T-Mobile Hack

For at least seven months last year, a hacker had access to T-Mobile's customer network. He's known to have accessed information belonging to 400 customers -- names, Social Security numbers, voicemail messages, SMS messages, photos -- and probably had the ability to access data belonging to any of T-Mobile's 16.3 million U.S. customers. But in its fervor to report on the security of cell phones, and T-Mobile in particular, the media missed the most important point of the story: The security of much of our data is not under our control.

This is new. A dozen years ago, if someone wanted to look through your mail, they would have to break into your house. Now they can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your house; now it's on a computer owned by a telephone company. Your financial data is on Websites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.

We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as that data is held by others. The police need a warrant to read the e-mail on your computer; but they don't need one to read it off the backup tapes at your ISP. According to the Supreme Court, that's not a search as defined by the 4th Amendment.

This isn't a technology problem, it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant -- even though it occurred at the phone company switching office -- the Supreme Court must recognize that reading e-mail at an ISP is no different.


This essay appeared in eWeek.

Posted on February 14, 2005 at 4:26 PM • 29 Comments

Comments

Israel TorresFebruary 14, 2005 4:33 PM

Information not only "wants" to be free, it will be free.

For example in this "security-elevated world I have recently seen an unnamed phone vendor taking its customer registration at a local mall and just tossing the triplicate carbon forms in a plain old trash can. No shredding, nothing to stop anyone passing by to pick up the bag filled with SSNs, mobile numbers, credit card info, home info, photocopies of CDLs... nothing.

Information will is free, and if it isn't it will be.

Israel Torres

Joe HuffmanFebruary 14, 2005 6:54 PM

So what's your opinion on web logs and the search strings people use to find web pages? Should those be considered private? I have people access my website with google search strings like: "how+to+make+a+bomb+to+blow+up+a+school" and "I+want+to+bomb+America+can+somebody+help". Should those people have a reasonable expectation that knowledge of their browsing on my site will not make it to law enforcement?

See also some of my blog postings as I struggle with what to do:

http://blog.joehuffman.org/archive/2004/12/26/702.aspx
http://blog.joehuffman.org/archive/2005/01/08/805.aspx
http://blog.joehuffman.org/archive/2005/01/18/965.aspx

And finally, my solution:

http://blog.joehuffman.org/archive/2005/01/19/981.aspx

Which turns out to be unpopular with some people.

Davi OttenheimerFebruary 14, 2005 8:10 PM

@Joe
Good point. This is important news but not exactly "new" since it has been the subject of intense debate for at least the past five years and especially following the expansion of government powers for search/seizure via the Patriot Act. Bruce, I believe we even discussed it on your blog regarding Carnivore since the new laws seem to mean that if data is stored for even a milisecond on a system, then anyone with access to that system (presumably anyone with wiretap authority) can monitor it.

Perhaps most disturbing of all are the new "download accelerator" companies. If you install their software, they actually redirect all your traffic through their systems so they can actively track your behavior and cache your passwords. Read the User License Agreements. I think you would be (rightfully) disgusted that people are unwittingly (who actually reads the ULA?) sacrificing their own privacy, including financial passwords and sensitive identity information, to slick marketing companies.

When will we really define a "bad guy" on the Internet such that users have protection? Spammers and spyware companies still claim they are doing legit business.

Davi OttenheimerFebruary 14, 2005 8:13 PM

@Bruce
Sorry, I see what you mean by "new" now. I missed your reference to eWeek.

Rich WilsonFebruary 14, 2005 10:32 PM

When I first heard about this a couple of months back, the cracker claimed to have accessed cellphone camera photos taken by celebrities.

Not that their privacy is any more important than ours, but being Demi Moore or Paris Hilton makes them more desirable targets.

Davi OttenheimerFebruary 14, 2005 10:44 PM

Hmmm. All quiet on this topic...sorry for posting three times in a row (bad form, I know) but this just seems like a convenient continuation of where we left off discussing Cyveillance and Carnivore over the past few weeks.

On that note, I think California Senate Bill 1386 is showing how government regulation that can make a difference with regard to our data:
http://www.msnbc.msn.com/id/6969799/

To make a long story short, forget about high-tech security when the very basic stuff is completely broken. The article says "about 50 fake companies had been set up and then registered with ChoicePoint to access consumer data."

