iPhone 4 pre order security breach exposes private information

Discussion in 'iPhone' started by Inimical, Jun 15, 2010.

  1. Inimical macrumors newbie

    Joined:
    Dec 5, 2007
    #1
    Sorry if the story is a little messed up. I'm on my iPad. Here's the link to the actual story

    http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information

    Apple's iPhone 4 pre-ordering has been a total disaster, but it gets much worse: An AT&T insider claims that this iPhonecalypse may be related to "a major fraud update that went wrong." The bug is exposing AT&T users' private information.

    So far there have been at least three accounted cases of mistaken identities sent by Gizmodo.com readers. This is how it happens: A customer tries to log into their AT&T account to order a new iPhone 4 upgrade. Despite entering their username and password, the AT&T system would take them to another user account. This gives access to all kinds of private information about the mistaken customer: Addresses, phone calls, and bills, along with the rest of private information, becomes exposed to random strangers.

    The latest case comes from reader John King:

    From: john king
    Date: Tue, Jun 15, 2010 at 2:04 PM
    Subject: ATT WEBSITE LOGS ME IN AS ANOTHER CUSTOMER
    To: tips@gizmodo.com
    I LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEM
    -JPK

    But according to an AT&T insider, there could be a lot more happening which are not being reported. These login problems, according to the source, are probably linked to an AT server software update that went wrong this weekend [Emphasis added]:

    I work at a 3rd party order processing facility—what AT&T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&T calls their iPhone program internally). Agents use AT&T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.
    Over the weekend there was a major fraud update that went down on all of AT&T's systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.
    The issues people are seeing at AT&T stores and online are most likely related to this update that went wrong.
    I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it's just heresay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.
    At this point, I can say that the system that AT&T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.
    [Regarding the identity problem] Whenever we see people who are logging in and seeing other customer's account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It's a rare occurrence, but it has happened in the past.
    You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.


    Unfortunately it appears that even if you don't upgrade your private information could be exposed as other people try to upgrade, allowing accidental access to your account. After we reported on the initial security breaches this morning, AT&T took down their account online system completely.

    At this time (3:34PM EDT), the account system is back online, but the iPhone 4 eligibility page is still down.

    AT&T and Apple have not issued any statement about this security problem or the nationwide pre-order disaster.
     
  2. jtara macrumors 65816

    Joined:
    Mar 23, 2009
    #2
    Probably related in some way to the iPad security breech.

    I'd guess that this caused IT people at ATT to look at their own systems in other areas to see if they had similar vulnerabilities. I imagine they found they did...
     
  3. ladysman macrumors regular

    Joined:
    Jan 29, 2008
    #4
    i saw this about 2 hours ago on Giz and thought, wow, I should check my account. I login (at least attempt 3 times) and it said wrong password. I knew 100% it was correct. I'm figuring i'm one of the misfortunate.

    Called CS at AT&T to be sure and got a friendly (for being the day it is) rep who checked over the account and verified 3 times nothing has changed and my order I placed around 8am CST went through without a hitch. She then changed my password to a temporary password.

    I just tried to login with the temp password and it didn't work. i did this twice as I didn't want to lock it again and beon hold...(lol) so I tried the OLD PASSWORD....and I got right in.

    This is really scary and bad....then again, welcome to AT&T..;)
     

Share This Page