T-Mobile and AT&T customers’ account PINs — passcodes meant to protect mobile accounts from being hacked — have been exposed by two different security flaws, which were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo.
Apple’s online store contained the security flaw that inadvertently exposed over 77 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers.
Apple and Asurion fixed the vulnerabilities after BuzzFeed News shared the security researchers’ findings. Apple declined to provide further comment on the record, stating only that the company is very grateful to the researchers who found the flaw. Asurion spokesperson Nicole Miller said, “Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”
A mobile account PIN is particularly sensitive information. If a hacker has access to it, they could easily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts.
SIM hijacking — where hackers forward a victim’s calls and texts to another phone — has become so prevalent that T-Mobile and AT&T sent alerts earlier this year urging customers to create new PINs to protect their accounts. (For most mobile providers, a customer’s default PIN is the same as the last four digits of their Social Security number.) In theory, a custom PIN, which is required to make changes to an account, is an extra security layer to ward off hackers.
But the discovered vulnerabilities on Apple’s and Asurion’s websites, if exploited, would render those PINs useless. They allowed bad actors to use widely available hacking software that can automate what’s called a brute-force attack, which involves repeatedly trying different numeric combinations until the correct sequence is guessed.
Apple’s online iPhone store exposed the partial Social Security number or account PIN of any T-Mobile customer to hackers. After shoppers initiate an iPhone purchase and select monthly payment installments through T-Mobile, Apple’s site takes shoppers to an authentication form that asks for their T-Mobile cell number, and the account PIN or last four digits of their Social Security number.
This page permitted unlimited entry attempts in the account PIN and Social Security number field, allowing it to be brute-forced. The flaw appeared to only affect T-Mobile accounts. On the same account validation page for other carriers (Verizon, Sprint, and AT&T), a rate limit locks access to the form for 60 minutes after five to 10 incorrect submissions, blocking hackers’ ability to brute-force it.
According to Ceraolo, the vulnerability is likely due to an engineering mistake made when connecting T-Mobile’s account validation API to Apple’s website. An API, or application programming interface, allows third parties to access customer data and validate security measures, like PINs. T-Mobile declined to comment on this specific vulnerability, but did point to a recent post on its website detailing a separate incident, which involved unauthorized access to customers’ personal information, including account number, email address, phone number, name, and billing zip code.
In a different vulnerability, the account PINs of AT&T customers who purchased phone insurance through Asurion were left vulnerable. Neither Asurion nor AT&T specified exactly how many customers were affected. Asurion, which has over 300 million customers, partners with nearly every major cell carrier to provide insurance for lost, damaged, or stolen phones.
On an Asurion webpage where customers can file claims, hackers with knowledge of an AT&T customer’s wireless number could gain access to another form that asked for the account holder’s four- to eight-digit passcode. This form has no limit on tries, so it was brute-forceable. According to Ceraolo, most PINs are four digits and “can be brute-forced in a reasonable time frame.”
The same form for requesting account PINs for other carriers had a rate limit, which protected it from brute force attacks.
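The lockout described on the other carriers’ forms (a 60-minute lock after five to 10 wrong entries) can be sketched as follows. This is an added example, not code from Apple, Asurion or any carrier; the five-attempt threshold, the per-phone-number keying, and all names and sample values are assumptions.

```python
import hmac
import math


class PinAttemptLimiter:
    """Per-account lockout for a PIN validation form.

    Assumed policy: 5 wrong PINs lock the form for 60 minutes.
    State is keyed by the target phone number, not by client IP or
    session, so switching clients does not reset the counter.
    """

    def __init__(self, max_failures=5, lockout_seconds=60 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # phone number -> wrong PINs since last reset
        self._locked_until = {}  # phone number -> unlock time (epoch seconds)

    def check(self, phone, submitted_pin, real_pin, now):
        """Return 'locked', 'ok' or 'wrong' for one submission."""
        if now < self._locked_until.get(phone, 0):
            return "locked"      # refuse without evaluating the PIN at all
        if hmac.compare_digest(submitted_pin, real_pin):
            self._failures.pop(phone, None)
            return "ok"
        count = self._failures.get(phone, 0) + 1
        if count >= self.max_failures:
            self._locked_until[phone] = now + self.lockout_seconds
            count = 0
        self._failures[phone] = count
        return "wrong"


def lockout_days(pin_digits, max_failures=5, lockout_seconds=3600):
    """Upper bound, in days, on the lockout time accrued while
    every PIN of the given length is tried under this policy."""
    keyspace = 10 ** pin_digits
    lockouts = math.ceil(keyspace / max_failures)
    return lockouts * lockout_seconds / 86400
```

With these assumed settings, covering every four-digit PIN would accrue roughly 83 days of lockout, and every added digit multiplies that by ten, which is why both the rate limit and a longer PIN matter.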
In a statement, AT&T spokesperson Jim Greer said, “In addition to the multiple layers of security we have in place to help protect our customers, we will continue to work with Asurion to investigate this. We will take any additional action that may be appropriate.”
Increasingly, websites use mobile phone numbers to help verify that you are who you say you are — and when that phone number is compromised, it often means that your digital life is too. If hackers hijack your phone number, they have access to virtually any online account that can be reset by SMS or protected by SMS-based two-factor authentication.
With your account PIN in hand, Ceraolo said, “Hackers can social engineer customer support, and commit SIM swap fraud to steal Bitcoin or [someone’s] other financials, such as their bank account.”
Hackers are increasingly targeting cryptocurrency investors with this method. A college student from Boston recently stole $5 million from cryptocurrency investors by using this SIM hijacking technique, which involves calling a carrier, using the victim’s personal information (like a PIN) to trick a customer service representative, and transferring the victim’s calls and texts to another SIM card. One AT&T customer is suing the company for fraud after losing millions of dollars worth of cryptocurrency as the result of a separate SIM swapping attack. And a California-based hacker was even able to purchase a $200,000 luxury car with his SIM swap spoils.
Co-opted phone numbers can also mean losing your Instagram account. The social media app allows users to reset their password with a link texted to their phones. SIM swap fraud is also what allowed hackers to access activist DeRay Mckesson’s Twitter account, which can be reset via SMS.
Despite these vulnerabilities, having a mobile account PIN is still a good second line of defense against hackers. The longer the passcode, the better, because it makes it harder to brute force. Just remember to update your cell provider PIN every year or so, and, if you have multiple accounts that require PINs, make sure they’re unique. Don’t reuse them.
But, where possible, avoid SMS-based authentication altogether, and try an app like Authy (for iOS and Android) or Google Authenticator (for iOS and Android) instead. Your Google, Facebook, Amazon, Dropbox, and Twitter accounts can all be set up to work with authenticator apps, which aren’t vulnerable to being hacked via SIM hijacking.
This article has been updated with the current number of T-Mobile customers: 77 million.