Some interesting stuff I apparently didn't notice the first time in updates to AT&T's terms of service, which you agreed to by continuing to use AT&T. This language is designed to insulate AT&T from liability in the event someone SIM swaps your phone number and uses that to steal your identity, crypto, etc. There's quite a bit of ongoing litigation about this very subject.

https://www.att.com/legal/terms.consumerServiceAgreement.html

"AT&T is not responsible for losses incurred as a result of your or a third-party’s use of your AT&T wireless number or other AT&T Service as a source of authentication or verification in connection with any social media, email, financial, cryptocurrency or other account;"

....."To the greatest extent permitted by law, AT&T is not liable to you for any damages of any kind resulting in any way from:

the installation, maintenance, removal, or technical support of AT&T Services, even if the damage results from the ordinary negligence of our installer or other representative;
any unauthorized access to your AT&T Accounts or AT&T Services (including the use of your AT&T Accounts or AT&T Services to access a third-party account), even if the unauthorized access was the result of ordinary negligence by an AT&T employee, representative, agent, or any person or entity purporting to act on AT&T’s behalf;"

Whew, that's some heavy stuff. Meanwhile, please enjoy this latest SIM-swap rap. h/t @nixonnixoff
https://www.youtube.com/watch?v=C8CumdZhPIw


@briankrebs look I'm not a giant telco, but the solution to this is easy. Build safeguards that protect against sim swapping, then you don't have to change your ToS.
@olikami @briankrebs eSIM is that technology, no? At this point the carriers should force its adoption.
@janakj @briankrebs sim swap is mostly activating your sim card on someone else's number.

@olikami @briankrebs Yep, I looked it up after the earlier response. TIL!

(There are definitely best practices around having a PIN for physical SIM to deal with the theft use case, but I’d agree that’s a bit more marginal of a vulnerability than outright taking over the phone number.)

@briankrebs it’s far past time we started holding makers of electronics and software products liable for the security of said products. The data apocalypse currently evidenced by things like Cambridge Analytica, GLOO, 2016 political targeting by Parscale… most people don’t even understand this exists.
@HiFi @briankrebs this isn't a tech issue, it's a social engineering/ process issue on the Telco side. They made it too easy to port numbers without doing proper checks. What you personally can do is use an authenticator app for 2fa as opposed to SMS.
@jonne @briankrebs gonna strong disagree, sorry.
@jonne @HiFi @briankrebs yes, that horse had already left the barn years ago. one might also argue that companies who only offer SMS for 2FA also bear some culpability, and that telcos should require extra auth to change account details.
@unknown8bit @jonne @briankrebs oh I’d say the whole industry has been slipshod with their (decided lack of) security measures. Perhaps some serious regulation, data protection, and data privacy laws with severe fines for transgressions are in order. I like the EU’s new DMA and DSA, but feel even those don’t go far enough.
@briankrebs @nixonnixoff
Where it enjoins someone to look after their stuff it's sorta reasonable. When it says "even if the unauthorized access was the result of ordinary negligence by an AT&T employee" it definitely isn't.
@briankrebs @nixonnixoff Wild that we've reached the point where you can just write into a TOS that you're not responsible for the negligence of your employees.
@kurt @briankrebs @nixonnixoff I mean to be fair they can write anything into a TOS, doesn't mean it's sufficient defence in a court of law
@kurt @nixonnixoff @briankrebs @tobypinder That is viciously anti-consumer language, allowing them to contract around their own employees’ negligence! IMO the only silver lining is “ordinary negligence” ≠ gross negligence or willful misconduct (e.g. a corrupt “inny” taking payoffs). AT&T has a long record of pushing such things as far as courts allow, so I’m guessing they placed a bet on this clause being upheld in at least *some* states.
@pauljackson @briankrebs seems like that would be ridiculously easy to track if the internal systems had any type of auditing trail and carriers cared about the issue at all.
@briankrebs @nixonnixoff "we want to run a phone network with none of the responsibility of running a phone network"
@briankrebs FCC and all privacy and CPNI regulations can pack up and go home now
@nixonnixoff @briankrebs does CPNI apply to mobile networks? I’m under the impression that wireline is much more regulated than wireless.

@mikeb @briankrebs wireless yes they have to abide by CPNI

Until some genius realized all they have to do is change their ToS, and all laws are cancelled

@nixonnixoff @briankrebs interesting. If CPNI applies, I’d imagine the ToS is to avoid customer liability and they think they can lobby or negotiate their way out of any meaningful FCC liability.

@nixonnixoff @briankrebs

Go with Google Fi, their customer service is so horrendous that someone trying to social engineer a sim swap with them would likely go crazy with frustration.

