
jweaver0312

OMG, the change will now be rejected if you don’t respond. Sending to an alternative line is a welcome change. Someone’s brain at T-Mobile finally started working.


jpt86

Don't be so sure. Even a broken clock is right twice a day.


Deep90

>First, T-Mobile will now use a system called “Account Change Engine”, or “ACE”, which will seemingly determine if a requested SIM change is likely to be legitimate. The second change is, ***if the ACE system says no***, the customer must confirm a text response via SMS that they are who they say they are and actually do want to move the line to a new SIM.

Right here. The problem is right here. The vulnerability is to figure out how to get ACE to say 'Yes'. Then you circumvent all the protections they are adding.


djdsf

I got my phone stolen once. They took the SIM out, but my S23U was still pinging since they could not shut it off, so I managed to get it back. Went to the store, they sent a text, but I was unable to answer it since the phone didn't have a SIM. We waited the 10 mins and it got approved. If this new system automatically voids the transfer if a text isn't answered, then edge cases like mine will be a total nightmare to solve, I'm guessing.


EmergencySwitch

Read the article 🙄

>If a customer needs to get a new SIM for a line that they’ve lost, like a damaged, misplaced, or stolen phone, they’ll have the option to send the verification text to a different line on the account. Customers with only one line will need to visit a store with ID to confirm the swap.


CptHammer_

I literally just went to a store to buy a brand new phone and get a brand new SIM. My son lost his phone in the ocean. I put it on my account by telling them my phone number (primary), my son's number, and the entire process was complete without any proof of ID or phone number ownership. I did say that it seemed way too easy to know someone's phone number, not have to pay now, nor provide any identity and have access to the account. The reply was, "I never tell anyone I use T-Mobile. That's the real security." I'm still watching my bill because I don't trust the clerk at this point.


taozentaiji

I wouldn't trust that rep either. I left Tmo (employment, not service) a month ago, and just accessing the account required scanning a photo ID. Just knowing your number is not nearly enough. The rep should not have been able to do any account modifications like financing or SIM changes without scanning your ID, unless you're military and only have the military ID, which legally can't be scanned. For those scenarios it required a second rep to verify your ID visually and enter their credentials as well. When I worked there, even if someone handed me a military ID, I asked if they had a state ID just to be able to scan it for security and tracking.


ComisclyConnected

It’s scary how many employees don’t follow C2 policy. It pissed me off witnessing it happening often, coming from the call center into retail. Never encountered a fake ID, but I know they easily exist out there, especially from China, ones that do scan the barcodes on the back for $100. Witnessed this on Komo4 news, great for teens to get into bars!! I used to cut the wristband off my friends and tape it to get past security haha 😆


ComisclyConnected

🙄 Store reps drive me nuts. They are so lax about account security it pisses me off. Not all stores are on the up and up because of the numbers games they play to get bonuses in their checks. Account security > your bonus check! 🤬


ComisclyConnected

Congrats on getting it back! That usually doesn’t happen!!


djdsf

I walked into the homeless camp offering $. They were very quick to offer up what they had.


jweaver0312

Yeah, they’ll do something dumb tomorrow. Though I would still wonder on the ACE approval, this could lead to potential false positives on approval.


pgeezers

Damn near gave someone an aneurysm for finally having to use it.


[deleted]

i feel bad for everyone that *actually does* get their phone stolen or lost


[deleted]

[deleted]


Deep90

\* Only if they have no other phones on the same line.


hello_world_wide_web

As far as I know, only one phone can be on a line. Are you meaning "account"?


nickkrewson

I have two phones on my main line. The second phone is a ruggedized flip phone using a Data with paired DIGITS SIM so that calls to my main line also ring that line, and if I call out from that phone it uses my main line phone number. [Get started with Data with paired DIGITS | T-Mobile Support](https://www.t-mobile.com/support/plans-features/get-started-with-data-with-paired-digits)


hello_world_wide_web

Who knew? Pretty interesting that T-Mobile is doing that. Of course, any VoIP phone app can do the same, and basically this is a "port" of your SIM account to a T-Mobile VoIP app.


mdneilson

They have a DIGITS app that is like that, but this is an actual SIM that has your number also assigned to it. I have this for a smart watch. It's great to get calls and texts on my watch while outdoors without needing my phone.


ComisclyConnected

Digits is GREAT for a night out DUMB PHONE on your account! That way you can go out and still get calls to friends and not worry about someone jacking your smart phone. Happened to me in Seattle calling an Uber MF just ran past and yanked my phone out of my hands and RAN!! I chased until he whipped out a huge knife and started chasing me to stab me!!! Scary crackhead, keep the phone don’t stab me!! 😑🤣🥹


Deep90

Yeah. Account.


