[Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile
Patent Lawyer
patentlawyer995 at gmail.com
Fri Oct 3 14:51:28 UTC 2025
All this SIM swap protection is a good idea for all of us, but I don’t think that you (Suzannah) were the victim of a SIM swap.
A SIM swap would have caused your phone to stop working almost immediately (“substantially immediately”).
Since, as I understand it, your phone still works, you were not the victim of a SIM swap.
More likely, they have (or had) your email password to do the Amazon crap.
Even if you change your email password, make sure that they have not set an auto-forward rule on your email account.
Also, maybe this T-Mobile link was already shared, I have lost track:
https://www.t-mobile.com/support/plans-features/help-with-t-mobile-account-fraud
> On Oct 2, 2025, at 9:07 PM, Rick Neifeld via Patentpractice <patentpractice at oppedahl-lists.com> wrote:
>
> 1. On T-Mobile login, I am presented with the options of using my local TOTP generator or receiving a text containing the TOTP. I guess your concern is that someone using T-Mobile's DIGITS service can get that texted TOTP. A texted TOTP is vulnerable to a SIM swap attack. (Where someone impersonates you and transfers your SIM to a new device.) The DIGITS app authentication process has the same fundamental flaw, vulnerable to a SIM swap attack. My review of the DIGITS app authentication process is that it relies exclusively on a text message to "your" phone (or the thief's phone if a thief succeeded in porting your account to their phone) to complete its own authentication that you are who you say you are. Again, vulnerable to a SIM swap attack.
>
> 2. But T-Mobile has a separate secret code process to prevent SIM swap attacks. See under Account, Settings, SIM Protection. Here you can turn ON the SIM Protection. This feature requires the entity requesting a SIM swap to provide a unique 6 to 15 digit PIN to effect the SIM transfer. But I do not see a way to get a new PIN now, and I do not have a record of such a PIN. I hesitate to turn on this feature until after I know from T-Mobile what my PIN is.
>
> 3. Other things you can do in T-Mobile to limit the chance your user ID and pswd are compromised, and prevent other hassles:
>
>
> In privacy settings, turn OFF the following:
>
> "Let us share your individual data with trusted third parties for public and scientific research purposes."
> All "Advertising options"
> All "Sharing certain financial information"
>
> In privacy settings, turn ON the following:
>
> "Share your data to help protect you against fraud and identity theft"
>
> In "Do not sell or share my personal information"
> Turn OFF all options.
>
> In "Mobile Advertising ID Opt Out" find your cell phone's advertising ID (32 or so digits long), enter it in the interface, and click Opt Out.
>
> In "Block calls and messages" enable "Block Scam Likely Calls"
>
>
>
>
> On Thu, Oct 2, 2025 at 5:41 PM Suzannah K. Sundby via Patentpractice <patentpractice at oppedahl-lists.com> wrote:
> So, considering my issue with unauthorized accounts associated with my Amazon account.
>
>
>
> I decided to look into SIM card hacking, etc.
>
>
>
> PSA: Check your cell phone and take measures to secure/lock your SIM card. Read more here. https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
>
>
> I have T-Mobile. After checking out the T-Mobile app, which I never did use before (I was previously Sprint), I discovered that one can also set up 2FA for logging into T-Mobile… which I guess is essential to protect one’s cell phone and SIM card.
>
>
>
> It seems I already had SIM card protections toggled on. Whew.
>
>
>
> But, in reviewing security options… T-Mobile has something called DIGITS, which lets one use one phone number to talk and text on multiple devices. WTF?!?!?!
>
>
>
> I tried toggling this OFF, but then a warning pops up saying if I disable then I can no longer receive texts and emails, etc. WTF?!?!?!
>
>
>
> Nevertheless, the app indicates that there are no additional devices using my account/phone number… Whew.
>
>
>
> But still… Why does toggling off DIGITS (to prevent other devices from using my phone number) turn on ‘Device Block’ which per T-Mobile “If you select this service [Device Block], you will no longer be able to send or receive any type of message.”
>
>
>
> I mean… WTF… It’s just like Amazon whereby others can create associated accounts using my cell number but I can’t remove my cell number from my account, etc…
>
>
>
> Anyway, PSA: Check your cell phone and take measures to secure/lock your SIM card. Read more here. https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
>
>
> Suzannah K. Sundby <http://www.linkedin.com/in/ssundby/> | Partner
>
> canady + lortz LLP <http://www.canadylortz.com/>
> 1050 30th Street, NW
>
> Washington, DC 20007
>
> T: 202.486.8020
>
> F: 202.540.8020
>
> suzannah at canadylortz.com
> www.canadylortz.com
>
>
>
> --
> Patentpractice mailing list
> Patentpractice at oppedahl-lists.com
> http://oppedahl-lists.com/mailman/listinfo/patentpractice_oppedahl-lists.com
>
>
> --
> Best regards
> Rick Neifeld, J.D., Ph.D.
> Neifeld IP Law PLLC
> 9112 Shearman Street, Fairfax VA 22032
> Mobile: 7034470727
> Email: RichardNeifeld at gmail.com
>