@nixonnixoff @briankrebs only Verizon has yet to indemnify themselves for sim swap fraud?
@nixonnixoff @briankrebs When all the major US phone companies are "nope, include us out, this is too skeevy for us to be even tangentially involved with" on something you know it *has* to be a painfully bad idea.
@nixonnixoff @briankrebs it’s not just crypto either. Any financial service, so banks, stock brokers, 401k. Here’s the excerpt from T-Mobile:
> … neither of us will seek any indirect, special, consequential, treble, or punitive damages from the other. These disallowed damages include, but are not limited to, damages arising out of unauthorized access or changes to your Account, Service, or Device, or the use of your Account, Service, or Device by you or by others to authenticate, access, use or make changes to third party accounts, including financial, cryptocurrency, or social media accounts …
@briankrebs surely this is unenforceable? Any clause in a contract that is blatantly unfair can't be held up in court? Even if someone has signed against it?

@briankrebs @nixonnixoff

Is this the final straw for MFA providers to stop using SMS as a second factor for authentication?

@briankrebs @nixonnixoff One of the reasons I love Google Fi (which is an MVNO of T-Mobile) is you can't port my number without access to my Google account, which requires access to a physical device or key. No carrier can match that level of security.

I'm planning on making the jump from Android next summer, when Apple is rumored to finally use a USB-C port on the iPhone. Unfortunately, Google Fi currently doesn't support 5G for Apple devices, or the eSIM for the Apple Watch, even though T-Mobile supports both just fine. As the maker of Android, Google has little incentive to change this anytime soon, but maybe things will change by the time the next iPhone is out.

That has me thinking about possibly switching to another carrier, but I'd lose the strong account protection provided by Google.

Changing their Terms of Service to avoid liability if one of their employees swaps your SIM rules out AT&T https://infosec.exchange/@briankrebs/109592154060149615

Verizon has had controls in place to prevent SIM swapping since 2020. https://www.technadu.com/verizon-number-lock-protection-against-sim-swapping/130118/

T-Mobile just rolled out similar controls two weeks ago
https://tmo.report/2022/12/t-mobiles-new-sim-protection-is-now-live-heres-how-to-enable-it/

Despite T-Mobile reportedly having faster speeds, if I do end up switching from Google Fi, it will probably be to Verizon because they have been more security-conscious by implementing these controls over two years before T-Mobile did.

I'd love to know if these controls can be overridden by employees though, and if so, what precautions they've taken against social engineering. One would hope that Verizon has a solid security program, considering they publish an annual Data Breach Investigations Report https://www.verizon.com/business/resources/reports/dbir/

@seanthegeek @briankrebs They can still get into Verizon, it's just a bit harder and sim swap services out of Verizon are more expensive. But not impossible.
@nixonnixoff @briankrebs I'm guessing you're basing that on underground ads for SIM swapping "services"? Any mention of Google Fi?
@seanthegeek @briankrebs google fi is generally considered to be un-SIM-swappable
@nixonnixoff @briankrebs Do you know of any other US MVNOs that are generally considered un-SIM-swappable who are more Apple friendly?
@nixonnixoff @briankrebs So anything else would be a huge step down. It sounds like Verizon is the next-best option for SIM swap defense?
@nixonnixoff @briankrebs - Given that there is no way for the user to modify these ToSs and EULAs, and that full participation in society requires acceptance, modern corporations are writing their own law, usurping the legislative function of government. Congress and the states should fix this…
@briankrebs I mean, to be fair, the phone network was not designed to be an authentication service (and, as far as I know, no promises have been made that it's fit for use as one)
@briankrebs @nixonnixoff Sounds like a great way to say their system works as intended regardless if one was a victim of any type of fraud using their networks.
@briankrebs @nixonnixoff Is it me or is AT&T / Yahoo OAUTH broken in all the ways? In other consumer rights news I got a fresh AT&T bill on the 27th due by the 1st. Do I win a deprecation coupon so I can redeem 10 to delist AT&T?

@briankrebs

Moral of the story is stop trusting your online devices for security, unless you have the skills and have personally vetted all of the code and hardware and protocols. Those 4 people can go nuts - the rest of us should recognize the danger and route around it.

"But Biggles! How can I do my crypto NFT nuttiness if I'm not online?" - exactly.

@briankrebs @nixonnixoff I can't really blame them, to be honest.
I mean - I blame them for having terrible security. Sure.
But I can't blame them for avoiding responsibility for accidents caused because some third party apps have chosen to trust that terrible security.

Like... If a cryptocurrency wallet or an online banking app considers a SIM card to be reliable authentication, then the fault is mostly on that app itself.

@briankrebs @nixonnixoff I got a letter in the mail from them. It was 14 pages in tiny print and I didn’t understand a word of it.

@briankrebs @nixonnixoff Oh you know.... just plain ol
"ordinary negligence"
🤔

(Though, this makes me wonder if they now need data to prove how ordinary negligence is for them? Why not say that surely the negligence in _my_ case is extra-ordinary?)