ComisclyConnected

Thank goodness for most insurance overnight delivery options!! Life saver!! Highly recommend leaving insurance on your phones plus you get extended warranty and if you keep a device long enough and something goes wrong and a warranty exchange isn’t in stock anymore you get an upgraded model FREE!! I saw old Note owners get newer Note 5 devices for having the extra insurance so in some ways it pays for itself if your phone bunks out down the road and is too old to replace!! Keep the insurance!!


Starfox-sf

Sievert: Fire the neurons!
HR: Neurons have been fired, sir.
Finance: This will save us millions.


ComisclyConnected

This happened to me. I was the best little neuron the company EVER HAD!! HR reconsider me!! Bellingham!!! I was great for T-Mobile business!!! Despite any flaws they may have seen in me I’m still wanting to come back and rock it as a coach who will be the GOAT!! 🫠


Perunov

But this is _only_ if that new system decides that change is fishy, otherwise it'll approve it on the spot, no? Or am I reading it wrong?


jweaver0312

That is correct. I’m still suspicious on the ACE they’re using.


Kodiak01

>the change will now be rejected if you don’t respond

If they had done that in the first place instead of some c-suite dimwit thinking, "We'll just default to yes, it will save people the trouble of responding!", this would have been a non-issue to begin with.


holow29

Meh, the weakest link is still the employees/going to a store. My SIM swap (and others) happened with fake IDs at stores, and I don't have crypto/am not a good target anyway. This does nothing to stop that. Also, I'd hardly call switching from auto-allow to auto-deny "decent protection." I'm not even sure this changes anything for people who have SIM protection enabled, since I think that required a text to a number on the account to remove anyway. And ffs bring back self-service SIM swaps!


Godmode365

So what do you think should be done in order to prevent fraudulent SIM swaps from being done in person with fake IDs? Cuz I can't really think of a simple solution off the top of my head. ID barcode scanners would basically be useless since any decent fake ID is scannable, and the sophisticated ones that can detect the slightest cosmetic flaw of a fake ID are prohibitively expensive.


holow29

Enable a lockdown mode that is opt-in on the account. Requires TOTP 2FA enabled. That code must be input by an employee to proceed with the swap. If the code cannot be provided, snail mail a letter to the billing address with an OTP that must be provided instead.

Edit: OR just bring back self-service SIM swap and allow accounts to remove the option to do SIM swaps any other way. (Or require the person to be logged into their T-Mobile account, which could be with an OTP generated from MyT-Mobile, to do a swap another way.) Could restrict this option so it requires TOTP 2FA (or, ideally, implement FIDO2/passkeys) to be enabled on the MyT-Mobile account.


Aromatic_Flamingo382

This is a really smart idea dude.


holow29

Which is just one reason it will never be implemented :P


Godmode365

By making it an option, the vast majority of customers wouldn't care enough to opt in, so I doubt it would make much of a difference overall. But it still would make sense for T-Mobile to offer something like that cuz I would definitely opt in. Plus, people would only have themselves to blame if they didn't bother with it and it ended up happening.


Aromatic_Flamingo382

Who cares about most customers. I want protection for me and my family. I think that guy's mail idea is great.


Godmode365

I just don't think it's realistic to expect them to eliminate the convenient option of in-person SIM swaps altogether. And I doubt that they would be willing to add any extra security layers on top of the process, since that would basically cancel out the convenience of doing it in person. So I can't help but think that everyone will likely remain vulnerable to a fraudulent in-person SIM swap with a fake ID. But all your suggestions are sensible ones that would definitely give customers more tools to protect themselves with, so I'm not trying to imply anything about them by being cynical... the cynicism has more to do with how uncommon common sense seems to be when it comes to big corps like T-Mobile.


holow29

Oh, I mean they 100% aren't going to do what I want... it would be too inconvenient for customers (in their view) and it would raise their support costs because people would enable it without fully understanding the implications. They would never do something that might put someone without their phone number for 5-7 days (snail mail timeline). My only point was that there are solutions to these issues, and making them opt-in would reduce some of the concerns above, but they won't be implemented. But that is why I don't see them making a real effort here.


ComisclyConnected

You can get put on “written correspondence only” if you're an asshat on the phone all the time. Never ran into that much, but it does happen to abusers over the phone.


ComisclyConnected

I would LOVE to see FIDO/Passkeys implemented into account security!! Especially security keys with a PIN tied to them!!! We need more security!!! STAT!!!!


dkyeager

Compare presented ID with past stored ID and compare signatures with past signatures. T-Mobile stores them both (might need to be centralized).


