Google Fi seemingly affected by latest T-Mobile data breach (9to5google.com)
190 points by CurrentB on Jan 31, 2023 | hide | past | favorite | 82 comments



Not everyone got this version of the notice. Here's a reddit user who posted [1] that they were SIM swapped:

> Additionally, on January 1, 2023 for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.

[1]: https://old.reddit.com/r/GoogleFi/comments/10pjtie/google_fi...


Oof, that's not good. As a Fi user, I'm pretty angry at the moment even though I got the other version of the notice. That's because one of the main reasons I was using Fi in the first place was the perceived protection against sim swapping, via a super locked down special purpose Google account and the apparent inability of T-Mobile CSRs to access Fi customer data. The first thing I thought upon reading the notice was usefulness for sim swapping, and my heart fell upon reading your comment.

Good reminder that SMS 2fa fucking sucks and so do the institutions that insist on it, especially those that offer other forms of 2fa but treat SMS as a fallback (why why why why why).


The why is obvious.

People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.

After that, how do you prove that someone owns their account?

Send a photocopy of your passport? No way to edit a picture, right?

Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.

Tell them tough luck?

The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.


In Germany there is a process called PostIdent by Deutsche Post. Any business can send you a QR code which you take to the local post office, and a teller will verify your ID. The business is notified almost instantly and you can proceed with whatever is needed.

It's a nice and smooth process.

Businesses could also use the German government ID, which has a chip with cryptography functionality built in.


> Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...

I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.


BankIdent is also quite smooth, a simple bank transfer to confirm your identity.


I have used both. During that time I've lost access to SMS due to my phone breaking (twice), I have lost permanent access to online banking because the bank will not accept an international number. I came extremely close to losing access to my entire Google account because I use Fi and you need to sign into Google to activate it on your phone, but you need to be able to receive SMS to sign in to Google.

Meanwhile, I have multiple yubikeys that are as hard to lose or break as a house key. Google is kind of the only site that supports hardware tokens, but you can add multiple to your account. I can't think of a single site that allows multiple phone numbers for SMS 2fa.


> I have multiple yubikeys that are as hard to lose or break as a house key.

Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.

Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).


It's not the same though. You can never do the equivalent of locking your yubikey inside the house.


Yeah I've got enough yubikeys that I'm very unlikely to lose them all. The only thing that I'm vulnerable to right now is a house-burns-down kind of situation, and I'm considering storing a yubikey at someone else's house to get offsite backup.


The solution is a government issued key pair. Probably on a Yubikey type of device. Replacing a lost one of those is then the same process as replacing a lost driver's license / passport / other government issued identification.

By 2023 it's high time for these forms of identification to catch up with the digital age. It's high time to end the joke of verifying identity by birthday, SSN, "in-security questions", and other easily leaked information. And obviously 2FA by SMS is not good either.


I can't say the idea of a verifiable government ID being demanded by every social media or other sign-up sounds that thrilling to me. It'll just be Facebook demanding a scan of your driver's license in a different form. The SMS verification step where your phone number is demanded "only for security" (and then used for advertising 10 minutes later) is bad enough, but at least it is still possible (if onerous) to get some separation there.

I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.


I think Estonia started doing this like 20 years ago. [1]

[1] https://e-estonia.com/solutions/e-identity/id-card/


The German national ID contains an NFC smartcard since 2010. Unfortunately, adoption has been quite slow. Many companies still use some wonky video based authentication procedure. I guess they believe that installing a separate app is too hard for many users, and filming the ID is easier.


We should just have state-issued licenses with chips. At the bank I show my license; on the bank website it reads the chip and PIN off my license.


Not to mention most of the "replacements" are often service specific authenticator apps of dubious quality that might even refuse to run on your device for various reasons.

In comparison, SMS works the same for all services - it's an easy choice.


Recently, Instagram asked to verify an account I have been using for the past 2 years. Spent over $100 on ads.

I felt stupid and embarrassed taking my own selfie with a piece of paper with a number written on it. But then I would have lost my account, so I had to do it.


