[Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile
Suzannah K. Sundby
suzannah at canadylortz.com
Fri Oct 3 15:18:05 UTC 2025
Yeah, I’m 99.9% positive my SIM card was not compromised. I barely leave the house and I don’t download unknown/risky stuff on my phone… and I don’t click on links via email or text from unknown senders.
This morning there were more Amazon charges to my credit card account and I received the email below from the Amazon fraud department… which you will see that they are lying… claiming that my credit card was compromised outside of Amazon. Several Amazon representatives told me exactly what happened—that there were unauthorized Amazon accounts linked to mine via my cell phone number…
Apparently, my credit card company (Chase) said the unauthorized charges today were charged when my original card was still active and then posted when the items were shipped. Just to be safe, Chase closed the replacement card (I have yet to receive) and are sending me a replacement for the replacement. <sigh>
Yesterday, I wrote a long, detailed letter to the Amazon attorney guy Tom Olsen who deals with fraud (which thanks again George for finding him) begging for help and pointing out the flaws in how Amazon allows account linking. No reply yet.
Anyway… again, recommend that everyone LOCKS DOWN THEIR Amazon, accounts, cards, SIM, phone, etc.
Email from Amazon:
Hello,
We detected that an unauthorized party used your payment card ending in 0938 on Amazon. To protect your information, we have taken the necessary security measures and canceled all pending orders.
The following charges were already processed on your card:
$51.47
$33.16
$39.58
$56.11
$54.73
$42.39
$53.67
$200.00
$83.83
$37.79
$100.00
About refunds and disputes:
Please review all recent activity on your credit or debit card and report any unauthorized charges to your bank within 90 days from the date of the unauthorized transaction. As the refund will not be issued by Amazon, your bank or financial institution is responsible for refunding any unauthorized charges to your credit or debit card. Once you have reported the unauthorized charges, your bank will guide you through their dispute process.
Why did this happen?
While we can't exactly determine how your card information was compromised because that happened away from our websites, this typically happens through:
-- Malicious software capturing payment information
-- Phishing emails requesting account details
-- Data breaches on other websites
We will provide full cooperation to any bank investigation into this matter, though we cannot share further specific details about the unauthorized activity with you.
Can I contact Customer Service about this action?
Customer Service can confirm this email is legitimate but cannot provide additional details about the unauthorized activity. For refund assistance, please work directly with your card issuer.
How can I verify this email is from Amazon?
Unsure about an email claiming to be from Amazon? Don't worry about verifying the email itself. Simply sign in to your Amazon account the way you usually do through the website or Amazon app. You can also check your Message Center for any recent communications from Amazon if you have account access. For more security tips, visit “Security and Privacy” under Amazon Help pages.
Thank you for your prompt attention to this security concern.
Amazon Account Protection Services
Suzannah K. Sundby<http://www.linkedin.com/in/ssundby/> | Partner
canady + lortz LLP<http://www.canadylortz.com/>
1050 30th Street, NW
Washington, DC 20007
T: 202.486.8020
F: 202.540.8020
suzannah at canadylortz.com<mailto:suzannah at canadylortz.com>
www.canadylortz.com<http://www.canadylortz.com/>
Confidentiality Notice: This message is being sent by or on behalf of a lawyer. It is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential, or otherwise legally exempt from disclosure. If you are not the named addressee, you may not read, print, retain, copy, or disseminate this message or any part. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.
From: Patentpractice <patentpractice-bounces at oppedahl-lists.com> On Behalf Of Patent Lawyer via Patentpractice
Sent: Friday, October 3, 2025 10:51 AM
To: For patent practitioners. This is not for laypersons to seek legal advice. <patentpractice at oppedahl-lists.com>
Cc: Patent Lawyer <patentlawyer995 at gmail.com>
Subject: Re: [Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile
All this SIM swap protection is a good idea for all of us, but I don’t think that you (Suzannah) were the victim of a SIM swap.
A SIM swap would have caused your phone to stop working almost immediately (“substantially immediately”).
Since, as I understand it, your phone still works, you were not the victim of a SIM swap.
More likely, they have (or had) your email password to do the Amazon crap.
