Pre-paid phone account security

Discussion in 'iPhone' started by Retired Cat, Jun 16, 2014.

  1. Retired Cat macrumors 65816

    Joined:
    Jun 12, 2013
    #1
    To log into an AT&T GoPhone account, all that is required is the phone number and a 4 digit PIN.

    4 digits? That's absurdly weak.

    If someone wanted to prank me and knew my phone number, it would be easy to get into my account, change billing settings, sign up for all sorts of "feature" packages, and who knows what else.

    Are prepaid accounts generally secured this weakly? I googled around and saw that some Verizon prepaid users had their accounts hijacked (4-digit "security code" guessed by hacker when talking to Customer Service), and their phone service re-directed to another mobile phone.

    The hacker would then use their minutes.

    Is there any prepaid carrier that takes security more seriously?
     
  2. serega macrumors regular

    Joined:
    Nov 19, 2007
    Location:
    Seattle
    #2
    What if you don't tell anybody that your phone is prepaid? I had one for about 3 months and never thought about it. On the other hand, most bank cards have a 4-digit security code, so it's even worse.
     
  3. Altemose macrumors G3

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #3
    Don't use the same PIN as the last 4 digits of your phone number. I doubt someone will take the time to call AT&T, wait on hold, speak to a rep, guess the code, add packages, deplete your balance, then laugh. Seems like a lot of work that would offer no reward to even the most serious of pranksters or dirtbags.

    That being said, you give your credit card number to the pizza man when ordering and all that needs is a PIN.
     
  4. Applejuiced macrumors Westmere

    Joined:
    Apr 16, 2008
    Location:
    At the iPhone hacks section.
    #4
    So someone is going to sit there and try to guess 9,999 possible combinations of pins to get into your prepaid settings? And how is that easy and weak and why wouldn't the system lock him out after a certain number of failed attempts?
     
  5. 617aircav Suspended

    Joined:
    Jul 2, 2012
    #5
    How would they get your pin though?
     
  6. Newtons Apple Suspended

    Joined:
    Mar 12, 2014
    Location:
    Jacksonville, Florida
    #6
    If all they did was use your minutes then the world will not end. I have my doubts about anyone being willing to spend the time to go through all the 9999 combinations, just to steal your minutes.
     
  7. kupkakez macrumors 68000

    Joined:
    Apr 4, 2011
    #7
    That would be one of the world's lamest pranks.
     
  8. Retired Cat thread starter macrumors 65816

    Joined:
    Jun 12, 2013
    #8
    It turns out that many 4-digit PINs can be easily guessed:
    http://lifehacker.com/5944567/the-m...rs-and-numeric-passwords-is-yours-one-of-them


    For some people at least, a hacker wouldn't have to cycle through thousands of combos. Not all systems lock out after X failed attempts.



    The more serious problem is that they can (1) deny you your phone service and (2) impersonate you. If someone gains control over your phone number they can send SMS as you. If you rely on your phone for business or other important things, having your connection hijacked, even temporarily, could be a huge PITA.

    In the Verizon incident I read about, someone's phone service was redirected to another phone out of their state.

    Is a redirect attack likely? For most people maybe not, but you never know who will try to hack your systems, even if it's just for the lulz.
     
  9. BeeJee macrumors 6502

    Joined:
    Nov 27, 2011
    Location:
    Long Island/North Jersey
    #9
    What do you mean by redirect? All AT&T stores require ID for a new sim so they couldn't get a sim on the account. Also, there is very little someone could do on the GoPhone login. All they show is the address and balance on the account. I'm not sure how they store debit and credit card information because I use refill cards, so I wouldn't keep a card number attached to the account. However, I do agree it is odd there is no option for a stronger password. But like others said someone would need to match a phone number to a pin which could be difficult, with very little reward.
     
  10. Retired Cat thread starter macrumors 65816

    Joined:
    Jun 12, 2013
    #10
    The redirect happened on a Verizon prepaid account, not AT&T.

    What happened to a customer was that an attacker guessed (or knew) the 4-digit PIN. The attacker called Verizon customer service and used the PIN to transfer the victim's phone service to a handset owned by the attacker.

    All the attacker had to do was call Verizon, present the phone number & PIN, provide a valid ESN for the attacker's phone, and they had stolen the victim's number. Any calls or texts sent to the victim's number would have gone to the attacker's phone.
     
  11. Applejuiced macrumors Westmere

    Joined:
    Apr 16, 2008
    Location:
    At the iPhone hacks section.
    #11
    I don't think he called customer support hundreds or thousands of times and just guessed.
    Like you said somehow he knew his pin.
    It can happen to any type of account if you don't keep your info private.
     
  12. Retired Cat thread starter macrumors 65816

    Joined:
    Jun 12, 2013
    #12

    My guess is that the PIN was something easy to guess, like Day/Month of birthday, or house number, or something that could easily have been found. It could even have been a carelessly chosen PIN like 1234.

    I just think that phone companies should take security more seriously.
     
  13. Newtons Apple Suspended

    Joined:
    Mar 12, 2014
    Location:
    Jacksonville, Florida
    #13
    I think the phone users should take security more seriously. A 4 digit PIN is good enough security in this case. Most will not even bother to use any security at all. :rolleyes:
     
  14. 617aircav Suspended

    Joined:
    Jul 2, 2012
    #14
    The only person that could guess my 4-digit PIN and knows my number is my brother. That's because my PIN is my dad's date of birth. If he tampers with my account, it's my fault for not having a strong PIN.
     
  15. Altemose macrumors G3

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #15
    I am surprised you are worried about your phone. If you look at credit and debit cards you give the numbers out over the phone all the time. Every time you order food, pay a bill, order a service, etc. you give the number out and the expiration date. You also give your name. So essentially it is a set of four numbers that keep them away from your account. Talk about insecure if you ask me.

    If the PIN is properly created it should be decently secure. In my opinion, I feel we all should be more secure about credit and debit cards that are the same thing rather than our phones. Maybe I am the crazy one though.
     
  16. Retired Cat thread starter macrumors 65816

    Joined:
    Jun 12, 2013
    #16

    Debit cards are definitely dangerous in that they allow someone to pull $ directly from your account. If they pull the wrong amount, either by accident or on purpose, it could screw up other payments very badly. Yes, this is a big hazard.

    Credit cards are less of a hazard because the money is not taken directly from your checking account, so other bills paid from your bank won't be affected. You can also easily dispute charges on a CC.

    Security in these systems is generally lax because consumers have relatively easy recourse. A stolen prepaid number, however, can be difficult to retrieve because there is not much paperwork or trail tying the number to the user. A GoPhone can be established quite anonymously. ATT will give the SIM for free and you can pay cash for refill cards. If the number is stolen there may be no way to prove the account is yours.
     
  17. Altemose macrumors G3

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #17
    True, but I fail to understand why one would try to steal a GoPhone account or other prepaid cell phone account. I agree that it is rather insecure, but in the scheme of things it is the least of the issues. A good PIN that is not related to anything is a good idea and will protect the account. Also, unless the customer service rep is a total schmuck that will let a dirtbag guess the PIN more than three times, they will lock the system out. If you think a GoPhone is anonymous, you should see Tracfone's system for activating phones.
     
  18. ET iPhone Home macrumors 68040

    Joined:
    Oct 5, 2011
    Location:
    Orange County, California USA
    #18
    I have a GoPhone Account too. As far as the information on there, I never changed the generic personal information created by ATT when I first signed up for the pre-paid plan; all the information they have for my specific no# does not even apply to me. For example, the email they have for me is nana@att.com. (na = not applicable). I also don't have my cc# on file with them. I elect to pay on a per month basis.

    It's a non-obligatory plan, so just change the personal information on your account. You control whether or not to continue service or stop.
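
The two controls debated in this thread, PIN choice and attempt lockout, sketched as an added example that is not part of any post and not any carrier's code. The deny-list, the limit of three failures (the figure mentioned in post #17), the phone number and all function and class names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass

# Constructed deny-list and an assumed attempt limit; not any carrier's real policy.
COMMON_PINS = {"1234", "0000", "1111", "1212", "4321"}
MAX_FAILURES = 3


def weak_pin_reasons(pin: str, phone_number: str) -> list:
    """Reasons to reject a 4-digit PIN at enrollment (empty list = accepted)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return ["not exactly 4 digits"]
    reasons = []
    # Digit-to-digit differences mod 10: {0} = repeated digit, {1}/{9} = run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if pin in COMMON_PINS:
        reasons.append("on common-PIN deny-list")
    if steps == {0}:
        reasons.append("single repeated digit")
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    if "".join(c for c in phone_number if c.isdigit()).endswith(pin):
        reasons.append("last 4 digits of the phone number")
    a, b = int(pin[:2]), int(pin[2:])
    if (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12):
        reasons.append("reads as a date (MMDD or DDMM)")
    if pin[:2] in ("19", "20"):
        reasons.append("reads as a year")
    return reasons


def rejected_count(phone_number: str) -> int:
    """How many of the 10,000 possible PINs the screen above rejects."""
    return sum(bool(weak_pin_reasons(f"{n:04d}", phone_number)) for n in range(10_000))


@dataclass
class PinGate:
    """One failure counter per account, shared by web login and phone support."""
    pin: str  # plaintext only for the demo; a real system would not store it this way
    failures: int = 0

    def attempt(self, guess: str) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"  # even the right PIN is refused until an out-of-band reset
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"
```

The lockout only bounds guessing if the same counter is enforced on every channel that accepts the PIN, which is the gap the Verizon account in posts #8 and #10 illustrates.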
     
