Getting More From T-Mobile

by Psycho

I am a former employee of a T-Mobile retail store where I was primarily responsible for activating new accounts for customers.

The main system we used was called Watson.  Watson is a web-based portal that allowed the user to run a credit check for a customer, activate prepaid phones, access customers' accounts, access the Point of Sale (POS), run store reports, and the like.

Retail employees of T-Mobile use this system for every transaction that is done throughout the day.  The tasty pearl of all of this is that the Watson portal is accessible from an outside IP address.

That means that you can do most of these functions from anywhere outside of a retail store.  Now before I get into specifics, the standard disclaimer applies: This is for educational purposes only.  Any actions that you take within this system are probably tracked.  I am not responsible for anything you do with this information.  And while the following explains possible ways to activate service through T-Mobile, doing so in this system from outside of a retail store is probably illegal.  And as such, I have not actually completed an activation from outside of a retail store.  So I have not verified if these processes are even fully possible.  If you get stopped by Watson, too bad.

Now, like I said, Watson is accessible from outside the T-Mobile intranet.  You can get to it by going to: watson3.voicestream.com

Click "Login" to get to the login page.

Here it asks you for a username and password.

These are the usernames and passwords of each retail employee that needs to get in.  At the retail store, the username and password have to be entered before every transaction, so most employees make this something very simple that can be typed in quickly.

At the store where I worked, most of the people there used their username as the password.  So, if your name was "John Thomas", your username might be jthomas and you might set your password to jthomas.

The password could be set to anything, but most people just use the username.  The best way to get some usernames is to do some social engineering at your local store.  Since the username is usually the first letter of the first name and the first six letters of the last name, you can get someone's business card and simply take the name off of that.

Keep in mind that if the person's last name is shorter than six letters, there is usually a number at the end.  For example, John Smith might be jsmith2.  So these might be harder to get.
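The habit described above (password equal to, or built from, the username) can be refused when the password is set. The following is an added example, not part of the original article or of any T-Mobile system; the function names and the 12-character minimum are assumptions.

```python
import re

MIN_LENGTH = 12  # assumed policy value; the article states no minimum


def derive_username(first_name: str, last_name: str) -> str:
    """Convention described in the article: first initial + first six letters of last name."""
    return (first_name[:1] + last_name[:6]).lower()


def letters_only(text: str) -> str:
    """Lowercase and strip digits/punctuation, so 'JSmith2!' compares as 'jsmith'."""
    return re.sub(r"[^a-z]", "", text.lower())


def rejection_reason(username: str, first_name: str, last_name: str, password: str):
    """Return 'name-derived', 'too short', or None when the password is acceptable."""
    core = letters_only(password)
    tokens = {
        letters_only(username),
        letters_only(derive_username(first_name, last_name)),
        letters_only(first_name),
        letters_only(last_name),
    }
    for token in tokens:
        # Ignore very short tokens to avoid rejecting on two-letter coincidences.
        if len(token) >= 3 and (token in core or token[::-1] in core):
            return "name-derived"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


if __name__ == "__main__":
    # Constructed sample inputs using the names from the article's own examples.
    for pw in ("jthomas", "JThomas1!JThomas1!", "correct horse battery staple"):
        print(repr(pw), "->", rejection_reason("jthomas", "John", "Thomas", pw))
```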

Once logged in you are presented with the same screen that the employees get in the store.  You have the following options:

  • New Personal Account:  Where you would run credit and activate a new personal account.
  • New Business Account:  Where you would activate a new business account.
  • Add to Existing Account:  Used to add a line onto an existing account.
  • Work in Progress:  Used to resume an activation that was interrupted.  Asks for the Social Security number to continue.
  • View an Existing Service Agreement:  Where you can access a service agreement.  Asks for Social Security number.
  • Number Eligibility Query:  Used to see if another provider's number can be ported to T-Mobile.
  • Prepaid Menu:  Where you can activate prepaid phones.
  • POS Menu:  Access the POS (does not seem to be accessible from outside the intranet).
  • Customer Account Management (or CAM):  Used to access the information on existing accounts (does not seem to be accessible from outside the intranet).
  • SAP Retail Store:  I am not sure what this is for.  We never used it in the retail store.  Does not seem to be accessible from outside the intranet.
  • Change Password:  duh.
  • Log Off:  duh.

Of all of these, only the POS Menu, CAM, and SAP Retail Store seem to be blocked from outside IPs.  Only CAM would be useful for our purposes, but we can live without it.

Now, the fun comes when you realize just what you can do from here.  Have you ever wanted to activate a new account for someone?  Have you ever wanted to activate a prepaid phone for free?  Have you ever needed to add a line onto some unsuspecting person's account?  Well, here is how some of that can be done.

Activating Prepaid - The Easy Way to Go

Do you have an old T-Mobile phone that you want on prepaid without paying for the activation?

Then head to the Prepaid Menu in Watson.  All you need is the SIM card number, the IMEI number of the phone, and a prepaid airtime card.

You can put in a bogus name and birthday (which is all that is required) and input the rest.  You have to use a virgin SIM so just do some social engineering at a retail store to score one.  And you can purchase a $10 prepaid airtime card from the store to use for the activation.

You see, when you activate a prepaid phone in the store, the activation is done separately from ringing up the sale.  So you can activate it yourself in Watson, and then just not pay anything.

Activating Postpaid - The Harder Way to Go

If you head to New Personal Account, you are asked for a bunch of personal info.

This is information that is taken from a driver's license in order to run a credit check.  After putting all this in, the credit result will give you a choice of rate plans that you are eligible for.  After picking that, the system asks for the SIM card number, the IMEI number from the phone, which city you want your phone number in, and so on.

You have to use a virgin SIM so just score one from a retail store with some social engineering.  If it all worked correctly, the contract will pop up and you will be activated.

Add to Existing Account

Using this area, it is possible to add a line onto someone's account using only their Social Security Number (SSN).

After you put in a customer's SSN, you can add on a line in a process similar to creating a new account.  What you can add depends on that person's credit.  I do not recommend actually doing this because that person will definitely find out about it when they get their next bill.  So this is only good for short-term phone usage.

Another great flaw in T-Mobile's system is their Customer Care department.

These guys normally handle most customer issues over the phone, but because of the inefficiencies in the Retail system, it is often necessary for employees to call Customer Care.  An employee would have to call in to do credit checks or to activate phones if Watson won't let them.  They also call in to change rate plans and to extend someone's contract.

Getting Customer Care to think you are an employee is painfully simple.

Every time an employee calls Customer Care, they ask for that employee's first name, first letter of the last name, and a dealer code.

All you have to do to get a set of these is to hang around in a retail store long enough for one of the employees to call Customer Care for someone.  When they are on the phone, you will hear them give the name and dealer code to the representative.

Another way is to get a receipt that the particular employee rang up.  On each receipt is an area called Employee ID, or the like, which has the dealer code listed there.  Each employee has a unique dealer code that is looked up to make sure it matches the name given.

So a typical conversation would go like this:

Customer Care: "Thank you for calling T-Mobile.  To better assist you, may I have your cell phone number starting with the area code?"

Employee: "Hi, my name is John and I am a direct dealer for T-Mobile."

Customer Care: "O.K.  May I have the first letter of your last name and your dealer code?"

Employee: "First letter is T as in Tom and my dealer code is 0045678."

The dealer codes are usually seven digits long, but they don't always start with 00.

Another thing is to specify that you are a direct dealer when you identify yourself.  These are people who work for direct T-Mobile stores as opposed to authorized agents of T-Mobile.

After you give them the info, the rep asks for the customer's phone number and name to verify the account.  Sometimes they also ask for the last four digits of the customer's SSN, but most of the time they trust you as a dealer and do what you want to the account.

Nine times out of ten, they do what you want without ever wanting to actually speak to the customer.  With this total access to the account, you can change almost anything.

As long as the name and dealer code match in the system, they are yours to command.  And it doesn't matter which department you speak to.  They all ask for the same info.  So you could talk to Customer Care, Consumer Credit, or Activations, and as long as the name and dealer code match, you are golden.

When you call Activations, you could activate phones manually through them without entering the store.

First you would talk to Consumer Credit to do a credit check, then you would go to Activations.

At Activations, they ask you for the SSN of the customer or Onyx reference number (which you get after the credit check).  From there, they verify the name and address info that you ran the credit with.

After that, they ask which city you want your phone number in and which rate plan you want.  Then they ask for the SIM card number and the IMEI number from the phone.  Remember that it has to be a virgin SIM so score one from a retail store.

Now, activating a phone with a rep is not going to do you much good unless you do it under someone else's name.  If you did it under your name, you would still be subject to the activation fee and to the annual contract.

Many of these huge security flaws could be easily corrected by blocking access to Watson from outside IP addresses.  Changes also need to be made to the verification process that Customer Care goes through to ensure that they are actually speaking to a dealer.

Employee ID numbers should not be printed on anything that is given to the customer.  With these simple changes, T-Mobile could take active steps in sealing these gaping holes.
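The first fix proposed above, expressed as a policy check: the portal as described restricted only three menu items and left the rest open by default, while the recommended state denies every function to outside addresses. This is an added example, not T-Mobile's code; the internal address ranges, the probe address, and all function names are assumptions.

```python
import ipaddress

# Assumed internal ranges (placeholders; the article gives no addressing details).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Menu items listed in the article.
ALL_FUNCTIONS = [
    "New Personal Account", "New Business Account", "Add to Existing Account",
    "Work in Progress", "View an Existing Service Agreement",
    "Number Eligibility Query", "Prepaid Menu", "POS Menu",
    "Customer Account Management", "SAP Retail Store", "Change Password", "Log Off",
]

# Policy as the article describes it: only these three were restricted.
OBSERVED_POLICY = {
    "POS Menu": "internal",
    "Customer Account Management": "internal",
    "SAP Retail Store": "internal",
}


def is_internal(source_ip: str) -> bool:
    """True only for a well-formed address inside an internal range (fails closed)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def allowed(function: str, source_ip: str, policy: dict, default: str) -> bool:
    """Apply the per-function rule, falling back to `default` for unlisted functions."""
    rule = policy.get(function, default)
    return rule == "any" or (rule == "internal" and is_internal(source_ip))


def externally_reachable(policy: dict, default: str, probe_ip: str = "203.0.113.10"):
    """Audit helper: which functions would an outside (documentation-range) address reach?"""
    return [f for f in ALL_FUNCTIONS if allowed(f, probe_ip, policy, default)]


if __name__ == "__main__":
    print("allow-by-default:", externally_reachable(OBSERVED_POLICY, "any"))
    print("deny-by-default: ", externally_reachable({}, "internal"))
```

Running the audit helper against each policy change shows immediately when a newly added function has been left open by the default.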

So there you go, kids.  Have fun, but don't do anything stupid.  Now you can truly Get More from T-Mobile.

Shout outs to Amanda, Req, and the rest of the crew at the TPG.