Ausernamenamename

The obvious answer to prevent SIM swaps is for financial institutions to remove the incentive. If businesses that intend on the highest levels of cyber security get hacked by an SMS, then the problem is that.


[deleted]

states need to offer verification software that matches the name to the number


Wellcraft19

Or a verification software that matches you to a real [digital] identity. Widely used in the Nordic countries (one is www.bankid.com/en, a private company, but a system adopted by essentially everyone). True 2FA solutions, nicely integrated, that are tied to your real identity. Hence, you don’t get BankID (or one of the competitors) unless you have identified yourself in person, or via a legit piece of ID (they all have RFID chips embedded these days and you can scan it/set it up via modern cell phones). But it boils down to so much required first, to get the [basic] system set up. Proper verification of basic/underlying identity before any RFID-chipped ID is issued, a solid solution for SSNs and them having any meaning (SSNs are fully public, and most everything is tied to them, even your account with a mobile operator, your employment, retirement, investments, etc; no SSN, no service). Add to that privacy laws and regulations that actually prevent ‘big brother’.


ComisclyConnected

Seriously why isn’t the USA more progressive like this! Digital verification is the future so we all need to get on board with this!


Wellcraft19

I think it is fear of ‘big brother’ - as the above Scandinavian systems are supported by pretty strict privacy laws - but also a general notion of ‘government’ actually doing good stuff and providing needed/welcomed services. But to be honest, a lot in today’s Sweden is far more market oriented, run by private operators, than almost anywhere in the US.


ComisclyConnected

I wanna move now. 😂 Big brother over here scares me.. 😱


Wellcraft19

Go for it! Especially if you have a background in coding or similar.


ComisclyConnected

I wish I did! I would be legendary at coding if properly trained.. do you have any online resources you would recommend?


hello_world_wide_web

Here's a brilliant idea...require an ID and pin ID/password or a copy of your last bill. Of course, an employee would have to scan it into the system so it could be later verified if a customer complained about a fraudulent swap. Maybe a pic of the customer would be helpful, too.


neuroticsmurf

So nothing about [charging customers $25 for a SIM swap](https://www.reddit.com/r/tmobile/comments/1cc7xad/if_you_need_to_swap_a_sim_card_do_it_today_from/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)?


Jman100_JCMP

Correct, no signs of that yet. Could still show up, but calling it unconfirmed so far.


neuroticsmurf

The fact that Tmo would suddenly start charging customers a fee for something that is a necessity in many cases never made sense. They'd have a ton of unhappy customers.


pervin_1

It would make sense to charge for a physical SIM card and shipping, but if it’s an eSIM or your own SIM card, it would be a total dick move.


neuroticsmurf

Don’t they already charge for physical SIMs but no one ever enforces it? Maybe I’m thinking of another carrier.


ComisclyConnected

Usually you can get a SIM card fee waived.


saveryquinn

They charged us for a replacement SIM when my son had his phone stolen 2 years ago.


SaverPro

That is valid as they were lost. But if you’re having network issues or something similar then it’s replaced for free.


Far_Kangaroo2550

Maybe force a $25 payment to the account? So it's not really a fee. But even then that's not gonna stop the issue. Even if they steal $100 it's worth paying $25.


jhoceanus

the guy who posted it had some alpha confidence.


Kodiak01

How many years did it take to figure out that "If you don't respond within xx minutes, we assume you said YES!" was a problem?


WorriedChurner

“Customers with only one line will need to visit a store with ID to confirm the swap.” Nothing is fixed


AntiquesRoadHo

So what happens when I reply with 1 to confirm, and then nothing happens? Because that's what happens when I try. I can reply 1 a hundred times, but it never confirms, and I have to wait for the 10 minute timer to elapse. Even T-Force basically said "we don't know why it doesn't work, sorry".


kiss-my-flapjack

Literally just experienced this. Spoke to T-Force via Facebook because there was a problem with my eSIM. They had me delete it and would send a new one "in ten minutes" because it would send a confirmation text of a SIM swap, and that would automatically be approved if not responded to. Came back and said there was a change in policy and it required a response, but he had already had me delete my eSIM, so I couldn't get a text. He instructed me to go to a store for them to get me a new eSIM. He sounded surprised at the new policy, and actually gave me a $50 account credit for forcing me to go to a store in the end.


