Tuesday, March 8, 2016

My AT&T Account was Hacked - How could we have avoided it?

Last week, our AT&T Wireless account was hacked on the web site. The way they got in was probably by guessing or stealing the password for my wife's login from some other website and trying it on a variety of carriers until it worked. We got a text message from AT&T last week that the security questions had been changed. When I went to look at it, they hadn't. I immediately called the AT&T Fraud department, and they told me that no updates had been made, and no changes to the service, and that the system must have sent the message to me in error.

Yesterday, I got another text message on my phone, that my billing address had been changed.  It had been changed to a Miami Beach address.  At about that time, my wife called me from our kid's phone, saying that her phone no longer worked.  Neither did one of our other phones.  At that point, we realized that a new user had been authorized on the account, and that a new phone number had been added last week, and one of the phones (out of contract) had been used for an upgrade.  AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.

Apparently it is very common for thieves to use stolen credit cards, pay online on a hacked account, and pick up a phone from the store. Once they do that, they sell the phone as quickly as they can and pocket the cash.

Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.

The worst thing about all this is that it could have (and should have) been prevented! How? Let's look at the perfect storm of everything that went wrong:
  1. AT&T Account Security provides a phone number, an e-mail address, and a generated access ID to log in and manage your account. That is 3 different ways of logging in. Simplify it, give us 1!
  2. AT&T Account Security has the option of requiring a PIN that you specify for "any and all account changes that will cost you money." Apparently that is misleading. We turned on that PIN feature last year and set the PIN; however, it only works for in-store purchases. The web site does not require the PIN, and this is something they are aware of and have not yet rectified. Shame on them! If they had required the PIN, then simply using the login stolen from somewhere else would not have been enough.
  3. Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything. Everywhere. This practice is still rampant, and I strongly discourage it. As I've recommended several times (1, 2), you should not know the vast majority of your passwords. You should have a super secret master password that you use in only one place, your password vault, and have all others be long, randomly generated strings of letters, numbers, and punctuation marks. Thieves know that people like to use passwords that are easy to guess (by the way, if your password consists of a word, even if you change letters to numbers or add numbers at the end, it is extremely easy for computer software to guess), and that they use the same passwords everywhere. Software is specially designed to exploit the patterns we use ($ for S, 0 for O, 1 for L, etc.) and crack the passwords within minutes (average is 6 minutes or less). So even if thieves hack a system you logged into and steal encrypted passwords, they can decrypt them within minutes.
  4. Text Confirmation PIN - Apple and many other companies send text messages to known, pre-registered devices to confirm identity. For example, if I log into iCloud, it sends a PIN to my phone, which I then have to enter (after username and password) in order to access my cloud account. This is simple and very easy, and should be done by AT&T and all mobile carriers to confirm something as basic as adding, removing, or upgrading a line.
  5. Multifactor authentication - whenever this is available, turn it on and use it. This means that instead of just asking for username and password, some other thing is asked for to prove you are legit. For example, a lot of systems use Google Authenticator. This is like those RSA SecurID keys you may have seen, which generate a new number every 30 seconds. When you log in, you have to enter name, password, and the number, which follows a predictable pattern known only to your device and the site you are logging into. Another example is not just asking for name and password, but some other random mix of questions that you define and answers you set up. For example, "What was your first car?" "1981 DeLorean" - if you set up 3 to 5 Q&A, then it randomly selects one, and you have to answer that plus name and password to log in.
Luckily, we caught this quickly. Chances are very slim it was quick enough to catch this thief, or even quick enough to prevent him from selling the phones he stole. We lost a bit of peace of mind, and time spent dealing with it. But other forms of identity theft can be much more damaging, and you owe it to yourself (and to the efforts of law enforcement to catch these criminals) to learn what you can do and prevent this from happening.

And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!