[Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile

Rick Neifeld richardneifeld at gmail.com
Fri Oct 3 01:07:02 UTC 2025


1. On T-Mobile login, I am presented with the options of using my local
TOTP generator or receiving a text containing the TOTP.  I guess your
concern is that someone using T-Mobile's DIGITS service can get that texted
TOTP.  A texted TOTP is vulnerable to a SIM swap attack.  (Where someone
impersonates you and transfers your SIM to a new device.)  The DIGITS app
authentication process has the same fundamental flaw, vulnerable to a SIM
swap attack. My review of the DIGITS app authentication process is that it
relies exclusively on a text message to "your" phone (or the thief's phone
if a thief succeeded in porting your account to their phone) to complete its
own authentication that you are who you say you are. Again, vulnerable to a
SIM swap attack.

2. But T-Mobile has a separate secret code process to prevent SIM swap
attacks.  See  Under Account, settings,  SIM protection.  Here you can turn
ON the SIM Protection. This feature requires the entity requesting a SIM
swap to provide a unique 6 to 15 digit PIN to effect the SIM transfer.  But
I do not see a way to get a new PIN now, and I do not have a record of such
a PIN.  I hesitate to turn on this feature until after I know from T-Mobile
what my PIN is.

3. Other things you can do in T-Mobile to limit the chance your user ID and
pswd are compromised, and prevent other hassles:


In privacy settings, turn OFF the following:

"Let us share your individual data with trusted third parties for public
and scientific research purposes."
All "Advertising options"
All "Sharing certain financial information"

In privacy settings, turn ON the following:

"Share your data to help protect you against fraud and identity theft"

In "Do not sell or share my personal information"
Turn OFF all options.

In "Mobile Advertising ID Opt Out" find your cell phone's advertising ID
(32 or so digits long), enter it in the interface, and click Opt Out.

In "Block calls and messages" enable "Block Scam Likely Calls"




On Thu, Oct 2, 2025 at 5:41 PM Suzannah K. Sundby via Patentpractice <
patentpractice at oppedahl-lists.com> wrote:

> So, considering my issue with unauthorized accounts associated with my
> Amazon account.
>
>
>
> I decided to look into SIM card hacking, etc.
>
>
>
> PSA: Check your cell phone and take measures to secure/lock your SIM card.
> Read more here.
> https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
>
>
>
> I have T-Mobile.  After checking out the T-Mobile app, which I never did
> use before (I was previously Sprint), I discovered that one can also set
> up 2FA for logging into T-Mobile… which I guess is essential to protect
> one’s cell phone and SIM card.
>
>
>
> It seems I already had SIM card protections toggled on.  Whew.
>
>
>
> But, in reviewing security options… T-Mobile has something called DIGITS,
> which lets one use one phone number to talk and text on multiple devices.
> WTF?!?!?!
>
>
>
> I tried toggling this OFF, but then a warning pops up saying if I disable
> then I can no longer receive texts and emails, etc.  WTF?!?!?!
>
>
>
> Nevertheless, the app indicates that there are no additional devices using
> my account/phone number… Whew.
>
>
>
> But still…  Why does toggling off DIGITS (to prevent other devices from
> using my phone number) turn on ‘Device Block’ which per T-Mobile “If you
> select this service [Device Block], you will no longer be able to send or
> receive any type of message.”
>
>
>
> I mean… WTF… It’s just like Amazon whereby others can create associated
> accounts using my cell number but I can’t remove my cell number from my
> account, etc…
>
>
>
> Anyway, PSA: Check your cell phone and take measures to secure/lock your
> SIM card.  Read more here.
> https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
>
>
>
> Suzannah K. Sundby <http://www.linkedin.com/in/ssundby/> *|* Partner
>
> *canady + lortz** LLP* <http://www.canadylortz.com/>
>
> 1050 30th Street, NW
>
> Washington, DC 20007
>
> T: 202.486.8020
>
> F: 202.540.8020
>
> suzannah at canadylortz.com
>
> www.canadylortz.com
>


-- 
Best regards
Rick Neifeld, J.D., Ph.D.
Neifeld IP Law PLLC
9112 Shearman Street, Fairfax VA 22032
Mobile: 7034470727
Email: RichardNeifeld at gmail.com;