The Year of Security


You asked, we listened! Today, we are one of the first hybrid network operators based in the United States to offer Two-Factor Authentication (2FA) to secure subscriber accounts. But we aren’t stopping there. At US Mobile, we’re working at warp speed to deliver a comprehensive platform that can securely power all of your connectivity needs. To that point, we are proud to announce that 2022 will be another year dedicated to building the most secure carrier. So let’s dive right into what’s here and what’s coming soon™.

Account Security Status

Next time you sign in to the US Mobile platform, you’ll be greeted by a landing page highlighting your account security status, which comprises four components: Account Verification, Enable Two Factor Authentication (2FA), Enable Security Questions, and Secure Password Update. As you complete the journey to strengthen the security on your account, you will notice a status box signifying your progress.

Status bar showing current progress towards strengthening your account’s security.

How to boost your account security to 100%

These innovations are incredibly simple to set up in your account dashboard. Follow along to see how you’ll be able to boost your account security to 100% in less than 2 minutes!

Account Verification

The first step towards securing your new or existing account will require verification of your registered email address. We use email to relay important updates related to your account’s privacy (e.g., password changes) and service (e.g., approaching line expiration). In addition, your verification status serves as a key data point in our fraud detection algorithms. Meaning, we consider unverified accounts to be untrustworthy and have placed limitations on what those accounts can access on our customer-facing platforms (e.g., shop, dashboard, product support). You can request a new verification email at any time so that you can become a trusted subscriber account.

Two-Factor Authentication (2FA)

Once your account is verified, you’ll be greeted by a second landing page where you can set up two-factor authentication (2FA) to protect your account. 2FA is one of the most requested features across the entire telecom industry, so we are very proud to be one of the first in the US to provide this functionality. Once 2FA is enabled, you will require both the correct credentials and a one-time password (OTP) to sign in to your account. The OTP expires after authorization or a predefined expiration time. The OTP serves as a verification code that can only be viewed through your trusted contact method (email address, mobile phone number, etc.). Because you are the only person able to access that method, it becomes more difficult for bad actors to sign in to your account, even if your password has been compromised.


To provide a smooth user experience, you will have the flexibility to set up two trusted contact methods for your 2FA settings. These contacts can be any combination of email addresses or mobile phone numbers. So choose what works best for you in terms of accessibility and privacy. Meanwhile, we’ll keep building on this first iteration in order to bring you the latest advances in two-factor-authentication technology (e.g., app push notifications, biometric authentication, authenticator applications with TOTP, and more). Instructions for setting up 2FA for your US Mobile account are available here.

Security Questions

As you know, the US Mobile Product Support team is always there to provide you with 24-hour assistance wherever and whenever you need it. A key aspect of providing effective assistance is ensuring we are only interacting with the account’s authorized users. As an added step, we have released security questions as a supplemental method to verify your identity when communicating with our Product Support team. We tried to choose questions that have as little overlap with other platforms as possible (as well as having a little fun with it). Furthermore, your selected questions and answers will not be visible on the customer-facing applications. Because your security questions are not easily accessible, you will still have an added layer of protection against unauthorized transactions such as SIM swaps or port outs if your account is ever compromised.

After setting up 2FA, you will be directed to a landing page where you can choose three questions and answers to use for verification purposes. Unlike their usual implementation, our security questions will be used as a “verbal means” of authentication. By “verbal,” we mean that you will never be asked to submit your answers to an online form. Instead, you will be asked to provide answers through the product support chat or over the phone.

Here’s an example of what that might look like:

Subscriber’s Security Question and Answer

  • Question: What is your favorite line from a poem?
  • Answer: “Two roads diverged in a wood and I – I took the one less traveled by, and that has made all the difference.”

Conversation

  • Customer Support Agent: I will need you to answer one of your chosen security questions in order to verify your identity. Is that okay?
  • Subscriber: Yes, please go ahead.
  • Customer Support Agent: What is your favorite line from a poem?
  • Subscriber: “Two roads diverged but I took the one less traveled by. That has made all the difference.”
  • Customer Support Agent: That is correct. Thank you for verifying.

Notice that even though the subscriber didn’t give the exact word-for-word answer, we could still verify their identity. Since humans will assess your responses, you will not have to provide exact answers verbatim. Hopefully, this will provide some flexibility in the responses you feel comfortable using. The more complex or unique your responses, the more difficult it will be for someone to guess your answers. Once your security questions are set up, our Product Support team will use them in conjunction with the standard verification requirements already active on your account (e.g., Account Lockdown). When you want to switch things up, you can reach out to Product Support to modify questions/answers, and even choose custom questions that are not a part of our pre-defined options. In a future release, you’ll be able to choose custom questions when you first set up security questions.

Secure Password Update

If you are a new customer, you created your account using more stringent password requirements than your predecessors. If you are an existing customer, we are asking you to update your password at least once a year. These passwords will have to meet the same stringent requirements set for new users. The goal here is to encourage password changes that will not only align with modern security standards, but also protect your account against another platform’s data breach. Using a password manager can be very helpful in creating and storing a strong password.

