AT&T - Social Engineering

Justin Williams was the victim of an AT&T social engineering attack:

I instantly called AT&T’s customer service line to explain what is happening. I give them my name, my phone number, and my security passcode (this is key). The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.

One of my co-workers reported this happening to him about three weeks ago (although he didn’t have any money stolen, to my knowledge). This is terrifying, and AT&T needs to address this.

Justin adds:

I’ve been told this is being escalated internally, but I haven’t heard anything from corporate channels, so I remain skeptical until I see or hear something.

I share his skepticism. This hole has existed for years, and AT&T has failed to patch it. I feel terrible for the situation Justin has ended up in, and I’m equally upset by the sense that I don’t have a way to protect myself from an attack like this.

Extra Security

I’ve had Extra Security enabled on my account for a long time, but it doesn’t seem like that would have helped me in this situation at all. From this page, the AT&T documentation says:

Benefits of extra security Without extra security, you or someone you authorize may need your wireless security passcode only in these situations:

  • Calling AT&T Customer Care.
  • Changing the passcode.
  • Managing your account in some retail stores.

When you add extra security to your wireless account, you or someone you authorize may need your wireless security passcode in these additional situations:

  • Managing your wireless account online.
  • Gaining secondary online access to the wireless account.
  • Managing your account in any retail store.

Extra Security doesn’t seem to change any of the requirements when calling in for support.

Additionally, every time I log in to their website, there’s a checkbox below the textfield for the passcode. On a site with normal 2-factor support, that checkbox says something like “Don’t require 2-factor on this machine for 24 hours”. On AT&T’s site, it says “Disable Extra Security”. I almost check this box every damn time, and have disabled it a few times.