Beware of using SMS for 2FA

in #security · 7 years ago (edited)


I consider myself to be pretty savvy with technology. I use a password manager and randomized passwords on websites. I have Two-Factor Authentication (2FA) enabled on all of my important accounts (read: those that offer 2FA). I regularly check my devices for malware. So, how could my phone have gotten hacked and my Gmail taken over?

Here's my account of what took place and how I reacted:

Early Warning Signs

At the beginning of May, some weird stuff started happening with my phone. It began when I missed some text messages that my wife had sent me. Her phone clearly showed the messages as sent, but my phone showed that they were not received (despite receiving other messages later on). Chalk this one up as a T-Mobile problem, I thought.

But, one evening, I returned to my desk to find a new text message on my phone:

Free T-Mobile Msg: The SIM card for xxx-xxx-xxxx has been updated. Account activity details at my.t-mobile.com. Call 1-800-937-8997 if change is unauthorized.

Hmm, that's odd. I also saw that I had no service. This could not be good. I contacted T-Mobile's customer support via Facebook Messenger:

Me: I received a strange SMS about 2 hours ago saying "Free T-Mobile Msg: The SIM card for xxx-xxx-xxxx has been updated. Call if change is unauthorized"

I did not make a change, and now my phone won't connect to the T-Mobile network. When I try, Android says "Your SIM card does not allow connections to this network". I have rebooted the phone, and also removed/re-inserted the SIM card with no luck.

T-Mobile: Oh my gosh! I'd be doing what you are doing about this to find out what is going on with that SIM and the message. Thank you for messaging us tonight so we can find out what happened. I really appreciate that.

I'm pulling your account now so we can both find out what is going on with that SIM change text you received. You weren't expecting a SIM to be updated, were you?

Me: I was not. I didn't even have the phone on me when it happened (was sitting on my desk)

T-Mobile: That's very interesting. I'm sorry that is happening and I understand why you're messaging. I'd do the same thing.

So I took a look into the account memos to see what was going on and it appears that we did the SIM change about 2.5 hours ago. From what I can tell by the memos, it was a phone call interaction. It also says that we were making the change due to your request. This definitely sounds like something you are not aware of. Do you know if anybody else was going to be making a SIM change to the account?

Me: I just checked, and nobody in the house has talked to T-Mobile (including me). This is certainly not something that was requested today.

T-Mobile: Oh jeez! Not good! I am so sorry about that happening. Do you have that SIM you are supposed to have with you? If you do, can you give the number for it to me, please? It's a long number and should start with xxx. Are you able to get the SIM out or locate the number for it in the settings of the device?

Me: xxxxxxxxxxxxxxxxxxx

T-Mobile: Awesome. Thank you for that SIM card number. I appreciate you for that. I am double checking on the SIM in my system as well for this. I am thinking though that we should be able to get this SIM reactivated real quick for you. I just need to check some systems to see if it'll let me make that happen. I still am sorry that SIM change occurred. After we get that SIM back up again, I really think it would be a great idea to update the security PIN on the account. It will help with keeping the security up and keeping people out.

I'm back, Jason, and I was able to get that SIM of yours released and placed back on your xxxx line that had the change happen earlier. It can take up to 2 hours to reactivate, but you may have received texts about it already by the time you get this message. PHEW! I'm so glad we could get that fixed even though it reads like it should never have happened. I am sorry that it did to begin with, but you should be back up soon.

At this point, I thought it may have been a simple error made by T-Mobile when another customer called in to activate a SIM. Or, at worst, that a nefarious actor just wanted to access the internet, and used social engineering to take over my line so that they could use my data plan.

Deja Vu

Ten days later, on a Saturday morning, I didn't have service again. No text messages this time, but the same symptom where Android reported "Your SIM card does not allow connections to this network." I again contacted T-Mobile via Facebook Messenger and reported the situation.

I'll spare you the details, but this time, the customer service representative sent a PIN to my daughter's phone (on the same account) to verify my identity. We re-activated my SIM and also added a password to my line. Anyone trying to change my service would need to know the password on file to continue... in theory, at least.

