to a handful of transit providers that aren't put under nearly as much scrutiny as a normal consumer ISP.
HTTPS already provides the same protection. VPN doesn't add anything for that.
About the only meaningful feature VPN provides is presenting a different IP address to the server.
VPN provides negligible extra security for most people, while adding extra exposure.
VPNs are significantly better wrt protection than HTTPS.
VPNs create a separation between the client and the server (as you mentioned) so not only can the server (or those eavesdropping on the server's connection) not see the client's IP, those eavesdropping on the client can't see what services they are connecting to (other than the VPN).
Of course by combining knowledge from multiple sources you can still build a fingerprint but VPNs with sufficient utilization can serve as a mixer to obfuscate which users are taking part in which traffic. Doubly so if the VPN supports multi-hop routing where the client side VPN and the server side VPN are at different sites.
Really as long as you aren't leaking DNS and you use a reasonably secure + well utilized VPN, your client should appear as a black box that shouts opaque contents at a single server without leaking many details about the actual communication taking place.
Compare this with HTTPS + no VPN where only the contents are obscured and everyone eavesdropping (aka the ISP or anyone on the same network) can see every service you are connected to. That alone should be enough to fingerprint a given connection to a specific user.
I assume there's a sizable segment of VPN users who enjoy torrenting without DMCA letters catching up with them, FWIW. HTTPS doesn't help much with that.
I agree that VPNs are generally over-hyped, but they absolutely offer an increase in protection here.
ISPs have historically done slimey things like hijacking DNS, and HTTPS leaks tons of metadata like what sites you’re browsing and for how long, and what user agents you have can easily be fingerprinted. And there are still too many IoT and mobile apps that don’t strictly use TLS for everything.
We concentrated in one place the internet traffic of people who care enough about privacy that they are willing to pay for an extra service. What could go wrong!?
Yes I know the trust requirement of VPN's and hear this all the time. I run my own VPN. The point is that the carrier has too little data to identify me.
Lol this is not the same with most people. Pretty incredible if true. Timing attacks are pretty powerful though. Only one person has likely been to all the same places at you at the same time over the past week.
I don't have a regular movement pattern and only activate the SIM when needed. I also rotate SIM's with my partner to confuse things more. We are part of a budding trend.
If you really want to be safe you should eat your SIM card.
> I buy my SIM cards anonymously.
What's the methodology for doing this successfully?
Use cash to buy prepaid SIM card from someplace like Bustbuy.
Use virtual card from service such as privacy.com to add funds.
Never make calls or SMS with the SIM card number. Instead use VOIP such as jmp.chat or voip.ms.
What threat model does this help with?
This is for anybody who does not want their call and SMS history, location history, or billing information leaked, breached, or sold to government or commercial entities.
Phone carrier metadata tracking for https and MITM and advertisement insertion into non-secured web pages.
> MITM and advertisement insertion into non-secured web pages.
Which for all intents and purposes don't exist anymore.
This could be a dumb question, and I assume the answer is no, but could the SIM serial data potentially be used to aid in a SIM spoof attack?
At least 1 reported case of a Fi customer being SIM swapped because of this breach.
I feel like there's more to that situation, since he had multiple accounts compromised.
Or to facilitate a SIM swap?
Kind of upset that Google didn’t provide any details about the context of the breach itself in the email they sent me, just a vague “someone had a breach and don’t blame us”.
If anyone is worried about a potential SIM swap attack due to this breach, you can order a new SIM card free of charge at https://fi.google.com/ordersim
Because it’s buried a few links deep:
T-Mobile detected the breach January 5 and shut it down “within a day”
But
It started approximately November 25th, so the attackers were there for at least a month and a half, pulling 37,000,000 records before anyone noticed.
After all these years, Google Fi still has NOT add 5G support on iPhones, now another data breach, nice!
I signed up for Google Fi after the beach... But yikes.