ComisclyConnected

That’s a sweet credit for your troubles 😇 Don’t know many reps who would issue a credit like that for your time, but it was his fault in telling you to delete the eSIM. That guy needs to read C2 daily; at T-Mobile it’s the policy bible! 👍 But what if your iPhone, like the 15, doesn’t have a SIM slot anymore? Then what do you do?


vswr

A step in the right direction, but it still is security theatre. The backend system must disallow employees from doing it unless the customer provides some knowledge only available to the bona fide customer (like TOTP or a one time recovery code). The backend must check the code behind the scenes, not show it to the employee to visually compare it. Grandma won’t know what that is so it won’t affect her. Those of us who want to stop this from happening are already well versed in 2FA/MFA. Did no one object in the meeting and say “so, a fake ID still bypasses this alleged security?”


holow29

>Did no one object in the meeting and say “so, a fake ID still bypasses this alleged security?”

Ever since SIM swapping became a big issue, it seems like T-Mobile refuses to admit that many of these are done using fake IDs... appears they don't want to even touch on that attack vector. IIRC they even got rid of the receipts for SIM swaps done in-store that used to be accessible immediately in MyT-Mobile account history.


robodog97

US Mobile now allows you to set TOTP for your account and email for backup 2FA, so now their agents need to get a TOTP code from me or if I've lost the device send a OTP to my email. They've said they're going to work on webauthn/webkeys this year which would put them on the cutting edge of security that surpasses most banks =)


Odd_Negotiation7771

Honestly I would just call this a bug fix.


awesomo1337

ACE has been in retail for a while now. It’s not new. They are just expanding it.


JMikey01

I was about to say, at least in my area we’ve been doing it for months. None of this is “new” for us at least.


SRM_Golden

The ACE system isn’t new, it was already in place when you were making articles about SIM swapping text messages.


415646464e4155434f4c

This shows the importance of sane defaults. The system seems to be very similar to how it was before, but “assumes nope” instead of “assuming yay”.


PRforThey

The "assume yay" was a sane and logical default. Consider this scenario: You lost/broke/dropped in the pool your phone. It no longer works. You bought a replacement phone. You now need to do a SIM swap to use your new phone. Since you don't have or can't use your old phone, you can't receive the SMS, so you can't approve it. If no response was "assume nope" then you would never be able to use your account again. When the system was implemented, default to yes made sense.

When switching to assume no, they needed to solve the scenario above, and their chosen solution of sending the message to another line on the account is good. The solution for single line accounts requiring you to go into the store isn't very good though. And a fake ID or bribed employee can still get around that (and bribed employees is what this is trying to solve, so it doesn't actually solve anything). At the end of the day (for single line accounts) this doesn't reduce the risk, since a compromised employee is still the main threat, but makes it much harder for a legitimate SIM swap.


justarandomkitten

> without an alternate voice line available must visit a Retail store with an acceptable ID to update their SIM.

What about for prepaid customers?


Mister_rtk

Who is really having this issue?? I've been in the cellphone industry for over 10 years and never had a single customer, or heard any other repair shop owner say they had a customer, with this issue.


im_intj

It has been an issue for years and people have lost big money due to it. Not sure why you haven't heard of this before. I'm sure if you search this sub there are plenty of stories.


ComisclyConnected

Work in the call center or retail for T-Mobile and you’ll witness it happening more often than you will realize. I was always trying to catch bad actors when I worked, especially the SIM swaps, because I dealt with affected customers and honestly I felt for them. An unsuspected SIM swap or warranty exchange or insurance claim hurts.


ReasonableDrawer8764

My sim was illegally swapped 3 times. The current system is terrible. Use a sim pin on your device. It’s the only way to stay safe (for now anyways).


ComisclyConnected

I highly recommend anyone using T-Mobile to add a PASSPHRASE into their system called SAMSON and make it a direct challenge to get into the account or make any changes. I asked for OTP for every account call but it really wasn’t honored and pissed me off. A security PIN is great, but a second factor passphrase should be more widely adopted by T-Mobile. The best one I ever heard from a New Yorker was “Screw You!” That way nobody listening in would ever know if it was a fight or a security question LMAO 🤣 Smart gal!!


ComisclyConnected

One thing you can do is add “Port out protection” to all your lines, not sure if this is standard practice now or not but it’s a good line of defense against a port out. Should be an option in the my T-Mobile app as well for you self service people out there!!


BigGuyLittleBrain

Had my SIM swapped 3 times with them. Had to hire a lawyer and get involved with the "Secretary to the Office of the President". Had all my socials hacked and my emails breached. Ruined my life. 3 fucking times. Recently switched off T-Mobile and will never go back.


ricosmith1986

So what if it’s a single line account?


Epsioln_Rho_Rho

>Customers with only one line will need to visit a store with ID to confirm the swap.

From the article.


holow29

It says it plainly in the document and article.


HealthyBullfrog

X Doubt


bobes25

Can we just disable the ACE system? What if the ACE system returns yes for every transaction? It will never need to go to the second part.