dfedbeef 1 day ago

Probably hard for a telecom company to not keep IMSI -> account association somewhere

2
red-iron-pine 21 hours ago

randomized IDs and linked lists, which correspond to entries in DBs elsewhere.

IMEI 123456789 has ID sjkadnasf8uywjerhsdu, and then in the hyper locked down Mongo instance used by billing knows that sjkadnasf8uywjerhsdu relates to John Smith, credit card number xxxx xxxx xxxx xxxx

make it so you have to crack all of em, instead of just nailing one and walking out w/ all the crown jewels

mschuster91 22 hours ago

Yeah, in separate databases on separate systems. The network plane of a phone provider should only be able to access a database mapping IMSI -> account ID, and the billing/customer service department should only be able to access a database mapping account ID -> actual account data.

Unfortunately, anything involving phones is based on literally decades of stuff that was made in a time where every participant in the network was trusted by default, and bringing up the legacy compatibility stuff to modern standards is all but impossible.

kube-system 17 hours ago

> decades

ss7 was developed almost a half-century ago, wasn't it?