Number Temporarily Hijacked (i think)

jared555

    I called T-Mobile about this but had trouble getting a straight answer to my question.  I know it's a bit complex with the intrusion point coming from any possible number of locations, so I'm going to first ask the question that T-Mobile should be able to answer.

     

    1.  I have two sms messages in my Usage->Messaging that I never received on my phone.  Is it possible to see where those went?  Does that network know when it's talking to my phone and when it's talking to another phone?  Does the network know what city those smses were sent to?  The question I'm trying to answer is were those messages sent to my phone and auto-deleted by some virus or were they sent to another device and never made it to my phone?

     

    The story:

    At 8:40am Telegram sent me a login code via the Telegram desktop app.

    At 8:44am Telegram informs me that someone has logged into my account.

    I immediately go and revoke access and begin the process of setting up 2fa with a password.

    At 8:45am Telegram sent me a login code via the Telegram desktop app.

    At 8:46am Telegram sent me a login code via the Telegram desktop app.

    Somewhere around this time I disable wifi on my phone and notice that my phone is not connecting to the mobile internet.

    At 8:48am Telegram informs me that someone has logged into my account via ip address #1

    At 8:48am Telegram informs me that someone has logged into my account via ip address #2

    I revoke access.

    I finish setting up 2fa.

    I restart my phone and get 2 smses informing me that my MMS and WAP Service Settings have arrived.  My assumption being that my phone shows up as a new phone on the network and gets sent these settings, but I'm not very familiar with how mobile networks work.

     

    What I'm ultimately trying to clear up here is if T-Mobile was the intrusion point, if my phone has been hijacked or if they found another exploit.  I called T-Mobile and they have no record of anyone else calling in, so that's out of the equation.  But where did those smses go?

      All replies

      • tmo_chris

        Re: Number Temporarily Hijacked (i think)

        That is super strange! To me, this sounds like someone may have tried to port your number out of T-Mobile. It is strange how you lost data connectivity though. My recommendation would be to call us back and have port blocking added to your account and setting up some additional layers of security Protect yourself from scams.

         

        The rep you speak with can look at your account history to see if there was any attempt to port your number out. 

          • jared555

            Re: Number Temporarily Hijacked (i think)

            Thanks for your reply Chris.  When I called T-Mobile, they checked and said no one had contacted them recently including myself (so nobody called impersonating me).  I will make sure port blocking gets enabled. 

             

            Do you know if it's possible for T-Mobile to see which device those missing text messages went to or the devices location at the time of receiving those text messages?  This would really help me narrow down what happened and either eliminate my phone being compromised as part of what happened or make it pretty clear that something is up with my phone. 

          • jared555

            Re: Number Temporarily Hijacked (i think)

            Hey guys,

             

            I can the number the messages were sent from.  It's telegrams sms verification number. 

            07/17/2018, 06:48 AM--28 8401IncomingText
            07/17/2018, 06:44 AM--28 8401IncomingText

            My current theory on this is that it was an SS7 hack.  My understanding is that once hackers have access to SS7, they can temporarily divert SMS and phone calls to their device.  Getting access to SS7 is difficult, though I would label myself and what my telegram provides, as a decently high value target.  I'm sure I have not been the only one targeted. 

             

            I found a thread about a Dash (cryptocurrency) admin's telegram being hacked.  It's unclear if his number was ported or the SS7 exploit was used, but it seems it was the SS7 exploit.

            https://www.dash.org/forum/threads/telegram-chat-compromised.30464/

             

            This is why I was trying to find out the location of the device the texts were sent to and if T-Mobile knows the device's ID (though that may have been faked to look like me).  With this information I might be able to add more proof to my theory and feel safer that the rest of my security measures are holding up.

            • tmo_mike_c

              Re: Number Temporarily Hijacked (i think)

              Hi there!

               

              Adding that port validation is really important. Were you able to do that as Chris suggested?