Episode: 2856
Title: HPR2856: Mint Mobile Security Rant
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2856/hpr2856.mp3
Transcribed: 2025-10-24 12:15:06

---

This is HPR Episode 2856 entitled Mint Mobile Security Rant. It is hosted by Operator and is about 20 minutes long and carries an explicit flag. The summary is: settle in for a Mint Mobile Security Rant. This episode of HPR is brought to you by archive.org. Support universal access to all knowledge by heading over to archive.org forward slash donate.

Hello and welcome to another episode of Hacker Public Radio with your host, Operator. Today I'm going to be ranting about my experience with mobile carriers and also just security in general. So if you want some tips about moving from T-Mobile to Mint or want to hear ranting about security and authentication issues, tune in; if not, then probably want to skip this. So I am now on my probably second hour after finally resolving my issue and I haven't changed carriers in probably, I don't know, forever. I've always been with T-Mobile. So changing carriers is new to me and I went through the process of figuring all that out and getting the right information. I knew that I had to call T-Mobile for something to get some kind of code to transfer that information over.
I knew I needed that. So I called and did that. The problem with that is that once I did do that, I ended up basically kind of canceling the account out. So I don't know what is going to happen on the first before I get my new SIM format. So the process is you get basically a code or a PIN to transfer your number to a different carrier and usually there's charges involved with that. They'll charge you, you know, nine bucks or whatever it is. That wasn't my problem. What I did is I ordered Mint at a, you know, whatever, three month discount thing that they have. And I ordered it and I got the SIM card and I put it in and I activated it and I don't care about my number, about porting my number over because I use Google Voice for everything. So that wasn't a problem for me. My original idea was to use Mint for a while, see how it goes and then sign myself and my wife up for Mint. And what I ended up doing is it comes with two trial cards that you can use that you can't apparently port numbers over to either. So what I should have done is paid for the $45 three month thing and use the temporary card to play with, for lack of a better term, to play with Mint and decide if I want to switch to it. And then when I was ready, use the real card and activate it and port the number over and all that stuff. Now we're in the position of I have an account with Mint. I've paid them and given the money and I cannot transfer that SIM because I've already activated it. I cannot transfer that number and port it over from T-Mobile to this SIM because I already have a number which I don't know if any other carriers do this, but apparently once you activate the card and you don't port numbers over, you're done.
There's no, you don't get the opportunity to port the number over later and I'm assuming I feel like that was what would happen with, you know, other carriers once you sign up for you have to, once you sign up and get your SIM card, you have to do the porting over when you do the SIM card stuff. So that might be just how it works, but it seems frustrating to me in this age of software that you can't just call up and say, hey, I want to port my number over to this number or I want to port my number over to that number and it has to involve getting new SIM cards and activating new SIM cards and once they've been activated, you can't do anything. So that was kind of weird. So I went through that process, I called and spent, I called at least three times if not four, finally figured out that I have to basically start over. So I got the trial card and I put that in and I went through the process and of course their OCR or their barcode scanner doesn't work at all for their scanning the thing so you put in like a 24 digit SIM card number. So I put that in and it's like, great, you're good, you're activated, you're good to go and I never got the prompt to port a number over, I never, whatever. So I called back furious trying to figure out what happened and how do I get, I only got one more SIM to do this with that hasn't been activated. How do I port it over and she said, oh well, you can't do that. That's a trial SIM. So you can't port numbers over to it blah, blah, blah. So basically I was told that I basically kind of had to start over. I guess if you're going to do it, you also want to get a referral from a friend to save yourself the $33 but that's only after like three months of service or something stupid. So I'm on my first month, if not maybe my second month, I don't think I'm going to get the credit.
And even if I do, it's going to go to someone else or go to myself and I'm going to have like a credit on my account of like negative whatever $30 but I doubt that they'll give me a credit on my account and then pay me back the difference. Anyways, so I'm kind of stuck with that and I kind of screwed the pooch on that and I understand how it works now. But in hindsight, I would have I would have preferred some other easier way to transfer my already existing information to somewhere else. So now they've got two accounts with me and I paid them basically an extra $45 to use a phone that I'm not going to be or a SIM card that I'm not going to be using. So that's my rant for that. What I can tell you is I guess the idea right is to use these trial cards to your heart's content and then somehow you're supposed to have two phones. Like I don't understand how it's supposed to work right like am I supposed to take my personal phone, put it in a different phone and try the carrier for a while and like swap SIMs back and forth until I'm comfortable like that isn't where that doesn't make any sense either. So the only other logical thing is to have like two phones so that you can you know, you can try things out which that also doesn't really make any sense like not a lot of people have multiple phones and if they do they usually hand them down or donate them or recycle them whatever. So that's my rant there.

