This probably isn’t new news, but I find it rather disturbing (add it to the long list):
I didn’t remember the password for my T-Mobile account (and i needed to pay a bill), so I went to their site to find out how to be reminded of it. Most sites will do something like make you answer some challenge questions (which are also questionable, but i digress). T-Mobile decided to add an interesting twist; they send the password to your phone instead of to your email address.
The way it works is that you type in your number and click the ‘remind me’ button. The system then sends you your password (not even a new, temporary one) via an SMS message, which you receive on your phone. This sounded good at first (nice way to use a side channel to deliver the key). However, anyone with possession of your phone (which will of course also tell them the number), can simply use this feature to get your password as well. Locking your phone isn’t enough to fix this- the attacker can simply put your SIM card into another phone and use that. A pin-protected SIM might be the answer. Maybe its time to get one of these?