2 Million T-Mobile Customers Are Hit by a Data Breach
August 25, 2018
"It’s always better to open a new browser window or tab and go to a company’s website on your own," Richter says. "Don’t follow links or respond to emails asking for passwords or other personal data. And don’t call a phone number included in the email."
This is the latest in a long line of data breaches consumers have learned about over the past year affecting the credit-reporting agency Equifax, the travel website Orbitz, the ride-sharing company Uber, and other companies.
Data breaches involving cellular providers can be especially risky, according to Dan Guido, CEO of the security firm Trail of Bits, if they make it easier for a criminal to take control of a consumer’s phone number by porting it to a new phone. That’s just one in a rising tide of fraud schemes related to cell phones. If someone does take control of your number, they might be able to use it to change banking and other passwords.
"The lesson for consumers here is that we tend to have misplaced trust in the cellular telephone system," Guido says. Over the past 10 years, banks and other institutions have used SMS messages and phone calls to authenticate users’ identities.
The system, called two-factor authentication, typically requires consumers to enter a one-time code sent by text message along with a password to log in to an account. But data breaches and new kinds of cellular fraud are gradually making the practice less effective, Guido says.
To help protect their cellular accounts, Guido says consumers should add a different type of protection that’s offered by all of the major carriers, including T-Mobile. It requires a separate password to make changes to an account, such as porting the number to a new carrier.
T-Mobile says that consumers with questions about the data breach can dial 611, use two-way messaging on MyT-Mobile.com, or access the T-Mobile app. "We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access," the announcement said. "We truly regret that this incident occurred and are so sorry for any inconvenience this has caused."