My other rant here is about security and authentication in general and I don't know what the problem is but I'm going to rant about some things that frustrate me being in the security industry. There has to be something else where we're moving towards kind of this one location not needing a password type of single authentication thing. You got folks like a KeePass or a YubiKey and Windows kind of teaming up to create some kind of fog that will basically replace all of that and it will replace your log on and all that stuff. The problem is of course passwords.
What's even a bigger problem is authentication in general and the madness that has gone on with it. So in this process, right, I had my identity stolen or a credit card stolen that I use and I had to cancel my credit card. So there's a card sitting downstairs that hasn't been activated of which I can't use to make any online purchases. So when I'm trying to go through this process to activate another card or to purchase another SIM card, I basically can't because I don't have a valid credit card number that's not a check card. I don't want to use my check card online of course. You want to have those, you want to have a separate checking account for your online transactions. So that way if something happens to your check card for that account, you're kind of more or less safe and you don't do like any. So here I am. I have a card that I need to get activated. So I call the number and I whatever and then I hang up quickly because I realize that I can activate online by providing my credentials and all that. So it's just, it's just a myriad of issues with authentication today and I just feel like I have to rant. I don't know why. So that was, that was kind of my first problem is that I had information that I needed to update in order to use my credit card. So I go through the activation part for my credit card. Again, that's an identity theft prevention mechanism. The Mint stuff is not necessarily identity theft. I think that's just part of that is protection and security to where you're not able to move cards around and make it harder for people to do fraudulent things. I'm assuming. So that's probably somewhat for security reasons why you can't port a number over to a SIM that's already active. So that's that. Then we move on to pay my, you know, my account seems kind of off for Amazon because I now have a credit card that's not valid on my Amazon account. So I have to update that. I update that.
And of course, it's all different because the new card you get is obviously got a new card number. Sometimes they'll give you the same card number in a different expiration date and a different CVE, CCC, CVE, whatever. That wasn't the case. I got a new CVE. I got a new card number altogether. So I activate that card number and I put it in Mint or put it in Amazon and I'm good to go. During that process, I think I want to say when I was logging into Mint, Mint Mobile, I was presented with a CAPTCHA. And during that process, I probably put the CAPTCHA in like two or three different times with two or three different browsers, which is, which is also frustrating to be asked if I'm a robot coming from the same IP address. And I feel there's nothing you can really do about that unless we move to IPv6 and everybody has their own number that's bound to their identification. So you can't necessarily whitelist by IP because, you know, you have your corporate enterprises and your large networks, for example, you know, T-Mobile does NAT translation anywhere. Any of your carriers do NAT translation, you're not actually directly connected to the internet when you're using your mobile phone. That's why you can't easily host a website on your mobile phone. Because they use NAT. Cool. So not only a security feature for people is to do CAPTCHA. And there's no way for them to easily whitelist me because I might be coming in from a big giant hub of an IP and they can't whitelist me by IP. But what they can do is they can create a session ID for the main domain, for example, Google or Mint. And they can keep that session ID active and say, OK, well, this person comes back after the CAPTCHA, we're not going to ask for the CAPTCHA again. And I'm pretty sure that's part of the reCAPTCHA stuff or whatever Google uses for their CAPTCHA. I think if you if you get prompted for a CAPTCHA, it saves that key. That session for a certain amount of time.
And so you don't have to log back in and reauthenticate. So that's frustrating because there's no way to not be asked, I don't know, at least once a day, I don't know you guys, I feel like at least once a day, I get asked if I'm a robot and have to enter CAPTCHA. And it's kind of it's kind of annoying after about the 20th time doing that. So that's something else that kind of frustrated me during that process. And I also looked into what what else I want to mention about security. I can't remember. Oh, it was two-factor auth. So after I did that, went through that process. I wanted to check check in on my work stuff. I get disconnected for being idle from my VPN. And I don't know if you've ever had to deal with two-factor authentication. It's, it's not particularly easy. But you will get a Duo auth or some kind of physical authentication token. And you have to put that token in or whatever. A lot of them are moving more towards push-based, application-based token authentication stuff. So you install an app on your phone, you get an activated basically session identifier that binds your phone to your identity. So that way if, you know, the CAPTCHA is basically instead of something you have, it's basically your phone is the something you have. And that's a software token, which can be copied. It can be copied easier than on a hardware device. So if you have a hardware key, basically you got to have a soldering iron and all that stuff to copy that key and have some hardware to copy that key. Now when you're using software-based authentication, you're, you can copy the device, you can copy the key, the session key that's attached to that device to create the tokens. You can pick a VMware snapshot. There's people online that have posted, oh, I can copy RSA soft tokens, blah, blah, blah, blah. Yeah, it's a soft token. That's why it's software. It's easy to copy because it's software. And a lot of them will use like hardware IDs on the hard drive.
