AT&T Crack Part of a Phishing Operation
JohnGrahamCumming writes "According to a story in the San Francisco Chronicle the AT&T store crack was the prelude to a very sophisticated phishing operation. The phishers were aiming to use the information from the store to fool existing customers into divulging SSNs and other personal information." From the article: "'The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration,' the memo says, adding that the hacked data didn't include Social Security numbers or birth dates. But the hackers had a scheme to get this extra info. After accessing the customer data, they incorporated it into phishing messages that were promptly sent to AT&T's DSL customers ... Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number. "
Well, if I was getting paid $7 an hour at an AT&T store, I'd probably find a way to rip people off as well!
This is just one of many, many issues of privacy violations that have happened in the last year. And the feds seem mainly interested in letting states regulate and report on security breaches. So far only a few states have legislation to notify consumers of database compromises, which is a shame. The sad part is many people may have had their information stolen and they will never know until the information has been exploited, all the while the corporations have been aware of this for a long time and choose not to reveal the violations in fear of a negative PR.
From the headline it sounded like I was in trouble with the FBI for buying AT&T Crack.
I'm sure glad I trust my private information to AT&T... whoops
-Daniel
That's pretty clever. If someone can come up with something like this and almost pull it off, you have to wonder what they could accomplish if they put their effort towards something better (i.e., Vista or Duke Nukem Forever).
I saw a comment either on Fark or Slashdot about someone that placed an order with AT&T to order a friend the power supply for their modem or router or whatever it was.
A few days later they received an email asking for their SSN and other personal information that they shouldn't have been asking for. Of course they didn't fall prey to it, but it contained the order number and order details of the order they had placed! It's the ultimate phishing scam. They can now be virtually indistinguishable from the AT&T people. All it takes is a few people to screw up.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
You (should) still be immune to phishing scams if you refuse to give _any_ personal information out unless _you_ initiated the contact (and then only with known-good contact info for a business, such as calling a number printed on your phone bill). If you get an email like this, _call the company._ Yes, I know that it's usually impossible to get through, but even if you can't or don't, nothing bad will happen.
I wish we could get more people to realize this.
I hear tell that AT&T volunteers full access to db information and raw telecom data.
The only people who should have your SSN are your employer, the government, and your bank(s). AT&T shouldn't have anyone's SSN except its own employees.
You are reading a copy of my copyrighted post.
You'd be amazed at how easy it is to get a certified copy of your social security card...last time I lost my driver's license I only had to know my mom's maiden name and the city I was born in. Dadgum feds....
Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
I can't help but wonder whether the payment card industry will adjust their security standards in the face of this kind of threat. Currently, the security standards stipulate that a credit card number has been sufficiently protected/destroyed if only the last four digits of the account number are kept. In the face of this kind of attack, would that be enough? All of a sudden, what information is left is being used to obtain whatever was missing.
I can see security requirements being adjusted in a couple of ways: First, require complete obliteration of the credit card account number when it is no longer needed. Don't even keep the last four digits. Second, require that various pieces of information be kept in separate logical or physical databases. If card numbers are stored separate from addresses and other personal information, it's one more barrier for an attacker to overcome.
Wait, I thought the NSA spying operations at AT&T were a fishing expedition, looking for political espionage/blackmail content, but people told me I was a "conspiracy theorist". Now you're telling me that I was just a typo conspiracist?
--
make install -not war
This is bad, I believe I am an affected customer. This morning I had random charges on the credit card that I used to pay my AT&T bill with. Although it is a little relief that the report says that they did not take any social security numbers (which I do not believe I gave to them anyway), I hope there is something I can do to keep myself proactive in protecting my identity. Anyone have any suggestions (other than canceling my CC#, which has already happened)?
Also, for anyone else, follow in my footsteps: DO NOT GIVE THE PHONE CALLERS ANY PERSONAL INFORMATION. PERIOD. If there is an issue, call your bank number personally on a known verified phone number and have the clerk verify ALL NAMES AND NUMBERS AND REASONS. (I've gotten calls already this morning with people asking for my account information, from unverified numbers. It's happening.)
An SSN is needed for a credit check. Therefore any company, like AT&T, that does end-of-the-month billing will run a credit check on all of their customers. From their perspective they are giving one month of credit every month.
The solution is to ban the use of SSN for credit files. Use a number that the consumer controls.
Also, let customers pre-pay monthly. I know how much my monthly cell phone billing is going to be, let me pre-pay and avoid the forced use of credit (which gets reported to the credit agencies).
From TFA: "To update the credit card information details for your order, please select this link," the message instructed, directing people to a "spoof site" with an illegitimate sbcdslstore.org (not .com) Web address.
A personal website is one thing -- you might grab the .com and leave the .net and .org to whoever wants it. But wouldn't you think that a major company would think to grab sbcdslstore.org before setting up a nationally-advertised site at the corresponding .com? sbcdslstore.org was created on August 26, for crying out loud -- even if it only just dropped, surely AT&T should have been ready to scoop it up. And the .net variant was only registered this past May. Geez, if I can snag a previously lost domain name, surely Ma Bell can do the same?
Well, at least they've learned their lesson and scooped up the other major extensions... as, of yesterday. What was that story about a cat, a bag, and a barn door?
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I go to school at Metro State College of Denver. About a year ago, a laptop got stolen that had much the same kinds of information in it on well over 50,000 students who had attended the college over several years.
My mother works for Wells Fargo Home Mortgage; an independent company that was auditing their health insurance had one of their laptops stolen with similar information for thousands of WFHM employees (possibly other Wells Fargo employees too).
Here's the bottom line: Expect every person in the world to try and get at your life in any way they can. That said, it's your job to protect yourself. Inconvenience, lack of technical know-how, lack of time, etc. are not valid excuses; it's just too damn important. If someone nabbed Newegg.com's database right now, how many of you would be in great risk? Particularly if your record was the only one they stole; a Newegg.com employee could probably do that without Slashdot or ABC News ever knowing about it.
If they got the card number you use at Newegg, how much money could they take? Is that a check card linked with your bank account? Your only bank account? Most credit card companies will immediately call you if there's all of a sudden a much greater than usual balance on your card. Banks won't call you if a large sum of money disappears out of your account.
So, is most of your money in a savings account that NOBODY has the information for (except you)? Is your home address well secured? Do your kids know how not to get kidnapped? You do check your own credit semi-frequently, don't you? Does (whatever company) really need your SSN to sell you their product? Do you think their system will blow up if that field is left blank when you throw a fit? Do you refuse to send sensitive information over e-mail or IM or SMS (with a preference for telephone or in-person business)?
Does your garage door opener hang proudly from your sun visor (with the corresponding home address on your registration & insurance in the unlocked glovebox)? Is a key to your house sitting in a Supra lockbox hanging on the door handle so the maid can get in? Or is it, perhaps, in that fake looking rock next to the porch? You know, the one your kid picks up every day when he gets home from school?
Think. It's your job, not your government's, not the sheriff's, and not some corporation's... yours. There may be laws in place to protect you; people will break them. And then you're still out your valuables. Really: think.
I'm already on record here with my opinions and stance on phishing. Education, as has been pointed out in several comments, is key. The uninformed are the targets phishers seek. So how do you educate everyone on the internet? Most barely know more than "point and click" operation of their computer.
PayPal, for instance, does not need your SSN, but by supplying it, you can earn 5% interest on the money sitting in your account. There are countless other legitimate examples.
How do you educate the world on a single issue, especially when there are more pressing issues that are higher on the global priority list? Hell, I bet most of you have a few friends on your instant messenger friends list, who still pass on those mass messages threatening to shut down the service if the message is not forwarded to everyone? All 4 of the biggies, Y!, AIM, MSN, and ICQ all state clearly in multiple places they will never do this... they will never send out a system wide message that has to be forwarded. Yet people still don't know this, even after 7 years. And those messages don't even look nearly as legitimate as some phishing sites.
"I love deadlines. I love the whooshing sound they make as they fly by." -D. Adams
...when you're using AT&T!
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Phishing is the attempt to lure someone into a trap/trick with unsophisticated bait. This goes beyond using a worm... this is more like using a Fembot or one of those peel-off faces in MI2. Anyone that is armed with customer records, credit card info, and a penchant for buggery will do fairly well even if the public is aware of phishing.
I use the information to send you a bill that says you've called a bunch of porn 900 numbers from your cell phone. With my contact number on it. Then I just wait for you to call me and 'verify' your information.
paintball
Yeah, right, never give out your SSN.
When I was in the emergency room with chest pain and they handed me a form, with a place for my SSN on it, and I asked if I had to give it, and they said "you won't be seen until you fill it out," what would you have done? Argued with them? Called a lawyer? Whipped out a copy of the law that says they can't do this? Asked them to get an ambulance to take me to another ER? Raise the ante and see whether they were bluffing? No, I did what I thought would affect my blood pressure least, and get me seen soonest, which was... to cave in. I gave it to them, and I believe anyone with any sense would have done the same thing. Worry about it later. I had more important things to worry about.
And I think I'm _reasonably_ assertive about such things. Back when Massachusetts drivers' licenses had SSNs by default, I was one of the people who always asked for and got a different number. When the Red Cross wanted my SSN for blood donations, I said I wouldn't give it to them and they issued me a donor card with a non-SSN.
When my company's medical insurance wanted my SSN, I said I wouldn't provide it. They said fine, but we won't insure you. So I called the Social Security office, and said "do I have to give it to them?" And their answer, practically verbatim, was, "No, you certainly don't. However, they are under no obligation to provide you with insurance unless you do."
Whenever I'm asked for my SSN, I always ask if there's an alternative. (And wait while they check with their supervisor). I succeed maybe half the time. The other half, well, I usually cave.
If you can get along without credit cards, auto loans, medical insurance, and emergency rooms, more power to you.
That line on every social security card that says "Not For Identification Purposes" is a lie, plain and simple.
"How to Do Nothing," kids activities, back in print!
"Now, can I have your information, dear customer"
All those pitches from PayPal keep calling me "dear customer". I was nearly hoodwinked!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Identity thieves deserve no less than summary execution.
Huh ?
They were trying to push laws so that they would be in practical control of the net. So that's how it was going to be?
Read radical news here
Additionally, we have some of the strictest laws governing the privacy of our data, and leaks of the magnitude and frequency that happen in the US are unthinkable and would be punished by up to two years in prison and a fine of up to 25.000 euros for each individual offense. So please don't generalize in such an uninformed fashion.
-- Language is a virus from outer space.
They do reference the truly free site - right on the front page, even if it is in a blue-on-blue color scheme.
This issue is a bit more complicated than you think.
I'm no tech genius, but wouldn't a common sense response to this by AT&T be to immediately put a server-side filter on the offending phishing? I mean - these emails are mostly gonna be coming in via *THEIR* SMTP boxes to *THEIR* customers' addresses. Can't imagine there are too many non-ATT customers purchasing from their site...
Instead of this - they give you the "free market" approach of doing nothing and forwarding the offending phish email on to the victims, holding back information for PR reasons, and blaming the victim if they are stupid enough to fall for it. Hey - they'll even pay for your credit monitoring after the fact. Sheesh.
The people were stupid enough to purchase from SBC/AT&T in the first place - you gotta figure that many will be ignorant enough to reply to the phishing....
How is this "hacking"? They should blame this on criminals, and/or AT&T.
The light at the end of the tunnel is a train.
When are our legislators going to pass a law against this phishing nonsense?
"The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration..."
Why is AT&T collecting credit card information for ONE-TIME transactions (equipment purchase)?
So when will we wake up to how simple the whole identity issue is?
Currently we use DOB and SSN as the primary key to trusted electronic identity. They are managed by the state, which is slow and inefficient. When stolen, there is almost no way to change an SSN, and a DOB can never be changed.
The key should be a cert, under control of the individual, and the rest should be open or tied to a signature from that person's cert. A cert would be easy to fix/replace when it is lost or stolen.
Community efforts exist now to start heading this way, but they are not taking hold - most are too complex, or they try and keep big business in their pocket.
>some banks, when communicating via email, will tell you to log into your account by manually TYPING in an URL in your browser
Except a phisher could do the same and simply ask someone to type in the wrong URL (foobank-visa.com instead of foobank.com, for example). At least it would prevent the obfuscated link problem and force phishers into providing a lead for investigators at a domain registry.
"Use a bookmark" would be better advice because it would require DNS poisoning in order to make the phishing scam work.
SSL was supposed to solve this problem. Maybe if the UI displayed the organization name as well as the URL, and if CAs all checked (as long as there's a single CA in the browser's list of trusted CAs that will issue a cert without checking the organization name then there is no protection).
Then, as Bruce Schneier pointed out, it's dead easy for malware to add a new and crooked CA to the browser's list of trusted CAs. Marketscore does just that to create a proxy that can pass SSL, and they've been accused of being spyware. See also the account from Roger Grimes. If you need to explain this to someone nontechnical, point them to my Security Mentor article about Marketscore.
>there's little need for you to lock your door in the first place
Your insurance company might have some thoughts of their own on that subject.
Physical security 101 is knowing that people on the wrong side of the law hate making noise or taking a second longer than they need to.
Physical security ties into protecting personal data directly when it comes to mail theft. This isn't academic, it's been happening to people a few blocks up the hill from my house.
Definitely true, the person was under oath for jury selection and I was in the same jury pool so I heard it direct. Lawyers wanted to know who had been the victim of a burglary.
The person had someone break in while she was at home. Very dangerous situation. Her dog was dying of leukemia and unable to move, so it wasn't going to be much help.
The intruder didn't know that and didn't stop to check. He turned around and left as soon as he saw a Rottweiler.
Don't get a dog just for security, though. They need affection and contact.
Now granted I'm just talking out of my ass and parroting the party line. However SQL 2005 is SOX compliant, and if AT&T was SOX compliant, such things wouldn't have happened. Unfortunately SOX is only a couple of years old, and the "enforcement" stage of it at this point only really required audited companies to identify where they aren't compliant and make a promise to come into compliance. There aren't any real penalties for being out of compliance.
Are there any other SQL packages out there that offer out of the box, table and column encryption?
Sane: do crypto in the app, so the database never sees unencrypted data
Sane: do access control in the database
Crazy: encrypt parts of the database, but the database has the crypto key...
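The "sane" option above, as an added example that is not from this thread or from any AT&T or SQL Server code: the application holds the AES-GCM key and encrypts the card number before it is written, so a raw dump of the table (the kind of data the vendor breach handed over) shows only ciphertext. It assumes an in-memory map as a constructed stand-in for the database table and a constructed test card number; binding the order id as additional data is my choice so a ciphertext copied onto another order's row will not decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardStore is a constructed in-memory stand-in for the database table.
// It only ever holds nonce||ciphertext||tag; the AES key lives in the app.
type CardStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard encrypts the PAN in the application before it reaches the
// store, with the order id bound as GCM additional data.
func StoreCard(db CardStore, key []byte, orderID, pan string) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	db[orderID] = gcm.Seal(nonce, nonce, []byte(pan), []byte(orderID))
	return nil
}

// LoadCard is the only path back to plaintext, and it needs the app key.
func LoadCard(db CardStore, key []byte, orderID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	blob := db[orderID] // nil for a missing row, rejected by the length check
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("no such order or truncated record")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(orderID))
	if err != nil {
		return "", err // wrong key, row copied to another order, or tampered bytes
	}
	return string(pt), nil
}

// DumpExposes asks the breach question: does a raw copy of the table
// (what a compromised vendor hands over) contain these digits in clear?
func DumpExposes(db CardStore, digits string) bool {
	for _, blob := range db {
		if bytes.Contains(blob, []byte(digits)) {
			return true
		}
	}
	return false
}
```

The "crazy" option is the same code with the key written into another column of the same table: one dump then yields both the ciphertext and the means to open it.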