To log into an AT&T GoPhone account, all that is required is the phone number and a 4 digit PIN. 4 digits? That's absurdly weak. If someone wanted to prank me and knew my phone number, it would be easy to get into my account, change billing settings, sign up for all sorts of "feature" packages, and who knows what else. Are prepaid accounts generally secured this weakly? I googled around and saw that some Verizon prepaid users had their accounts hijacked (4-digit "security code" guessed by hacker when talking to Customer Service), and their phone service re-directed to another mobile phone. The hacker would then use their minutes. Is there any prepaid carrier that takes security more seriously?
What if you don't tell anybody that your phone is prepaid? I had one for about 3 months and never thought about it. On the other hand, most bank cards have a 4-digit security code. So it's even worse.
Don't use the same PIN as the last 4 digits of your phone number. I doubt someone will take the time to call AT&T, wait on hold, speak to a rep, guess the code, add packages, deplete your balance, then laugh. Seems like a lot of work that would offer no reward to even the most serious of pranksters or dirtbags. That being said, you give your credit card number to the pizza man when ordering and all that needs is a PIN.
So someone is going to sit there and try to guess 9,999 possible combinations of pins to get into your prepaid settings? And how is that easy and weak and why wouldn't the system lock him out after a certain number of failed attempts?
If all they did was use your minutes then the world will not end. I have my doubts about anyone willing to spend the time to go through all the 9999 combinations, just to steal your minutes.
Pre-paid phone account security

It turns out that many 4-digit PINs can be easily guessed: http://lifehacker.com/5944567/the-m...rs-and-numeric-passwords-is-yours-one-of-them For some people at least, a hacker wouldn't have to cycle through thousands of combos. Not all systems lock out after X failed attempts. The more serious problem is that they can (1) deny you your phone service and (2) impersonate you. If someone gains control over your phone number they can send SMS as you. If you rely on your phone for business or other important things, having your connection hijacked, even temporarily, could be a huge PITA. In the Verizon incident I read about, someone's phone service was redirected to another phone out of their state. Is a redirect attack likely? For most people maybe not, but you never know who will try to hack your systems, even if it's just for the lulz.
What do you mean by redirect? All AT&T stores require ID for a new sim so they couldn't get a sim on the account. Also, there is very little someone could do on the GoPhone login. All they show is the address and balance on the account. I'm not sure how they store debit and credit card information because I use refill cards, so I wouldn't keep a card number attached to the account. However, I do agree it is odd there is no option for a stronger password. But like others said someone would need to match a phone number to a pin which could be difficult, with very little reward.
The redirect happened on a Verizon prepaid account, not AT&T. What happened to a customer was that an attacker guessed (or knew) the 4-digit PIN. The attacker called Verizon customer service and used the PIN to transfer the victim's phone service to a handset owned by the attacker. All the attacker had to do was call Verizon, present the phone number & PIN, provide a valid ESN for the attacker's phone, and they had stolen the victim's number. Any calls or texts sent to the victim's number would have gone to the attacker's phone.
I don't think he called customer support hundreds or thousands of times and just guessed. Like you said somehow he knew his pin. It can happen to any type of account if you don't keep your info private.
My guess is that the PIN was something easy to guess, like Day/Month of birthday, or house number, or something that could easily have been found. It could even have been a carelessly chosen PIN like 1234. I just think that phone companies should take security more seriously.
I think the phone users should take security more seriously. A 4-digit PIN is good enough security in this case. Most will not even bother to use any security at all.
The only person that could guess my 4-digit PIN and knows my number is my brother. That's because my PIN is my dad's date of birth. If he tampers with my account, it's my fault for not having a strong PIN.
I am surprised you are worried about your phone. If you look at credit and debit cards you give the numbers out over the phone all the time. Every time you order food, pay a bill, order a service, etc. you give the number out and the expiration date. You also give your name. So essentially it is a set of four numbers that keep them away from your account. Talk about insecure if you ask me. If the PIN is properly created it should be decently secure. In my opinion, I feel we all should be more secure about credit and debit cards that are the same thing rather than our phones. Maybe I am the crazy one though.
Debit cards are definitely dangerous in that they allow someone to pull $ directly from your account. If they pull the wrong amount, either by accident or on purpose, it could screw up other payments very badly. Yes, this is a big hazard. Credit cards are less of a hazard because the money is not taken directly from your checking account, so other bills paid from your bank won't be affected. You can also easily dispute charges on a CC. Security in these systems is generally lax because consumers have relatively easy recourse. A stolen prepaid number, however, can be difficult to retrieve because there is not much paperwork or trail tying the number to the user. A GoPhone can be established quite anonymously. ATT will give the SIM for free and you can pay cash for refill cards. If the number is stolen there may be no way to prove the account is yours.
True, but I fail to understand why one would try to steal a GoPhone account or other prepaid cell phone account. I agree that it is rather insecure, but in the scheme of things it is the least of the issues. A good PIN that is not related to anything is a good idea and will protect the account. Also, unless the customer service rep is a total schmuck that will let a dirtbag guess the PIN more than three times, they will lock the system out. If you think a GoPhone is anonymous, you should see Tracfone's system for activating phones.
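Added example, not part of any post in this thread and not any carrier's code: a Python sketch of the two controls the discussion keeps returning to, rejecting easy-to-guess PINs at enrollment and locking an account after repeated wrong guesses. The function and class names, the three-failure limit, the phone number and the birth date are all assumptions or constructed sample values.

```python
import hmac

MAX_FAILURES = 3  # assumption: the three-guess limit mentioned in the thread


def weak_pin_reasons(pin, phone_number, birth_dates=()):
    """Return why a 4-digit PIN is easy to guess (empty list = acceptable)."""
    if len(pin) != 4 or not pin.isdigit():
        return ["not a 4-digit PIN"]
    reasons = []
    if pin == phone_number[-4:]:
        reasons.append("matches last 4 digits of phone number")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    digits = [int(c) for c in pin]
    # Step between neighbouring digits, modulo 10: 1234 -> {1}, 4321 -> {9}.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    # birth_dates holds (day, month, year) tuples known about the account holder.
    for day, month, year in birth_dates:
        if pin in {f"{day:02d}{month:02d}", f"{month:02d}{day:02d}", f"{year:04d}"}:
            reasons.append("derived from a known birth date")
            break
    return reasons


class PinGate:
    """Verifies the PIN for one account; locks after MAX_FAILURES wrong guesses."""

    def __init__(self, pin):
        self._pin = pin  # a real system would store a salted, slow hash instead
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def verify(self, guess):
        if self.locked:
            return "locked"  # once locked, even the correct PIN is refused
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "denied"
```

The failure counter has to be shared by every channel that accepts the PIN (web login, IVR, customer service desk); otherwise each channel hands out its own set of guesses.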
I have a GoPhone Account too. As far as the information on there, I never changed the generic personal information created by ATT when I first signed up for the pre-paid plan; all the information they have for my specific no# does not even apply to me. For example, the email they have for me is nana@att.com. (na = not applicable). I also don't have my cc# on file with them. I elect to pay on a per month basis. It's a non-obligatory plan, so just change the personal information on your account. You control whether or not to continue service or stop.