Even if you change your email password, make sure that they have not set an auto-forward rule on your email account.
Also, maybe this T-Mobile link was already shared, I have lost track:
https://www.t-mobile.com/support/plans-features/help-with-t-mobile-account-fraud
On Oct 2, 2025, at 9:07 PM, Rick Neifeld via Patentpractice <patentpractice at oppedahl-lists.com<mailto:patentpractice at oppedahl-lists.com>> wrote:
1. On T-Mobile login, I am presented with the options of using my local TOTP generator or receiving a text containing the TOTP. I guess your concern is that someone using T-Mobile's DIGITS service can get that texted TOTP. A texted TOTP is vulnerable to a SIM swap attack. (Where someone impersonates you and transfers your SIM to a new device.) The DIGITS app authentication process has the same fundamental flaw, vulnerable to a SIM swap attack. My review of the DIGITS app authentication process is that it relies exclusively on a text message to "your" phone (or the thief's phone if a thief succeeded in porting your account to their phone) to complete its own authentication that you are who you say you are. Again, vulnerable to a SIM swap attack.
2. But T-mobile has a separate secret code process to prevent SIM swap attacks. See Under Account, settings, SIM protection. Here you can turn ON the SIM Protection. This feature requires the entity requesting a SIM swap to provide a unique 6 to 15 digit PIN to effect the SIM transfer. But I do not see a way to get a new PIN now, and I do not have a record of such a PIN. I hesitate to turn on this feature until after I know from T-mobile what my PIN is.
3. Other things you can do in T-mobile to limit the chance your user ID and pswd are compromised, and prevent other hassles:
In privacy settings, turn OFF the following:
"Let us share your individual data with trusted third parties for public and scientific research purposes."
All "Advertising options"
All "Sharing certain financial information"
In privacy settings, turn ON the following:
"Share your data to help protect you against fraud and identity theft"
In "Do not sell or share my personal information"
Turn OFF all options.
In "Mobile Advertising ID Opt Out" find your cell phone's advertising ID (32 or so digits long), enter it in the interface, and click Opt Out.
In "Block calls and messages" enable "Block Scam Likely Calls"
On Thu, Oct 2, 2025 at 5:41 PM Suzannah K. Sundby via Patentpractice <patentpractice at oppedahl-lists.com<mailto:patentpractice at oppedahl-lists.com>> wrote:
So, considering my issue with unauthorized accounts associated with my Amazon account, I decided to look into SIM card hacking, etc.
PSA: Check your cell phone and take measures to secure/lock your SIM card. Read more here. https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
I have T-Mobile. After checking out the T-Mobile app, which I never did use before (I was previously Sprint), I discovered that one can also set up 2FA for logging into T-Mobile… which I guess is essential to protect one’s cell phone and SIM card.
It seems I already had SIM card protections toggled on. Whew.
But, in reviewing security options… T-Mobile has something called DIGITS, which lets one use one phone number to talk and text on multiple devices. WTF?!?!?!
I tried toggling this OFF, but then a warning pops up saying if I disable then I can no longer receive texts and emails, etc. WTF?!?!?!
Nevertheless, the app indicates that there are no additional devices using my account/phone number… Whew.
But still… Why does toggling off DIGITS (to prevent other devices from using my phone number) turn on ‘Device Block’ which per T-Mobile “If you select this service [Device Block], you will no longer be able to send or receive any type of message.”
I mean… WTF… It’s just like Amazon whereby others can create associated accounts using my cell number but I can’t remove my cell number from my account, etc…
Anyway, PSA: Check your cell phone and take measures to secure/lock your SIM card. Read more here. https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/
--
Patentpractice mailing list
Patentpractice at oppedahl-lists.com<mailto:Patentpractice at oppedahl-lists.com>
http://oppedahl-lists.com/mailman/listinfo/patentpractice_oppedahl-lists.com
--
Best regards
Rick Neifeld, J.D., Ph.D.
Neifeld IP Law PLLC
9112 Shearman Street, Fairfax VA 22032
Mobile: 7034470727
Email: RichardNeifeld at gmail.com<mailto:RichardNeifeld at gmail.com>;