Venmo requested something similar from me a few years ago for an account with 0 activity. Except they wanted a passport or driver's license with a selfie. This was an account without any bank account or cards attached to it. I hadn't used it to pay or receive any money. But it wasn't a new account. I had it for like 3 years and just never used it like I thought I would need to.

I understand needing to verify the identity of people transferring large amounts of money, but it was a ridiculous ask for someone who just wanted it to send a friend 10 bucks for lunch. I just used another app, and my identity is still frozen in Venmo to this day. The silver lining is that no one can open an account with my information to circumvent the freeze, so I'm safe in that respect on Venmo.


i used to use linkedin from a different location from my current one. i didn't think about this but when i tried to log in from my present location, it said something bullshit about "security" and now i am forced to upload my passport for verification and they pinky promise to delete the photo after verification. no fucking way


Facebook decided they wanted my drivers license to verify my account that I wanted to log in to to pull some very old pictures off of it and never think about it ever again.

You have to use the camera on a device, you can’t upload an image file (which just makes things more obnoxious, not any more secure). They tell you they’ll keep the photo stored for a year to better improve their process or whatever other bullshit. You can opt to have them only store it for one month (how nice of them) but when you do that it totally resets the flow of everything so you have to do everything all over again, and it makes it seem like you’re stuck in an endless loop of doing that so you’ll just let them keep it for a year.

I caved and did it. There was no time to verify. I was just able to login.

So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.


Well, banks seem pretty happy with the safety of USPS for sending cards, so how about sending the person a letter with a one-time code?

The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.

(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)


Solution is multiple yubikeys or printing out backup codes.


How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.

Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.


This has been what stops me from going full webauthn, instead right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey), I haven't touched one of the yubikeys in a year but I know that if I lose the other two it can still decrypt my passwords.

The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)


> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices. I keep one at my office, one at home and carry one in my pack.

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido


Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?


Although these keys are intended to be stored on a keychain, I don't know of anyone that actually uses them that way. If you work remotely, there's just no need to have your keys on you most of the time. One of my keys is a 5C Nano and it just sits in the laptop all day long. So, if my house burns, I'm losing any keys in the house along with it.

As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.


I had a good fireproof safe burn once; it fused the sand or whatever material is between the layers of metal. I was never able to get back into it.


I just have one in my drawer and one in my bag / always connected to my Mac

Then printed backup sheets like 1Password's somewhere offsite (still needs the master password to be usable).


I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??


Maybe? I really don't know. I dual-boot a Linux & Windows workstation and have a macOS laptop, so I haven't looked too deeply into platform-specific solutions. For now, I stick with Yubikeys. Complicating things further is for some accounts I'd like to give my wife access and she has her own keys and own devices. I've hit the key registration limit on some sites.


The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home computer.


Fi is an MVNO - there's apparently some sort of magical mapping between Fi numbers and network-specific numbers that still end up on the network's infrastructure (there apparently used to be issues with 911 operators seeing the network-specific number rather than the actual Fi number), and the mapping of that network-specific number onto an IMSI is still going to be under the control of that network. It's possible to block front-end agents from being able to do anything with that, but if someone compromises network infrastructure then it seems like it's hard to protect against it?


> could have involved the use of your phone number to send and receive phone calls

Surely from their logs they know if these calls/texts happened?

If, during that period, no calls/SMSes occurred, then there has been no breach - the attacker was close to their target, but walked away with nothing.

If messages/calls were made, the user really needs to know who they were to/from to make any informed decisions. And Google has those logs.


> Surely from their logs they know if these calls/texts happened?

Why would they have logs of calls/texts that weren't routed to them?


Straight to a write only bucket in Maryland.


Has anyone been able to confirm that this actually happened?


A reasonable headline could state "Google Fi essentially not affected by latest T-Mobile data breach". Look at the data "breached":

> limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.

> It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.

I mean, that's almost the minimum amount of data T-Mobile has to have to provide the service to Google Fi customers, and nothing else. The actual customer data is probably stored at Google, and is perfectly safe. The chances of someone being able to use the leaked data in a nefarious way seem practically nil.


I mean the fact is that Google Fi gave my information to a third party that suffered from a breach, which leaked some amount of data. I’m happy it’s not that much data, personally, but it’s still a breach. And from other comments in the thread it seems like some were affected more than that.


