Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data

It hasn’t been a good week for telecommunications companies: security researchers have uncovered security flaws with systems at AT&T, Sprint, and T-Mobile that could have left customer data accessible to bad actors.

Yesterday, BuzzFeed News reported two flaws that left customer information vulnerable at AT&T and T-Mobile. In T-Mobile’s case, an “engineering mistake” between Apple’s online storefront and T-Mobile’s account validation API allowed an unlimited number of attempts on an online form, which would let a hacker use commonly available tools to guess an account PIN or the last four digits of a customer’s social security number, in what’s called a brute-force attack.

A similar problem occurred with phone insurance company Asurion and its AT&T customers. An online claims form gave anyone who knew a customer’s phone number unlimited guesses at that customer’s passcode, leaving it vulnerable to the same kind of brute-force attack.

In each case, both companies fixed the vulnerabilities when contacted by BuzzFeed News.
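As an added illustration, not code from the article or from any of the companies named, here is a hypothetical PIN verifier that shows why an unlimited-attempt form falls to plain enumeration of the 10,000 possible four-digit values, and how a per-account attempt cap bounds an attacker’s odds; the class, account identifier and sample PIN are all constructed for the example.

```python
"""Constructed example: an unbounded PIN check versus one with a per-account
attempt cap. All names and values here are hypothetical."""
import hmac

PIN_SPACE = 10_000  # a 4-digit PIN or the last 4 of an SSN has only 10,000 values


class PinVerifier:
    """Hypothetical account-PIN check. max_attempts=None reproduces the
    unlimited-attempt behaviour the article describes."""

    def __init__(self, pin: str, max_attempts=None):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failed = {}       # account -> consecutive failed attempts
        self.locked = set()    # accounts that hit the cap

    def check(self, account: str, guess: str) -> bool:
        if account in self.locked:
            return False       # locked accounts reject every guess, right or wrong
        ok = hmac.compare_digest(self._pin, guess)  # constant-time comparison
        if ok:
            self.failed[account] = 0
            return True
        self.failed[account] = self.failed.get(account, 0) + 1
        if self.max_attempts is not None and self.failed[account] >= self.max_attempts:
            self.locked.add(account)
        return False


def simulate_enumeration(verifier: PinVerifier, account: str = "555-0100"):
    """Defender's view of exposure: how many guesses an attacker gets before the
    PIN is recovered or the account locks. Returns (found, attempts_used)."""
    for n in range(PIN_SPACE):
        if verifier.check(account, f"{n:04d}"):
            return True, n + 1
        if account in verifier.locked:
            return False, n + 1
    return False, PIN_SPACE


if __name__ == "__main__":
    # Unlimited attempts: the PIN is always found within 10,000 guesses.
    print(simulate_enumeration(PinVerifier("7342")))
    # With a cap of 5, enumeration stops at 5 guesses: 5/10,000 = 0.05% chance per account.
    print(simulate_enumeration(PinVerifier("7342", max_attempts=5)))
```

The cap alone is not a complete fix; production systems also rate-limit by source and alert on lockout spikes, but even this small change turns a guaranteed recovery into a 0.05% chance per locked account.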

In another instance this weekend, TechCrunch reported that security researchers were able to access an internal staff portal at Sprint because of “weak, easy-to-use usernames and passwords,” compounded by the lack of two-factor authentication. Once in, the researcher was reportedly able to access customer account information for Sprint, Boost Mobile, and Virgin Mobile. The researcher also reported that anyone who gained access could make changes to customer accounts, and that customer PINs could be brute-forced. A Sprint spokesperson confirmed the vulnerability to TechCrunch, said the company didn’t believe any customers were affected, and said it is working to fix the issue.

It’s worth noting that vulnerabilities aren’t necessarily breaches, but it’s vulnerabilities such as these that allow bad actors to gain access to a system and exploit the customer data they find there. These systems are by necessity complicated: companies like AT&T, Sprint, and T-Mobile have to balance giving employees the access they need to do their jobs with giving customers access to their own information. But given the harm that a malicious actor can do with the vast amounts of data these companies hold, it’s clear that they need to be more proactive in protecting their customers.

Customer sues AT&T for negligence over SIM hijacking that led to millions in lost cryptocurrency

US entrepreneur and cryptocurrency investor Michael Terpin is suing AT&T for negligence and fraud that he claims resulted in millions of dollars worth of cryptocurrency tokens being stolen from his account. Terpin says AT&T was his mobile carrier when criminals accessed his cellphone account by carrying out SIM swap fraud. They then stole the tokens and allegedly transferred his account to an international criminal gang. Terpin is suing for the $23.8 million and an additional $200 million in punitive damages. AT&T told Reuters in a statement that it disputed these allegations.

SIM hijacking occurs when a phone number is transferred to a different SIM card than the account owner’s without authorization or approval. Having access to a phone number is a very valuable method of hijacking other digital accounts. Motherboard did a great rundown on the growing threat. The stolen phone number was used to hack Terpin’s account, and on January 7th, three million cryptocurrency tokens worth (at the time) $23.8 million were stolen. The complaint doesn’t specify which kinds of cryptocurrency Terpin had, but given that prices have fallen since January, the stolen tokens are likely worth far less now.

The complaint reads: “what AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewelry in the safe from the rightful owner.” SIM card fraud that targets owners holding large amounts of cryptocurrency is a real phenomenon that US authorities have had to deal with in recent months.