Attack

Seven days later, the same issue came up with having no service and no text messages announcing that the SIM was changed. Like before, I started the Facebook Messenger chat (I preferred chat, by the way, because I couldn't call them on the phone, seeing how it had no service, and chatting allowed me to multitask while the issue was resolved):

Me: Hello. My phone is not connecting to the T-Mobile network again ("Your SIM card does not allow connection to this network" is what Android reports). Can you see if my xxxx number's SIM is xxxxxxxxxxxxxxxxxxx? There have been problems lately with unauthorized SIM changes for this number (we recently added an account password to prevent that)

T-Mobile: Hey Jason, thank you for reaching out to T-Force! I super appreciate you getting in touch -- I don't want any issues for you with your phone connecting, let alone anything unauthorized. Great thinking with that password as well. The good news is that I'm here to help! So that I can best do that, and with your account security in mind, do you mind please completing this link for me first? (URL to a login page) I'm grateful to you for taking the time to message with me, and can't wait to jump in!

Me: done

T-Mobile: Awesome, thank you for doing that Jason! I definitely have that password allowing me access to the account, so that worked perfectly. And I can see now you've been part of my #MagentaFamily for six months on this account, which is so wonderful. I want to turn that into six years, and I always take care of my family so you're in great hands! And you're exactly right that the SIM on xxxx does not match the number you provided. Obviously it's huge that that matches, but there's just a quick hang-up: To change the SIM card number, I need to be able to text you a one-time PIN number to verify your identity. However, because the SIM doesn't match currently, you wouldn't even receive that, I can only send it to the primary line. I hate to do this to you, but definitely don't want any more changes to your account, so do you mind visiting us in-store with a photo ID to change the SIM card? That's essentially the only option left to us, and though I'm sure that sounds like a headache, it's absolutely done with your best interests in mind.

Me: I can do that tomorrow, sure. Are there any notes/history on the account screen that provide information into why this keeps happening?

T-Mobile: Yeah, I'd have that question too. Looking at the history, it was done today via our care department, with the person verifying with your name. I'm not able to see if the password was used or the last four of SSN, but the password is absolutely supposed to be primary. We're also only to change SIM card numbers with a one-time text to the primary number, and it doesn't look like that was followed either, unless you received a text and read the PIN to a representative without knowing it. I'm really sorry this keeps happening Jason -- it's absolutely not okay. We've recently tightened our verification to make it even more difficult to bypass anything, so we've definitely got your back on this.

Me: would that have been around 5:30 PM Eastern (2:37 Pacific)? Looking at my account usage on the website, I see some texts received about that time that I don't show on my phone - perhaps that's the vector that they are using to intercept texts sent to me (i.e., if there is malware on my phone that intercepts texts without showing me, and forwards them over the internet).

There is a "Directtoconsumer Shortcode" listed, and then other texts "received" from Mauritania. I assume the Mauritania is probably the SMS that TMobile sends with a PIN, and the Shortcode is their intercept mechanism. Looking back through history, this pattern seems to repeat every time I have had a SIM outage.

T-Mobile: Oh man, I love to see your expertise Jason. You've got a great handle on this stuff, and I appreciate it very much. On my end, it looks like it happened about an hour ago, actually, so I'm not sure the times match up with the text history. It sounds like it might ostensibly be what's happening, but I also don't show that a one-time text was sent out from our end. I'm going to send you one now, just to test it, if you don't mind letting me know if/what you received.

At that point, I went to Google.com to search for something. That's when I saw a bright red warning at the top of the Google homepage stating that my account had been suspended due to suspicious activity. WTF was going on?

I went to Gmail, and found a similar warning on the login screen. To reactivate my account, I had to complete a 2FA challenge. I wouldn't be able to use SMS to my phone this time, but luckily, there was a second email associated with my Gmail that I could use. After getting into my inbox, I saw a bunch of emails from Coinbase, Genesis Mining, and Gemini about password resets. Ugh!

Me: ugh, that's exactly what's going on. They are hacking all of my accounts right now, it seems. Google had locked my account because they gained access to my gmail, etc. Google shows them as being in Houston, TX, but that's probably easily spoofed. Since my phone is currently not connected to the TMobile network, if you show my device as being live right now, then it's "them". Not sure if you're able to escalate to your security/infosec department at this hour.