I don't see anywhere in the statement where Fi customer information is given to a third party. Here's what it says:

>system is used for Google Fi customer support purposes and contains limited data including when your account was activated, data about your mobile service plan, SIM card serial number, and active or inactive account status.

>It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver’s license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi, or the contents of any SMS messages or calls.


SIM swaps were reported, so this is definitely a breach that impacts Google Fi customers.


[flagged]


Oof. Trying to be a grammar pedant on the internet and getting it wrong. Big L there, homes.


Are you sure that's an attempted grammar nitpick? I thought they were saying the data lost clearly is non-negligible.


I suppose I'm not, but given the parent is flagged and dead, and I've got a handful of upmods...my interpretation was the same as many others.

This highlights the importance of clear communication.


Well, my interpretation still doesn't make it a good comment. I'm not against it being dead, even if it was completely clear and my interpretation was the only one.


When will T-Mobile take accountability for their repeated data breaches and fix the systemic issues? Is there anyone in the company who cares enough to do something?


The annual T-Mobile data breach is a tradition at this point. 2022 was set to break that tradition but the breach just happened to run a few weeks late.


The FTC filing says they first got popped in November 2022, so it’s still an annual tradition.

Also, they only report the breaches they actually know about. From my understanding of T-mobile, they probably only find a breach when someone completely stumbles into it. For every one they discover I bet there’s 10 they don’t, hah


The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.

I buy my SIM cards anonymously. I never use cellular near my house and only use it for data over a VPN. So it would not affect me if all of their data was breached.


>The same probably goes for other MVNO carriers such as Mint and Ting. The PII and billing data is with the MVNO carriers.

Are you sure? In the previous T-Mo breach Ting claimed the opposite.

https://help.ting.com/hc/en-us/community/posts/4405384603291...

>the kind of Ting Mobile customer data at issue in this data breach is not stored on T-Mobile servers. Ting Mobile holds its own customer database on our own servers. The kind of data T-Mobile does have access to are things that are network-specific, like your phone number, SIM card number, usage data, and IMEI.

>T-Mobile does not have access to the Ting Mobile database of names, email addresses, credit card information, etc. Your information is protected and secure from what the hackers claim to have collected.


Thanks. I was not sure. MVNO contracts could differ. This gives me more reason to hide my identity by using SIM cards carefully.


> only use it for data over a VPN

Unless you run this yourself, I don't understand why you or anyone thinks that adds to their data integrity. VPNs can be, have been, and are the subject of break-ins and have their own agenda and/or government oversight.

People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so, the reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.

All while making performance, in particular latency, worse.


In the context of not trusting your ISP (the mobile provider in this case) a VPN provides a lot of security. You aren’t “adding an extra point of trust or potential failure”, you are choosing to trust your VPN provider instead of your ISP.


VPNs still have massive problems with network diversity. They often rely on a tiny subset of transit providers, usually just Cogent/HE/Telia and some straight up all run on the same network, usually M247. While a carrier like Comcast has thousands of peering agreements and much more diverse routing. This means all traffic coming out of a VPN is viewable by a tiny group of network providers.

Sure, I would probably trust Cogent over Comcast, but the current state of the VPN market seems very stagnant in actually diverse network routing.

It's really hard to recommend a VPN for people who are actually privacy conscious simply because you're moving your data to a handful of transit providers that aren't put under nearly as much scrutiny as a normal consumer ISP.


HTTPS already provides the same protection. VPN doesn't add anything for that.

About the only meaningful feature VPN provides is presenting a different IP address to the server.

VPN provides negligible extra security for most people, while adding extra exposure.


VPNs are significantly better wrt protection than HTTPS.

VPNs create a separation between the client and the server (as you mentioned) so not only can the server (or those eavesdropping on the server's connection) not see the client's IP, those eavesdropping on the client can't see what services they are connecting to (other than the VPN).

Of course by combining knowledge from multiple sources you can still build a fingerprint but VPNs with sufficient utilization can serve as a mixer to obfuscate which users are taking part in which traffic. Doubly so if the VPN supports multi-hop routing where the client side VPN and the server side VPN are at different sites.

