Another day, another breach . . . When are we getting 2 Factor options?

security_plox

    So as I am sure most people here know, there was another breach that had the potential to expose T-Mobile customer information (check Ars Technica or any of the other sites reporting on it).

    I rushed online to change my password, and then started looking for the option to set up some meaningful 2 factor authorization, such as a Yubikey (what places like Google and Facebook use for their employees). I found nothing, and contacted support as a result.

    They told me that this isn't an option, and the best they could do was forward it to their supervisor (meaning it is as good as trashed in my experience). I don't think that is acceptable anymore.

    When is T-Mobile going to start taking security seriously? Having something like U2F as an option for people that want it as an option should not be too much to ask.


      • tmo_mike_c

        Oh no!

        We do take your account security very seriously, so I'm sure the person you spoke with will be filing a report. That is the right thing to do, and we do have a dedicated team that'll investigate reports like this further. I totally get the benefit of having 2 factor verification. I'll make sure I pass this along to our internal devs; I just can't say if/when something like this will be changed. I'm sure you've done this already, but we do encourage that you use a unique password. I wish I could give you a solid "yes" this'll be changed, but we appreciate you coming here to tell us what happened and give us feedback. Thank you.

          • security_plox

            That's exactly the problem. They say they forward it on, just like you have, and I am sure they do, but nothing ever comes of it. It just disappears into the ether, like someone further up the chain just trashes it because they don't have to directly answer to a customer personally.

            I used a randomly generated password, but T-Mobile also limits you to a 15 character password, so that isn't particularly secure either. A 16 character password can be cracked in less than an hour.

              • tmo_mike_c

                When we file fraud forms they go to our fraud team. We have form numbers we use to keep track of them so there's no mix-up. It usually takes about 3 business days to get updates on those fraud reports but these reports are reviewed. Keep in mind, these fraud reports are used to look at your account for possible fraudulent activity. Changing the password verification structure is something completely separate. As I mentioned, I passed this feedback about 2 factor verification to the right team, I just can't promise if or when that'll change on the site.

                • stevetjr

                  security_plox wrote:

                  That's exactly the problem. They say they forward it on, just like you have, and I am sure they do, but nothing ever comes of it. It just disappears into the ether, like someone further up the chain just trashes it because they don't have to directly answer to a customer personally.

                  I used a randomly generated password, but T-Mobile also limits you to a 15 character password, so that isn't particularly secure either. A 16 character password can be cracked in less than an hour.

                  security_plox, I have been with TMO for 13+ years and have been on this forum for quite a while also. I can tell you that they don't just trash things that are sent up by the moderators, as I have seen issues they have sent up addressed and things changed based on input from users forwarded up by the moderators. Will you always see a response? No, because sometimes you don't want your competitors, or in this case hackers, to know what your plans are ahead of time; that's just good business practice. Also, it may be something out of their control, involve a third party, etc., and putting a timeline on something is just not an option, but it doesn't mean they are going to do it or just threw it in the trash. Just note also that the other carriers and many other companies haven't gone to 2FA yet, and some companies probably already have it somewhere in the budget/pipeline to do.

                    • security_plox

                      stevetjr wrote:

                      Just note also the other carriers and many other companies haven't gone to 2FA yet

                      Then isn't it time for T-Mobile to do the uncarrier thing and lead the change?

                        • tmo_marissa

                          security_plox, sounds like you're familiar with our MO. You're definitely right that we like to be at the foreground of changes that benefit customers, and I hope in this situation it's no different. I know MC has passed on your feedback; and I appreciate that you'd prefer a concrete answer -- if we do hear a reply back that we're putting plans in place to make this change, I'm sure he will update here. In the interim, it sounds like you're doing the best that you can to keep your online account secure, which is awesome. We'll let you know ASAP if two-factor options are going to be implemented on the site.

                          - Marissa

                            • security_plox

                              I have been around long enough to know that saying you "passed the information along" is just a way to placate someone you don't want to deal with. (It is one of the first things call centers teach their agents.) That conclusion is further evidenced by the fact that you (general) marked his reply as the "correct answer" once you thought I was no longer checking the thread, and quite frankly . . . it is simply insulting.

                              It is NOT the correct answer. The correct answer would only be a reply from the people you "passed on" the information to, even if that answer were a simple, "not happening."

