TMobile HotSpot Security

[tonybradley]

TMobile has begun setting up wireless networking called Hot Spot at various retail locations such as Starbuck's and Borders Books.

TMobile provides the user with a login name and password that cannot be changed by the user. The problem is that the login name is the user's TMobile phone number and the password is the last 4 of their SSN.

They do provide some CYA wording explaining that their networks do not guarantee security and that its your job to secure your data (see TMobile Security Statement).

The FAQ states that their sites do not use WEP because they feel its impractical to have a shared secret password for a publicly available network. I can't say I disagree with that.

With an inherently insecure system though, they may want to consider allowing other login names and passwords. Once someone intercepts your phone number and last 4 of your sSN, they can call TMobile and get a variety of other information (address, birth date, other phone numbers, email address, etc.) because those are the keys that verify your identity to them.

[sickyourIT]

this is definitely bad, becuase tmobile will allow you to change billing plans, etc. with the ssn of a person. on top of that, you can even change which sim card you are using, so you can have a sim-based phone, call up t-mo's service number, change the account to your sim and get the crazy service plan, and talk for hours. or just cancel their services... not fun.

[waverebel]

You never know what, you will start in a T-Zone!