[UPDATE] How to take over someone's phone number in T-Mobile? Too simple - Niebezpiecznik.pl

We "stole" someone's phone number. Although it should not be possible, it worked. We called the T-Mobile hotline and gave the victim's PESEL number and the serial number of an unregistered starter bought for a few zlotys. That's all. At T-Mobile this is enough to get a duplicate of someone's SIM card. No visit to a salon is needed. There is no need to provide any subscriber password, or to show or dictate data from the ID card of the owner of the number being "intercepted".

Do you have a T-Mobile number and are you panicking now? Good, because you should be. But that's not the end of the horror movie. T-Mobile, which we told about the vulnerability in the procedure, did not confirm that the problem had been fixed. It seems that ... convenience and speed of service matter more to the operator.

Therefore, we warn you:

(UPDATE: You ask whether the problem also applies to subscriptions. One consultant says yes, another says no. We have reports from subscription customers who were verified remotely with nothing but PESEL and were offered shipment of the card, and from others who were told that a duplicate was only available in the salon. Maybe it depends on how T-Mobile is contacted and on the reason given for requesting the duplicate. We do not know, so we will wait for T-Mobile's official position, and until then we suggest that, for your safety, you assume the same applies to subscriptions.)

Duplicating someone else's SIM card is a serious problem

Getting a duplicate SIM card shouldn't be easy. It should be very hard. Someone who succeeds can take over not only your calls and SMSs but also, which may be much scarier today, your money, by gaining access to your bank account, or your confidential data, by taking over your accounts on websites, e.g. an e-mail box that you set up with this phone number.

For example, if Prime Minister Morawiecki had his number in T-Mobile, his e-mail box could be seized in the manner we described above. The prime minister's PESEL number is known. His phone number can be determined quite quickly using a simple OSINT technique and, what is worse, everything indicates that the prime minister has not unlinked it from his Google account. So, after successfully obtaining a duplicate SIM card, someone could reset the password of the Prime Minister's Gmail account:

A gap discovered by chance

Our reader Tomasz, the author of an interesting blog and some interesting applications, decided some time ago to get a duplicate SIM card in T-Mobile. First, Tomasz asked T-Mobile in the chat about how to make a duplicate.

Yes, you read that right! The consultant stated that the only verification is the question about PESEL. Tomasz called the hotline and described the whole situation as follows:

Here, for the sake of order, let us clarify two points.

Let's repeat: PESEL. Is. Not. Secret. It is just that some companies, which is absolutely shameful, use it as a secret that lets a customer authenticate or authorize an operation. Such practices must be stamped out, so if you encounter them somewhere, please report them to us. We are collecting material for a new film. A thriller. We already have a poster!

Going back to the report we received from Tomasz ... At first it seemed to us that Tomasz was leaving something out. The procedure he described was so easy that it seemed impossible for an operator as large as T-Mobile to allow it. We rationalized it by assuming that perhaps the consultant was having a bad day and failed to verify Tomasz properly by mistake. That it was a one-time incident.

That's why we decided to do an experiment.

We got a SIM card

We purchased two starters and registered one of them. The first had a cool number, +4860XXXXXXX, the second was +4869YYYYYYY.

Interestingly, while the SIM card was being registered in the salon, our editor was asked to set a subscriber password "for activities related to the card". The password was 8 digits long. This made us very sad, because we thought that T-Mobile did have reasonable security after all, and that in our Reader's case the consultant had simply, by accident, not applied it.

As you can see, during registration we also provided a contact number, intentionally different from the registered number (it was +48ZZZZZZZZZ). We wanted to give T-Mobile a head start: the operator had another number noted on our account from which we could contact it.

We waited an hour and called the hotline. Importantly, we called from another, completely different number, +48AAAAAAAAA.

We introduced ourselves as the "victim" and told the following fairy tale:

The consultant told us that it is possible to transfer the number to another, not yet registered starter. We replied that fortunately we had such an unregistered starter at hand, so we asked for the transfer. Then the consultant verified us. He asked for the first name, last name and PESEL number, then for the number of the new starter (the long string of digits visible under the barcode).

Interestingly, the consultant entered this number into the system several times and allegedly obtained information that this unregistered starter was already registered (and that's how it is in life, problems are not where you expect). Then he determined that the problem might be that we haven't made any calls from our registered starter yet, so it's not active and can't be moved. Finally, after 13 minutes of conversation, we were promised that the new number would be transferred to the new card.

We waited 3 days for the number to be activated and nothing happened. We started to wonder whether some special safeguard had kicked in. Had T-Mobile analyzed the sound of our voice with artificial intelligence and sensed the trick? So we called the hotline again (again from +48AAAAAAAAA).

The consultant with whom we were connected apologized for his colleague, asked for the PUK code of the new starter and promised that the number should be transferred soon. Activation happened literally 5 minutes later (we were impressed with the service efficiency, regardless of the purpose of our test).

Let's summarize:

  1. We were able to obtain a duplicate SIM card via the hotline, verifying only with the name and PESEL number.
  2. We called the hotline from a number completely unknown to the operator, different from the number provided as an additional contact number.
  3. Although T-Mobile asks for the subscriber's password when registering the SIM card, it does not require it when obtaining a duplicate SIM card.

What about T-Mobile?

We were a bit shocked because taking over the SIM card turned out to be trivial. We asked the operator three questions.

We sent the questions on Friday, June 11th. We immediately received a call letting us know that we would get answers and that the matter would be checked, but that it would take time. We understood that perfectly. We expected a change in procedures, and a large company needs time for that. On June 15, we received the following comment, which was meant to be the answer to our questions.

We have not received any confirmation that the procedure has been changed, so we assume that it still looks the way it did a week ago. At least in the case of subscription phones, we expected this procedure to be different. Unfortunately, no one has mentioned that it is ...

Update: One of the readers found out on the hotline that the procedure should be different in the case of subscription. Here is the quote from the answer: “The replacement of the SIM card in the case of a subscription is not performed on the remote channel. You can only place an order, but the SIM card itself is only issued to the number owner.”

Why can't it be done the same way for pre-paid numbers? We don't know, we'll ask. Especially since another reader let us know that today it was possible to get a duplicate SIM card for a subscription without visiting the salon. Verification during the call was by PESEL. The card is sent to an address - and here is the reader's quote - “not even the one from the contract”. Well, at least the address is a trace.

Do any of you have a T-Mobile subscription and have recently had a duplicate SIM card made? Let us know what it was like for you. Until a few years ago (see the quote from the article below), T-Mobile also sent duplicate SIM cards by post.

For now, we have added a note at the beginning of the article about the uncertainty as to how this works for subscriptions. But for your safety, we suggest that for now you assume that, unfortunately, it is the same.

If you happen to be getting a duplicate SIM card in T-Mobile, let us know whether anything has changed. Today, after the publication of this article, and probably tomorrow, and maybe even the day after tomorrow, the operator and the helpline may be extremely sensitive to such changes. That is understandable. We'll wait, we'll see ...

What we are sure of is that the procedure for making a duplicate SIM card in T-Mobile should not look the way it does now. For example, sending an SMS to the number being transferred would be advisable. It could alert a person whose SIM card is being duplicated by someone unauthorized. Though whether anyone would even manage to read such an SMS within 5 minutes (as in our case) ...
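The checks that the summary and the SMS suggestion above call for, written as a small request evaluator; this is an added example, not T-Mobile's system and not code from the article. The field names, the `evaluate` function and the 24-hour hold before activation are assumptions made for illustration, and the sample call is constructed from the placeholders used in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Data an outsider can know or hold: it identifies a subscriber but proves nothing.
NOT_PROOF = {"first_name", "last_name", "pesel", "new_sim_serial", "new_sim_puk"}
# Secrets only the subscriber should hold (field names are assumptions).
SECRETS = {"subscriber_password", "current_sim_puk"}
HOLD = timedelta(hours=24)  # hypothetical cancellation window, not from the article

@dataclass
class DuplicateRequest:
    msisdn: str                 # number whose SIM is being replaced
    channel: str                # "hotline" or "salon"
    caller: str                 # number the request came from
    account_numbers: frozenset  # numbers the operator has on file
    verified: frozenset         # fields the consultant actually checked
    received_at: datetime

@dataclass
class Decision:
    allowed: bool
    blockers: list
    warnings: list
    sms_alert_to: Optional[str] = None
    activate_not_before: Optional[datetime] = None

def evaluate(req: DuplicateRequest) -> Decision:
    blockers, warnings = [], []
    if not req.verified & SECRETS:
        ignored = ", ".join(sorted(req.verified & NOT_PROOF))
        blockers.append(f"no secret verified (not accepted as proof: {ignored})")
    if req.channel == "hotline" and req.caller not in req.account_numbers:
        warnings.append("caller number is not on the account")
    if blockers:
        return Decision(False, blockers, warnings)
    # Approved: alert the current SIM and delay activation so the owner can object.
    return Decision(True, blockers, warnings, req.msisdn, req.received_at + HOLD)

# Constructed sample: the hotline call from the experiment, placeholders as in the text
# (+4860XXXXXXX is assumed here to be the registered starter).
ARTICLE_CALL = DuplicateRequest(
    msisdn="+4860XXXXXXX", channel="hotline", caller="+48AAAAAAAAA",
    account_numbers=frozenset({"+4860XXXXXXX", "+48ZZZZZZZZZ"}),
    verified=frozenset({"first_name", "last_name", "pesel", "new_sim_serial"}),
    received_at=datetime(2021, 6, 1, 12, 0),  # constructed timestamp
)

if __name__ == "__main__":
    print(evaluate(ARTICLE_CALL))
```

The PUK of the new starter is listed under `NOT_PROOF` because whoever bought that starter holds it, so asking for it on the second call adds no evidence about who owns the number.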

More people have cheated T-Mobile procedures

Some time ago we described the case of Wanda, whose SIM card was fraudulently obtained in T-Mobile. We recommend reading the article entitled How thieves have been robbing clients of Polish banks for amounts exceeding one hundred thousand zlotys for six months.

We also described how another person, also a T-Mobile subscriber, was robbed. In that case the thieves did not obtain a duplicate SIM card via the hotline but had his incoming calls redirected, and then, thanks to the redirection, a mobile application was connected to his account at mBank.

This does not mean, of course, that the problem of extorting a duplicate SIM card does not exist with other operators. We know of cases where fraudsters used forged ID cards or a falsified notarial declaration to deceive the operator and seize someone's SIM card.

I have a T-Mobile number - what to do, how to live?

Unfortunately, you have to think hard about whether it is worth keeping "sensitive" phone numbers at T-Mobile. It is worth recalling that it has long been possible in Poland to switch to another operator without losing the number. At least until T-Mobile announces that it has tightened the procedure (and someone verifies it).

And if you decide to stay with T-Mobile with your "sensitive" number, at least detach it from every account and institution where your data, services or money can be accessed via a code sent by SMS to this number (change it to a different number). A bank account and an e-mail box are the priority. Cryptocurrency exchanges too.

Obviously, it is not the fault of telecommunications operators that services independent of operators build their security on the (wrong) assumption that telephone numbers are not interceptable. But this is what it looks like. And maybe it's time for the operators to take it more into account?

Update 06/18/2021, 18:21: We received an additional comment from T-Mobile, in which the operator finally admits to a hole in its procedures for issuing a duplicate SIM card. Before we present it, however, let's take a moment to look at T-Mobile's communication both in chats with you and on social media. First, the story of a chat conversation with one of the readers. The "denial" phase:

There was also a "mystery" phase, in which we're safe, but they won't say why:

... And PESEL IS SECRET!!!

Fortunately, other consultants were more knowledgeable about the topic:

The T-Mobile consultant (or bot?) was also active on social media and answered like this:

Don't ask us, we don't know what it means that "the verification process is two-step." Some readers, in response to T-Mobile's tweets, joked that the first stage is "Hello, can you hear me?" and the second is "Please provide PESEL now to confirm", while others were of the opinion that the first step is to provide PESEL and the second is the date of birth ;)

Then the T-Mobile profile (bot?) changed its tactics and began to paste into its responses the same thing that Konrad Mróz from T-Mobile Polska SA sent us by e-mail:

So the procedure with holes was supposedly applied to only "some" of the clients. Which ones? T-Mobile did not answer this question. Nevertheless, we are glad that the operator made the right decision. It is a pity that it did so only under pressure from the echo of our publication. But that's what we are for. At your service.

Finally, we paste a collection of reports from Readers who, like us and Tomasz, also obtained duplicate cards, although they should not have been able to. There were also those who reported a similar problem to the operator over a year and a half ago and then found out that it was possible to force T-Mobile to change the authentication element from PESEL to a code (subscriber or PUK). It is a pity that the operator does not tell customers about it ... And an even greater pity that it is not the default option.

Unfortunately, it is not possible to require that a duplicate be issued only in person in the salon:

There were also subscribers among the readers, so we are modifying the annotation at the beginning of this article accordingly. The problem of the lack of proper customer verification also affected subscription customers.

And corporate ones:

Will it be better in T-Mobile from today? Were all consultants informed about the change of the verification procedure? We'll wait, we'll see ...

PS. And don't think that if you haven't published your PESEL number anywhere, nobody knows it. That's not true. It can be obtained from many sources using simple OSINT techniques.