Yesterday, I got another text message on my phone, that my billing address had been changed. It had been changed to a Miami Beach address. At about that time, my wife called me from our kid's phone, saying that her phone no longer worked. Neither did one of our other phones. At that point, we realized that a new user had been authorized on the account, and that a new phone number had been added last week, and one of the phones (out of contract) had been used for an upgrade. AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.
Apparently this is very common, for thieves to use stolen credit cards, pay online on a hacked account, and pick up a phone from the store. Once they do that, they sell the phone as quickly as they can, and pocket the cash.
Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.
The worst thing about all this was, it could have (and should have) been prevented! How? Let's look at the perfect storm of everything that went wrong:
- AT&T Account Security provides a phone number, e-mail address, and generated access ID to log in and manage your account. 3 different ways of logging in. Simplify it, give us 1!
- AT&T Account Security has the option of requiring a PIN that you specify, for "any and all account changes that will cost you money." Apparently that is misleading. We turned on that PIN feature last year and set the PIN, however it only works for in-store purchases. The web site does not require the PIN, and this is something they are aware of, and have not yet rectified. Shame on them! If they had required the PIN, then simply using the login stolen from somewhere else would have not been enough.
- Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything. Everywhere. This practice is still rampant, and I strongly discourage it. As I've recommended several times (1, 2), you should not know the vast majority of your passwords. You should have a super secret master password that you only use one place, for your password vault, and have all others be randomly generated long alphanumeric with punctuation marks. Thieves know that people like to use passwords that are easy to guess (by the way, if your password consists of a word, even if you change letters to numbers or add numbers at the end - it is extremely easy for computer software to guess), and use the same passwords everywhere. Software is specially designed to exploit the patterns we use ($ for S, 0 for O, 1 for L, etc.) and crack the passwords within minutes (average is 6 minutes or less). So even if thieves hack a system you logged into and steal encrypted passwords, they can decrypt it within minutes.
- Text Confirmation PIN - Apple and many other companies send text messages to known, pre-registered devices to confirm identity. For example, if I log into iCloud, it sends a PIN to my phone, which I then have to enter (after username and password) in order to access my cloud account. This is simple and very easy, and should be done by AT&T and all mobile carriers to confirm something as basic as adding, removing, or upgrading a line.
- Multifactor authentication - whenever this is available, turn it on and use it. This means, instead of just asking for username and password, some other thing is asked for to prove you are legit. For example, a lot of systems use Google Authenticator. This is like those RSA secure keys you may have seen, which generate a new number every 30 seconds. When you log in, you have to enter name, password, and the number - which follows a predictable pattern only known between your device and the site you are logging into. Another example, is not just asking for name and password, but some other random mix of questions that you define, and answers you set up. For example, "What was your first car?" "1981 DeLorean" - if you set up 3 to 5 Q&A, then it randomly selects one, and you have to answer that plus name and password to log in.
And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!
Yeah Jay!!! Good info. I had a similar issue.
ReplyDeleteProblem with using a pwd generator is you always need access to "use" it to login. I reverted to using complex rememberable pwds.
Yeah Jay!!! Good info. I had a similar issue.
ReplyDeleteProblem with using a pwd generator is you always need access to "use" it to login. I reverted to using complex rememberable pwds.
Jay,
ReplyDeleteThe same thing just happened to me. A phone was ordered online from my account and they changed my password, but luckily I caught it almost immediately. Interestingly, the phone was to be shipped to a house just across town. Should I be notifying the police of this?
How to hack a phone and monitor its activity without physical access to the cell, this can be answered here
ReplyDeleteMany organizations are thinking of intuitive approaches to better comprehend their client's understanding. This change is helping the media transmission industry develop immensely.https://www.customercaretoll.com/listings/att-telecommunication-customer-support-service-toll-free-phone-number
ReplyDeleteI have read this article it is amazing...
ReplyDeleteIn the AT&T Webmail Login , any incorrect information provided in the IMAP setting can make it hard for you to receive the emails at the time, or you may end up with not receiving the email at all.
Thanks For Sharing...
BE SMART AND BECOME RICH IN LESS THAN 3DAYS…It all depends on how fast you can be to get the new PROGRAMMED blank ATM card that is capable of hacking into any ATM machine,anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago..It has really changed my life for good and now I can say I’m rich and I can never be poor again. The least money I get in a day with it is $10000.Only serious individuals should contact him because he is very straight forward and his series is 100% trusted i am a living testimony. Every now and then I keeping pumping money into my account. Though is illegal,there is no risk of being caught ,because it has been programmed in such a way that it is not traceable,it also has a technique that makes it impossible for the CCTVs to detect you.. For details on how to get yours today, email the hackers on: skylinktechnes@yahoo.com or whatsapp: +1(213)785-1553
ReplyDeletetell your loved once too, and start to earn money through the blank card or website: https://skylinktechnes.wixsite.com/info
Old but amazing article. My at&t account was hacked, I called AT&T support but they said there was nothing they could do to recover the account. Sentry is a teen white hacker in my neighborhood. He revealed to me later that I had downloaded some form of computer malware that was after saved online passwords to accounts on my device. I grateful the malware did not get other essential credentials. My neighborhood hacker's email is sentryinthewires @protonmail .ch
ReplyDelete