This morning, reading in bed, I got a very worrying notification:
This is the notification you would receive if someone was in the process of taking control of your phone number, which could then give them access to other accounts where you had used that phone number as a backup or for two-factor authentication. So I was very concerned!
In case this was a different sort of scam, however, I wasn't about to call the phone number (which could be anyone) but I visited the website and talked to someone over chat. They confirmed that my pin had been changed, but also said that since I have a prepaid account they couldn't tell me more than that. They told me to call T-Mobile customer support at 611.
When I called 611, they looked into it, and said that this was an automatic message sent as part of migrating my account to a new billing system. They confirmed no one had reset my pin other than their automated system.
I'm disappointed in T-Mobile for either not realizing their migration would trigger this message, or deciding to go ahead with it despite the user impact.
I have 30 years of experience in IT as a user and developer and often integrating with external systems - sometimes with big corporations. The pattern that I see is that all companies, big and small are mostly cooking with water. Often lukewarm water. This is especially true if the interfacing is in areas that are not the core product/business of the company. Things look shiny on the outside. But under the hood a lot of compromises are made. Tech in financial processes are often far behind. I can evaluate this only in tech but Gell-Mann Amnesia tells me that it is probably the same elsewhere. Inadequate Equilibra everywhere. Society has just grown big very fast. It is just growing pains. On th other hand, Paul Graham would probably say it is a great potential for startups.
Why do you have a prepaid T-Mobile account?
5GB for $30/m is quite good for the US
Have you heard of Tello (a T-Mobile MVNO)? I pay $7/m for 1GB, but they have 6GB plans for $24/m
It almost sounds like they just found out which customers are vulnerable to a phishing attack.
When you say you visited 'the website', did you visit the site from the link, or did you independently find the T-mobile webpage? If the former, are you certain you went to the real T-mobile site?