Yesterday I got another text message on my phone saying that my billing address had been changed, this time to a Miami Beach address. At about the same time, my wife called me from our kid's phone, saying that her phone no longer worked. Neither did one of our other phones. At that point we realized that a new user had been authorized on the account, that a new phone number had been added the week before, and that one of the phones (out of contract) had been used for an upgrade. AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.
Apparently this is very common: thieves use stolen credit cards to pay online through a hacked account, pick up the phone in the store, sell it as quickly as they can, and pocket the cash.
Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.
The worst thing about all this was, it could have (and should have) been prevented! How? Let's look at the perfect storm of everything that went wrong:
- AT&T Account Security provides a phone number, e-mail address, and generated access ID to log in and manage your account. 3 different ways of logging in. Simplify it, give us 1!
- AT&T Account Security has the option of requiring a PIN that you specify for "any and all account changes that will cost you money." Apparently that is misleading. We turned on that PIN feature last year and set the PIN, but it only works for in-store purchases. The web site does not require the PIN; this is something they are aware of and have not yet rectified. Shame on them! If they had required the PIN, then simply using a login stolen from somewhere else would not have been enough.
- Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything. Everywhere. This practice is still rampant, and I strongly discourage it. As I've recommended several times (1, 2), you should not know the vast majority of your passwords. You should have a super secret master password that you use in only one place, your password vault, and have all others be long, randomly generated strings of letters, numbers and punctuation marks. Thieves know that people like to use passwords that are easy to guess (by the way, if your password consists of a word, even if you change letters to numbers or add numbers at the end, it is extremely easy for computer software to guess), and that they use the same passwords everywhere. Software is specially designed to exploit the patterns we use ($ for S, 0 for O, 1 for L, etc.) and crack the passwords within minutes (average is 6 minutes or less). So even if thieves hack a system you logged into and steal only the stored (hashed) passwords, they can recover the originals within minutes.
- Text Confirmation PIN - Apple and many other companies send text messages to known, pre-registered devices to confirm identity. For example, if I log into iCloud, it sends a PIN to my phone, which I then have to enter (after username and password) in order to access my cloud account. This is simple and very easy, and should be done by AT&T and all mobile carriers to confirm something as basic as adding, removing, or upgrading a line.
- Multifactor authentication - whenever this is available, turn it on and use it. This means that instead of asking only for a username and password, the site asks for something else to prove you are legitimate. For example, a lot of systems use Google Authenticator. This is like those RSA SecurID-style tokens you may have seen, which generate a new number every 30 seconds. When you log in, you have to enter name, password, and the number, which is computed from a secret shared only between your device and the site you are logging into. Another example is not just asking for name and password, but for a random pick from a set of questions that you define and answers you set up. For example, "What was your first car?" "1981 DeLorean" - if you set up 3 to 5 Q&A, then it randomly selects one, and you have to answer that plus name and password to log in.
And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!