Really as long as you aren't leaking DNS and you use a reasonably secure + well utilized VPN, your client should appear as a black box that shouts opaque contents at a single server without leaking many details about the actual communication taking place.

Compare this with HTTPS + no VPN where only the contents are obscured and everyone eavesdropping (aka the ISP or anyone on the same network) can see every service you are connected to. That alone should be enough to fingerprint a given connection to a specific user.


I assume there's a sizable segment of VPN users who enjoy torrenting without DMCA letters catching up with them, FWIW. HTTPS doesn't help much with that.


I agree that VPNs are generally over-hyped, but they absolutely offer an increase in protection here.

ISPs have historically done slimy things like hijacking DNS, and HTTPS leaks tons of metadata like what sites you’re browsing and for how long, and what user agents you have can easily be fingerprinted. And there are still too many IoT and mobile apps that don’t strictly use TLS for everything.


We concentrated in one place the internet traffic of people who care enough about privacy that they are willing to pay for an extra service. What could go wrong!?


Yes I know the trust requirement of VPN's and hear this all the time. I run my own VPN. The point is that the carrier has too little data to identify me.


Lol this is not the same with most people. Pretty incredible if true. Timing attacks are pretty powerful though. Only one person has likely been to all the same places as you at the same time over the past week.


I don't have a regular movement pattern and only activate the SIM when needed. I also rotate SIMs with my partner to confuse things more. We are part of a budding trend.


If you really want to be safe you should eat your SIM card.

https://youtu.be/wxJkLKjdMcc


[flagged]



> You're paranoid-delusional, and engaging in cargo-cult spycraft where your education seems to be mostly centered around watching hollywood "lone wolf, former spy / contract killer trying to stay off the radar" type movies.

> you're nowhere near as interesting or important as you seem to think you are.

You actually had some decent points; are the aggressive personal attacks really necessary?

Or as the site guidelines put it,

> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."


Fine, I'll try to dial it back.

Also: telling someone they're not remotely as interesting as they think they are is not an insult, it's a factual statement that nobody who engages in the sort of tracking OP is worried about would be interested in tracking the vast, vast, vast majority of us. But since you're quoting the rule book, I'll qualify it.


It's certainly an insult. Stating facts (let's assume you're right about that) can still be insults. Imagine telling a middle schooler all about the acne on their face.

p.s. I posted https://news.ycombinator.com/item?id=34606566 before seeing this subthread; I didn't mean to pile on. But yes, please dial it back. You've broken the site guidelines a great deal and I don't want to ban you.


> I buy my SIM cards anonymously.

What's the methodology for doing this successfully?


Use cash to buy a prepaid SIM card from someplace like Best Buy.

Use virtual card from service such as privacy.com to add funds.

Never make calls or SMS with the SIM card number. Instead use VOIP such as jmp.chat or voip.ms.


What threat model does this help with?


This is for anybody who does not want their call and SMS history, location history, or billing information leaked, breached, or sold to government or commercial entities.


Phone carrier metadata tracking for HTTPS, and MITM and advertisement insertion into non-secured web pages.


> MITM and advertisement insertion into non-secured web pages.

Which for all intents and purposes don't exist anymore.


This could be a dumb question, and I assume the answer is no, but could the SIM serial data potentially be used to aid in a SIM spoof attack?


At least 1 reported case of a Fi customer being SIM swapped because of this breach.


I feel like there's more to that situation, since he had multiple accounts compromised.


Or to facilitate a SIM swap?


Kind of upset that Google didn’t provide any details about the context of the breach itself in the email they sent me, just a vague “someone had a breach and don’t blame us”.


If anyone is worried about a potential SIM swap attack due to this breach, you can order a new SIM card free of charge at https://fi.google.com/ordersim


Because it’s buried a few links deep:

T-Mobile detected the breach January 5 and shut it down “within a day”

But

It started approximately November 25th, so the attackers were there for at least a month and a half, pulling 37,000,000 records before anyone noticed.


After all these years, Google Fi still has NOT added 5G support on iPhones, and now another data breach, nice!


I signed up for Google Fi after the breach... But yikes.



