Over the past several weeks, T-Mobile appears to have been sending text messages to its customers, prompting them to enable additional security for their service accounts. It has been confirmed that this is a legitimate message, which the carrier has been working to get out to every postpaid user on its network. However, the company has not divulged its exact reason for sending the message out now. It has been speculated that the texts could be in response to threats carrying over from last year's T-Mobile website breach. The site has been fixed since at least October, but that doesn't negate the possibility that information taken as a result of that bug could be showing up in attacks. For its part, the company points to an industry-wide problem as the reason for its messaging campaign.
On that front, the company is correct that the threat addressed in the text messages is not unique to T-Mobile. The threat comes in the form of a "phone number port out" or "SIM hijacking" scam. This kind of attack is effectively the theft of an identity via the theft of a phone number. A malicious actor contacts a mobile provider or goes to a retail location to either request a new SIM card in a given subscriber's name or to port a subscriber's phone number to a new network. After that, it becomes very easy to gain access to even more information, since 2-factor authentication and password resets often depend on verification codes delivered by text message. That includes 2-factor authentication setups used by banks, Google, and other institutions.
In the meantime, the added security T-Mobile is asking customers to set up is not something that is unique to T-Mobile, so it may be a good idea for anybody with a mobile service account to call their carrier and get extra security in place. In this case, added security comes in the form of an additional step that would be required to enact any account changes, including a number port out or SIM change. By setting up a passphrase, PIN, or other identity verification step, it becomes much more difficult for any would-be attacker to impersonate a subscriber. Unfortunately, it often requires users to actively ask for that security. Thankfully, some providers – including T-Mobile – appear to be taking an active approach to the issue, even if the company's approach does seem a bit odd.