So if you swap your hard drive out, guess what? You have to reauth for a new token for security reasons. That's how they do the identification. So for example, RSA, I think, does the hardware ID for the hard drive serial number for the hard drive and maybe your SID, which is a number assigned to your username, which is pseudo-randomly generated and or maybe it's possibly the SID of the computer itself. I can't remember. I would assume it's the SID of the username because multiple users can have multiple keys or multiple two-factor auth. So in that scenario, it's still at the end of the day software-based and you can copy those keys and enumerate and or clone those users and clone that identity to use that key somewhere else or copy it. For example, if you have an Android phone and you have root access, you can perform backups and backup all your keys and backup all your two-factor authentication stuff and restore it and be generally okay. Sometimes they'll actually bind back to some kind of hardware key or a like Google's unique ID system identifier thing. So you'll actually have to recreate that key. But in general, if you do a full restore from the same phone, you'll actually be able to recover those recover that stuff. So that's kind of a rant that I'll go on about, you know, two-factor authentication. It's quite buggy and frustrating and, you know, you got to wait for a push and sometimes you don't have to wait for a push and sometimes whatever. It's just annoying and I don't know what to do to solve it, but I basically have to spend a good, you know, I've spent a good percentage of my time today messing with things that have to do with, and encompass, security and identity and access management. And I don't know what the solution is and if I have to put a chip in my brain so I don't have to do and deal with this, which is probably where we're leaning towards, I'm fully willing to do that. Now it has to work and it has to, you know, be consistent.
But I'm really getting tired of the disparate systems for security and identity and access management and having to go all over the place when I'm just trying to just do my job and I'm just trying to get something simple done. And because of the point zero, one, one, one point zero, zero, zero, zero, zero, zero, one percent of the population that takes advantage of identity theft and security. I have to punish and we have to be punished as customers because for whatever reason we can't come up with some easy way for people to have identity and protection. And hopefully that will change and this is all new and all that, but I just think it's ridiculous in this day and age that we have to, you know, provide an ID and provide a birth certificate and provide this and provide that and have all this information. And oh, well, you're trying to get a freaking grocery card store or something, they'll give you those and they'll hand them out like candy, same thing for any other services that are like that around identity and tracking. They'll give you all the stuff, all the information and all the access you want for you to be to track you and to track your identity and to track where you're going. So everybody knows everything about you when you walk around and there's cameras downtown, they see you, everybody knows everything about you. When you call, you're just verifying the information that they already know, 90% of the time. So I don't understand why everyone knows everything about us when we call or where we come from, what we haven't connected is the identity theft part of it. So when I call my carrier and I say, I need to do something, they don't know that the person on the other end is me. And if we could solve that problem, the identity problem, I think all the password and authentication stuff can kind of go away.
And we're using passwords and two-factor authentication to be that piece that says, oh, the person has a piece of information, right, a password or something they have and a token. And that obviously must be that person, which is turning out more to be more of a problem than it is a solution. And, you know, you've got people getting phished for two-factor auth now. And that's the new hotness is to do, you know, Google Auth and Azure 2FA products. And they'll actually auto-detect, which is one and the other and serve up the right page and you can't tell the difference. So it's a different form of phishing. And it'll automatically forward the information over to the site that you want to do that. It's just another step in the phishing process that most people see. Most people haven't picked up on. But anyways, I know this is not super important, but I just feel like I'm getting tired of doing this. I'm tired of proving to people in the real world that I'm standing in front of that I'm not a crook that I'm not trying to take any money from them. I'm just trying to function and use and give you money. 90% of the time you're trying to use a service or get something out of the service. And 90% of the time you're paying for that thing. It's like, look, I'm willing to pay for something. And you're still wanting me to provide all this information for identity reasons. And it's like, I just don't understand how, why we can't get there faster. And hopefully we'll have something soon, but I can't. I'm getting, this is getting old. And I'm getting more and more frustrated from day to day as, as more people tell me, I can't do something because of the .01 population of the world that takes advantage of that. And now you have to jump through all these hoops to do something and all that stuff. So anyways, have fun, take it easy, and I don't know if you have any questions.

You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under Creative Commons, Attribution, ShareAlike, 3.0 license.