Some interesting stuff I apparently didn't notice the first time in updates to AT&T's terms of service, which you agreed to by continuing to use AT&T. This language is designed to insulate AT&T from liability in the event someone SIM swaps your phone number and uses that to steal your identity, crypto, etc. There's quite a bit of ongoing litigation about this very subject.

https://www.att.com/legal/terms.consumerServiceAgreement.html

"AT&T is not responsible for losses incurred as a result of your or a third-party’s use of your AT&T wireless number or other AT&T Service as a source of authentication or verification in connection with any social media, email, financial, cryptocurrency or other account;"

....."To the greatest extent permitted by law, AT&T is not liable to you for any damages of any kind resulting in any way from:

the installation, maintenance, removal, or technical support of AT&T Services, even if the damage results from the ordinary negligence of our installer or other representative;
any unauthorized access to your AT&T Accounts or AT&T Services (including the use of your AT&T Accounts or AT&T Services to access a third-party account), even if the unauthorized access was the result of ordinary negligence by an AT&T employee, representative, agent, or any person or entity purporting to act on AT&T’s behalf;"

Whew, that's some heavy stuff. Meanwhile, please enjoy this latest SIM-swap rap. h/t @nixonnixoff
https://www.youtube.com/watch?v=C8CumdZhPIw

@briankrebs @nixonnixoff One of the reasons I love Google Fi (which is an MVNO of T-Mobile) is you can't port my number without access to my Google account, which requires access to a physical device or key. No carrier can match that level of security.

I'm planning on making the jump from Android next summer, when Apple is rumored to finally use a USB-C port on the iPhone. Unfortunately, Google Fi currently doesn't support 5G for Apple devices, or the eSIM for the Apple Watch, even though T-Mobile supports both just fine. As the maker of Android, Google has little incentive to change this anytime soon, but maybe things will change by the time the next iPhone is out.

That has me thinking about possibly switching to another carrier, but I'd lose the strong account protection provided by Google.

Changing their Terms of Service to avoid liability if one of their employees swaps your SIM rules out AT&T https://infosec.exchange/@briankrebs/109592154060149615

Verizon has had controls in place to prevent SIM swapping since 2020. https://www.technadu.com/verizon-number-lock-protection-against-sim-swapping/130118/

T-Mobile just rolled out similar controls two weeks ago
https://tmo.report/2022/12/t-mobiles-new-sim-protection-is-now-live-heres-how-to-enable-it/

Despite T-Mobile reportedly having faster speeds, if I do end up switching from Google Fi, it will probably be to Verizon because they have been more security-focused by implementing these controls over two years before T-Mobile did.

I'd love to know if these controls can be overridden by employees though, and if so, what precautions they've taken against social engineering. One would hope that Verizon has a solid security program, considering they publish an annual Data Breach Investigations Report https://www.verizon.com/business/resources/reports/dbir/

@seanthegeek @briankrebs They can still get into Verizon, it's just a bit harder and SIM swap services out of Verizon are more expensive. But not impossible.
@nixonnixoff @briankrebs I'm guessing you're basing that on underground ads for SIM swapping "services"? Any mention of Google Fi?
@seanthegeek @briankrebs Google Fi is generally considered to be un-SIM-swappable
@nixonnixoff @briankrebs Do you know of any other US MVNOs that are generally considered un-SIM-swappable who are more Apple friendly?
@nixonnixoff @briankrebs So anything else would be a huge step down. It sounds like Verizon is the next-best option for SIM swap defense?