It is now a crime that consumer information is so exposed by companies, but just as troubling is the fact (similar to T-Mobile) that "ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed".

Again, SB1386 is invaluable in helping consumers fight careless data warehousing and identity theft. The market is not quick enough to drive companies to setup controls to authorize, authenticate, and account for access. Consumers must turn to the government to help weigh in on their behalf.

And finally, I do not know how you could call this a purely legal issue, since the solution requires consideration of the current availability of technology that qualifies as "reasonable" precautions.

Without technical details of a solution available, or even possible, the law becomes toothless. I mean, can you actually have the Supreme Court decide what constitutes "reading email at an ISP" without any discussion of even the high-level technical issues regarding present-day data routing?

Thanks for pushing on the legal aspects though. We need more of that, for sure. Governments need to seriously consider rapidly adopting and clarifying personal identity information laws (e.g. SB1386 and AB1950) as well as privacy/wiretap protection based on technical details such as "reasonable" information security practices.

Davi OttenheimerFebruary 14, 2005 11:08 PM

@Rich
The entire T-Mobile system was compromised for many months (March to October of 2003). The reporters claimed that everything, including sensitive data, was exposed.

It is vital to not forget that the incident was discovered during a broad Secret Service investigation called "Operation Firewall," directed at closing down criminal groups such as Shadowcrew, Carderplanet and Darkprofits.

So, although celebrity pictures might have been an incidental target, it appears that the personal financial harm and national security issues actually drove the Secret Service to investigate . They were trying to quickly resolve leaks that exposed identity information and official documents with highly sensitive information.

Back to my point above, I think this is as much a technical issue as a legal one and neither one will do much good on its own without the other.

FredFebruary 15, 2005 8:31 AM

And how about only California having a law on the books forcing companies to disclose any of this intrusions. It just happens that only people in California need be notified. Everyone else has no right to know. I kindda like the European model for personal information a bit better.

arendtFebruary 15, 2005 1:30 PM

It's odd, but this is a problem I've solved by:
a. not owning a cellular phone
b. refusing to purchase items online (send them a check-would an extra day kill you?)
c. retaining a tape recording answering machine.
d. not using online banking.
e. never using my social security number as identification.

maikenFebruary 15, 2005 2:28 PM

The author claims that "This isn't a technology problem, it's a legal problem", and urges the court to protect our private data even when it's held by others.

It would certainly be wise for the courts to legally protect private data stored with third parties, but there can also be a technological solution to at least a subset of the problem.

For situations where ISPs or other data carriers are acting only as conduits and repositories for your private data (e.g., email, voicemail, file storage, etc), there is no good reason why the entity storing the data should be able to read it. End-to-end encryption of email, and encryption of stored files, can make it useless to swipe data from ISP storage.

Of course, encryption can't solve the problem of "generated data", where purchase habits and history are created through your interaction with a vendor, or the safety of private data legitimately held by a company, for, say billing purposes. However, in the less-IT-laden past, there were also no protections for data of this sort that could be collected by other people. (Although, in fairness, it has now become vastly easier to collect this data, and vastly easier for it to be compromised on a large scale).

Go forth and encrypt your email!

pigletFebruary 16, 2005 11:06 AM

Agree with arendt, except for the online banking - I am reasonably satisfied with the banks with which I'm doing business. My least protected data are probably my email. maiken makes a good point - ISPs could and should employ encryption to protect customers' data. It's a pity, by the way, so few people are using PGP.

QuadroFebruary 16, 2005 7:16 PM

There is a way to own a cell phone without compromising your privacy. In the US at least, there are several prepaid mobile providers, which do not require any personal information. If you buy the phone and the minutes in cash, it should be pretty untraceable. Of course, don't discuss anything sensitive, as it is still on the air.

And you can use either a digital or tape answering machine as long as it's in your home. Unless and until they come up with a way to hack digital answering machines.

Trunks4191February 22, 2005 9:22 AM

Anyone check msnbc.com... Someone hacked into Paris Hilton and Vin Diesel's T-Mobile accounts. Thank God I have Verizon.

