5 comments

[ 0.22 ms ] story [ 18.0 ms ] thread
> if I didn’t reply in the negative within 10 minutes, the transfer would go through by default!

How can such bullshit even be real?

The system was probably designed with narrow requirements where the goal was to deal with lost phones or SIM cards. I assume people want their service back instantly.

They should at least have an opt-in for better security.

For example, let the transfer happen after an affirmative response to a text message because it demonstrates the requestor is already in control of the SIM. If an affirmative response isn't possible, disable service to the phone for 24 hours and then approve the transfer. That way people get 24h to notice the issue and figure out what's going on if a bad actor tries to perform a SIM swap on them.

If I had the choice between losing service to my phone for a full week or getting SIM swapped, I'd choose the former because the latter would have such a huge impact if the attacker starting recovering accounts via SMS.

Recently had a nightmare interaction with T-Mobile and they actually wouldn’t take any form of alternate identification if I didn’t have my pin - sounds good but no, wild inconsistencies in policies cause the reps to not know what to do like the author found: only locking ports and not locking the sim.

And in my cause I had no pin on THAT account because it was set up the day before and the store reps did not set up a pin when I was in. And I had another linked account but despite being a linked account under my name just like the new account, the linked accounts pin was not acceptable for id. Neither could they send the linked account an otp and the new account wasn’t functional.

The whole reason I got into that Byzantine mess, was trying to set up a cellular watch when my phone is on a prepaid plan because I save $35/month but have all needed features. All major carriers arbitrarily restrict watches to post paid account, and despite what the original rep said, cannot be on a standalone post paid account.

Some tmobile companies use your birthday backwards as a default pin. Eg : 19900101
I had tmobile for one month and my SSN got leaked as part of one of their breaches. The reps at the store also sold me additional products I had to cancel later that I did not want.

I ported my number to Google Voice and no longer have to worry about crap like this. Tmobile is pure garbage.At least tmobile America, maybe tmobile Germany is much better.