Advanced Security Services

With the exponential adoption of mobile computing and smart devices, mobile network operators have become an even higher priority target for domestic and foreign hackers. Criminals are exploiting software vulnerabilities and using social engineering to gain access to user accounts. From here, SIM swapping and unauthorized port outs are used to steal phone numbers, leading to the hijacking of sensitive accounts (e.g., banks, social media, government) or requests for ransom to restore access. These nefarious activities are becoming even more prevalent due to the ease with which bad actors can gain access to off-the-shelf ransomware and distributed denial-of-service (DDoS) software.

To stay ahead, we are deploying a mix of software solutions and CRM tools aimed at securing the entire user experience from self-service to customer support. Our platform, which is now leveraging sophisticated machine learning algorithms built on top of both internal and global network traffic, has been further optimized with you at the center.

Account Notifications

We have built an extensive framework to audit transactions between customers and our platform as part of our machine learning pipeline. Now, we are bringing some of that functionality to you. We are increasing visibility into account changes so that we can improve our joint response to unauthorized activity on your account. Expect to see more notifications when we detect strange activity affecting your account and devices. In addition, we are building customer-facing alerts into the workflows for account changes such as updates to email, credit cards, and shipping addresses. We want to ensure that you have a comprehensive understanding of how your account is changing in real-time.

For those of you who enable 2FA, we’ll also be working to integrate the 2-step verification process into protecting critical account changes through the customer-facing applications. We are already leveraging OTP for real-time authentication when interacting with Product Support. As we work to unify functionality between our services, you can expect to see further UX improvements in our verification processes.

Account Authorization

The following security protocols are a bit of a retread, but we believe it is really important to highlight them again. At US Mobile, you can place additional safeguards on your account by reaching out to our Product Support team. Enabling any of the features below adds extra layers of security, placing your account behind authentication walls.

You can request any of the features below free of charge just by reaching out to us on chat, email, or phone. US Mobile will notify you via email or push notifications when changes are made to your account. If anything looks suspicious, we’ll instruct you to change your password immediately.

Never SIM Swap

When this feature is active on your account, all SIM swaps are restricted. Product Support will request more extensive verification before authorizing any SIM swaps on your accounts.

No Port Out

Similarly, when this feature is active on your account, all Port Outs are restricted. Product Support will request more extensive verification before authorizing any Port Out requests on your account.

Account Lockdown

In addition, you can request that your account be locked down. Once your account has been placed behind this authorization wall, all changes to the account will require extensive identity verification before being approved. 

Leveraging Machine Learning

As mentioned, we are combining our existing internal algorithms with a secure global network that leverages machine learning to identify malicious activity and shut it down. We have partnered with industry leaders in the cyber security space to establish a secure gateway to our services. The US Mobile progressive web application (PWA) that you have grown to love is now able to learn in real-time from activity on our platform as well as from anywhere within the global security network. At the macro scale, our system can respond more effectively to brute force (e.g., DDoS, card testing, credential stuffing), man-in-the-middle attacks, and data leaks. At the user level, we’ve added a layer to further improve our ability to authenticate requests against both global network traffic and previous interactions with our platform.

How We’ll Continue to Build the Most Secure Network

Balancing Security and User Experience (UX)

We acknowledge that improved security features can cause some headaches from a user experience perspective (i.e., looking at you, sign-in reCAPTCHA). However, we are continuing to optimize our application settings. In fact, you may have noticed that you can now stay signed in longer. With our recent platform updates, secure handling of application authorization across devices is now integrated not only at the subscriber level, but also across the platform. When you surf our website, we’ll autonomously handle discrepancies in session authorization and boot out any detected impersonators. If you ever feel that your credentials may have been compromised, you can change your password, then sign out all active sessions with a new feature on your settings page.

We hope you can tell that we aren’t just treating security as a nice-to-have and throwing around machine learning as a buzzword. The US Mobile website and dashboard are critical customer-facing applications that we are moving swiftly to modernize. Our end goal is always to make our platform as adaptive, secure, and user-friendly as possible. In the case where you need additional support, our Product Support team is always there with the assist.

Looking Forward

Over the last year, we delivered Pooled Plans, 5G Warp Speed, and eSIM capabilities that we hope will enable the next generation of innovative smart city design, grid edge technology, and adoption of IoT devices at scale. While we have experienced some great success, we aren’t resting on our laurels. In this age of constant cyberattacks, subscribers are seeking out platforms that offer great functionality while providing peace of mind through enhanced security features.

Our eyes are set on being the most advanced customer-centric network operator ever. To reach that goal, we know that US Mobile must not only be an industry leader in connectivity, but also in security. We hope that you will continue with us on this ride as we keep the focus on being a network that strikes a great balance between platform security and user experience.

FAQs

How do I set up Two-Factor Authentication (2FA) for my US Mobile account?

To set up 2FA for your account, follow the steps here.

How do I set up Security Questions for my US Mobile Account?

To set up security questions for your US Mobile account, follow these steps.

How do I update my US Mobile account password?

To make your US Mobile password more secure, follow the steps here.