                                • tmo_marissa

                                  I'm sorry if we weren't clear, security_plox. We did reach out to our dev team and the folks behind TMO ID, and were advised that while we're always exploring security enhancements, at this time there are no published plans to enable two factor. We don't want to say it will never happen, but right now, it is not in the works. I promise I didn't intend anything sneaky by marking MC's answer as correct -- I know it's not the answer that you'd like, but it is the information that we have at this time.

                                  That said, please know that if you'd be more comfortable, we can simply leave this thread open as a discussion. Unmarked questions can interrupt the feed that our team uses to ensure that we've reviewed every item on Support, but if we mark the thread as a Discussion, we can leave it without an official answer. If at any point we hear more about this, we'll definitely provide updates.

                                  - Marissa

                                    • security_plox

                                      Do what you want.

                                      I am well aware that telling me that you passed the information along is to placate me, get me out of your hair, and to keep your metrics down. I was clear about that right from the very first post (see: "They told me that this isn't an option, and the best they could do was forward it to their supervisor (meaning it is as good as trashed in my experience.)").

                                      However, like I also stated in the first post, I don't think this is really an acceptable response anymore.

                                        • tidbits

                                          security_plox wrote:

                                          Do what you want.

                                          I am well aware that telling me that you passed the information along is to placate me, get me out of your hair, and to keep your metrics down. I was clear about that right from the very first post (see: "They told me that this isn't an option, and the best they could do was forward it to their supervisor (meaning it is as good as trashed in my experience.)").

                                          However, like I also stated in the first post, I don't think this is really an acceptable response anymore.

                                          That's all the guy can do. He does not control other departments or the guy who makes all the decisions on company matters. You can send something to Legere directly on Twitter or Facebook, as he is actually very active there.

                                            • security_plox

                                              He/She could leave the question open until we get a real reply from the people they forwarded the information to rather than sneaking in and marking it as answered as soon as they think the person that opened it (myself) is gone.

                                                • tidbits

                                                  If they do that and get no response, would it make that much of a difference? The question on my end shows it isn't solved, so I don't see what you are talking about.

                                                    • tmo_lauren

                                                      Ayeeee!

                                                      I can promise we aren't just placating you and saying we passed the info along. I'm the one who did the digging for a contact on that side of the house so we could try and get an answer from someone who works with TMO ID and the authentication methods. I have some "I don't know who you'd talk to" e-mails I could show while I goose chased who would actually be a contact for this sort of thing. Luckily, one of the devs for this site who worked on the TMO ID integration for support.t-mobile.com (which we recently started using!) was kind enough to contact them for us. Which honestly, was great; I imagine they are more likely to give a candid answer technical person to technical person.

                                                      Unfortunately, the response he got, and subsequently we got and passed along to you, wasn't terribly helpful: just that it's something being evaluated and there's no timeline or customer ready plans at the time.

                                                      What I am going to go ahead and do is mark this as a discussion so that way it's not marked as answered, although I do want to confirm the answer is that there really isn't one at this time, which I know isn't ideal, but is definitely what we have.

                                                      We're a pretty smol but mighty team out here on Support; we always want to be candid with you and will never mark a response for the sake of SLA or metrics. Just speaking honestly, having employee questions marked as correct or closed out isn't a metric we have, because we want to first and foremost be a user generated answer forum with employee responses sprinkled in where our awesome users may not have the same resources for answers that we do!

                                                      Please don't hesitate to ask any additional questions, and if I get any updates, I've bookmarked this thread and will be sure to pop back in!

                                                      -Lauren

                                                      • security_plox

                                                        @tidbits

                                                        Yes, the way you present something makes a world of difference in the way it is received. It wasn't showing as solved to you because I went back and unmarked it as an answer.

                                                        @tmo_lauren

                                                        I am not trying to be a jerk about this. I am just feeling flustered by the whole situation, and popping on to see if there had been any updates only to see someone had marked it as answered just exacerbated that feeling.

                                                          • tmo_lauren

                                                            I totally get where you are coming from, and I really am sorry I can't give you a more gratifying answer. I officially marked this as a discussion, so no right answers appearing, but Marissa and myself are still following it and will get updated if new comments come in, and we'll update if we get any new info!

                                                            The more examples of this that we are able to pass along will hopefully result in additional security measures faster. We appreciate the input, and please continue to share any feedback on this or any other concerns you may have. I can't promise we can get you answers, but we'll always go out of our way to make sure things get to where they should and dig for what we can get, even if it's sort of lame like in this case.

                                                            Thank you again!

                                                            -Lauren