T-Mobile: Oh man, okay, thanks Jason. So, the first thing I've done is changed the SIM number you gave me to an Available status, so that can be updated when we have the right verification. The second thing is I've filled out everything my fraud department needs to get involved, and they usually get involved pretty quick. It's likely you'll be contacted, though I'm not sure if/when, but either way any fraudulent charges that may have resulted would absolutely be adjusted.

Me: Aside from using my data, I don't think these people are after TMobile assets. They have been changing passwords on all of my accounts (and since most 2FA just sends an SMS to my phone, they have been able to do that).

T-Mobile: Oh okay, I've got you Jason. It really kind of hurts my heart that we have a place in making your life more complicated, since that's the complete opposite of what I want for you. But I've absolutely taken the best steps for the T-Mobile side of things, and action on next steps should come soon. Would you like me to suspend the line in the meantime? You can always un-suspend at any time, and it may help delay the authentication spread.

Me: Yes, please. Suspend and I will resume it tomorrow when I visit the retail store

So, that was the hacker's angle. Once they took over my line, all of my SMS messages went to them. They could then perform a password reset for my Gmail account (since it used SMS for Account Recovery), and once inside, could initiate password resets for any accounts that simply send you a confirmation email.

I had a few things going for me, though, which helped to protect me from further damage on that evening:

I had Authy activated for both Coinbase and Gemini. When you lose your phone and need to reset Authy, there's a 3-day delay inserted into the process for this very reason (so I was able to stop the Authy change that would have given them full access to the Crypto exchanges that I use).

I also have multiple accounts set up associated with different email addresses. In this case, the Coinbase and Gemini accounts associated with my Gmail had no balance in them, and were not associated with my bank accounts. So, even if they had gotten in, there was nothing waiting for them.

Reactions

Of course, the first thing that I did was change passwords of my accounts (especially the ones that I knew were attacked, because I had the emails in my inbox).

I then removed my phone as an "Account Recovery Option" in the Google Sign-in & Security settings, as well as from the "2-Step Verification" methods. This experience proved to me that using SMS for 2FA is flawed.

My mobile phone account has a memo on it saying that all changes must be done in person and identification is required. This is a huge pain for me when I need to make changes, because it was so convenient before to just call up T-Mobile. But, the thing that made it convenient for me also made it convenient for the hacker using social engineering. So, enough of that.

I have scanned my phone with many malware detectors, and all of the scans came back clean. I'm pretty sure that the missing SMS messages were related to this hacking, and the vector that I am picturing being used is one where an app with SMS permissions on my phone intercepts the incoming text message, and instead of delivering it to my Messaging app, sends it over the internet to the hacker. They can then use this to receive the PIN that T-Mobile (and other carriers) send to identify you during a support call.

Since I couldn't pinpoint a specific app to uninstall, I instead went into my Settings > Apps > (Cog menu) > App Permissions > SMS and denied access to apps that I knew didn't rely on SMS. My thought here was that a clever hacker might be able to somehow exploit an otherwise good app with SMS permissions to perform the text message forwarding (or maybe a bad app made it into the store disguised as a good app, etc).

Interestingly, a short time after this happened to me, Coinbase advised its users to abandon Authy and use an Authenticator instead:

[Screenshot: Coinbase notice recommending users switch from Authy to an authenticator app]

It appears that I was just one victim out of many recently to have this "Phone Porting Attack" happen. And, while I praised Authy above for saving me with their three-day delay, there is still a phone-number component to the system that benefits a hacker that has control over your phone number. So, I changed out my 2FA from Authy to Authenticator on all accounts where it was offered.

Note

I mention T-Mobile many times, because that's my carrier of choice and I'm quite happy with their service. This wave of Phone Porting Attacks was not limited to one mobile carrier, so there's nothing about T-Mobile's network specifically that enabled my phone to be taken over by a bad actor.

Photo Credit: https://www.pexels.com/photo/blur-blurry-curly-hair-depth-of-field-404973/


Worth reading
