In the United States, prepaid wireless services took a while to catch on; while customer demand was certainly there from the beginning, telecoms were somewhat apprehensive about deviating from the tried-and-true service contract and monthly billing arrangements. Eventually, American providers of wireless services gave in to demand, and they marketed this option as being more convenient, more flexible, and just as secure as cell phone service contracts.
Unlike other countries where the regulation of prepaid wireless services tends to be more relaxed in terms of requesting information from users, a prepaid SIM account in the U.S. requires the collection of personally identifiable information; moreover, each prepaid customer becomes an account record, one that can be tied to financial information to make it easier to add credit, airtime, and services. With regard to data security, there is no difference between wireless contracts and prepaid arrangements, and this is something that T-Mobile was recently forced to contend with.
According to an official press release issued by T-Mobile on November 22, a data breach affected about 1.12 million prepaid service customers, which represents less than 1.5% of its total user base. The incident occurred in early November, and it looks like a standard cybercrime situation and not an insider attack. Affected customers received SMS notifications about the incident, and they were urged to change their passwords as well as the PIN codes they use for easy account access.
Fortunately, the cyber perpetrators were not able to steal financial records associated with the accounts, which means that credit cards and social security numbers were not compromised; nonetheless, the stolen records include names, phone numbers, account numbers, and billing addresses. In the hands of cybercrime groups dedicated to identity theft, this type of information can be very dangerous.
Earlier this year, hackers were somehow able to access customer records of Sprint wireless subscribers, and they did so by exploiting a vulnerability on a website that caters to owners of Samsung smartphones. Similar to the T-Mobile incident, financial records were not accessed, and this is probably related to compliance with Payment Card Industry Data Security Standards.
For the payment processing industry, prepaid wireless services have become a substantial segment of its business. Unlike wireless contracts, which are mostly settled once per month and sometimes just once per year for customers seeking deep discounts, topping up prepaid smartphones with voice minutes or blocks of data is something that customers may do a couple of times each week, and even more often when carriers send out notifications with coupons and special deals. The most privacy-conscious will only “top up” their cell phones with cash; however, quite a few end up linking credit and debit cards for convenience.