Andrew McGuinnessFebruary 22, 2005 10:05 AM

You write:
"We should be able to control our own data, regardless of where it is stored"

But you don't distinguish between "your data" and "data about you".

My webmail inbox is my data, stored on my behalf by a service provider I engaged to do the job. If the police need a warrant to open my safe deposit box in my bank, then logically they should need one to see my email.

Account history at Amazon, say, is Amazon's data. It concerns me, and there are legitimate questions as to how it can be distributed or used without my permission, but to my mind it is not the same situation as my data which happens to be stored outside my home.


captian stubingFebruary 23, 2005 4:50 PM

in reply to:
t's odd, but this is a problem I've solved by:
a. not owning a cellular phone
b. refusing to purchase items online (send them a check-would an extra day kill you?)
c. retaining a tape recording answering machine.
d. not using online banking.
e. never using my social security number as identification.


a. what, you use pay phones? great. im sure whatever disease you catch from one will be fun.
b. have fun when someone steals that check from the mailbox, spanky... 'cause check fraud is still the #1 form of identity theft in the world.
c. um. no comment, other than most tape recording answering machines use one of 12 different 3 digit passwords to be listened to remotely.
d. have fun when someone sticks a rusty steak knife in your ribs at the corner ATM while you're trying to do a transfer to cover the money jacked from you when some dude stole your check.
e. who the fuck does? but no matter... any idea how easy it is to get the SSN of someone? own property? oh, guess what? it's amazing how much info you can get from a simple trip to the public records office.

way to go, sport... by sticking in the archiac times, you're not only just as easy of a target... you're not enjoying the modern conveniences...

HeatherFebruary 23, 2005 8:04 PM

I believe I was a victim. I've been through 3 T Mobile phones, 2 SIM Cards, local engineers to visit Houston, 50% dropped call rate, pictures altered, and endless customer service calls.
Last week, I talked to 38 T-Mobile Mgrs who could not explain why this was happening and suggested a new carrier. I explained it was if someone tapped into my phone, jammed up my line. Anyone have advice on who (besides t mobile) I can report this to?
Heather

QuadroMarch 3, 2005 11:49 PM

Forgot to mention, be sure to disable remote access to your answering machine. They're remarkably easy to break into.

PS: Is it just me who's having trouble posting comments?

christinaOctober 25, 2006 6:46 PM

Anything that seems possible these days, is actually becomming possible. Sorry to break it to you all but I don't think that fraud and internet googling to find answers to free supliences, and things we have to pay for, it will not be stopped. As the saying goes, "Where theres a will, there is a way" I believe that is true. Criminals, hackers, any one who actually can access a computer with the internet has any chance to be unlocking codes and stealing rights off mobiles, credit cards, pretty much anything. This cannot be stopped. Thats just my point of view anyway.

-15 yrs old, australia.

raj kumarAugust 31, 2007 11:56 PM

it is quiet knowledgeble to know about hacking,I just want to know that my mobile balance is automatically decreased is it somekind of hacking and if yes how can i protect my mobile?

ashish gauravSeptember 28, 2007 8:12 AM

How can one use(spend balance) of others without using others mobile? i.e. How to talk with one sim & using the balance of other sim?

HamiJune 26, 2008 9:30 PM

It is very intersting to know things about hacking, I know hacking is possible but I wana do it myself.. is there anyway to hack Ipohone? or Bluthooth of any mobile? if you know any good site about hacking plz tell me here...

Mr_mmobJune 27, 2009 10:10 PM

I was a victim of this hacking. There is no doubt about it as an ex girlfriend got a phone number to a new girlfriend that was not written anywhere except tmobile records. I exhausted every other possibility. Where can I go to participate in an investigation about it? Can I help bring the information thief to justice?

Mr_mmobJune 27, 2009 10:19 PM

Oh one other thing...I password protected my account. Next time I called, they asked for my password. But the time after that, they did not ask for it and the verbal password had been disabled. They told me it was a computer glitch after spending a half hour trying to convince me it had never been password protected in the first place. Also my web password had been tampered with and cs could not even change it back. Major weird. I would like to end my contract and go elsewhere but can't. Lunatic ex stalking me for no good reason.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..