A carrier mistake allowed Justin Williams to be hacked

Posted on Friday, July 7th, 2017 at 12:18 pm. PT

I really do hate when someone like Justin does everything they can to prevent hacking and then a carrier mistake leads to this much trouble.

rick gregory
The call center rep needs to be disciplined and the entire call center staff needs to have it reinforced that you NEVER do this. Forget your passcode? Oh well.
- SV650
  So an individual becomes obligated to abandon their account if they cannot recall their passcode? There needs to be alternatives for instances where the legitimate owner of an account needs to make changes while not remembering the passcode.
  - rick gregory
    Go to a store with proof of your ID (driver’s license, etc). Have some other piece of information that only you would know and that’s not easily guessable by a third party.
    But you CANNOT allow a customer service rep to simply override security or all of your security is at the mercy of some minimum wage employee.
    - Kriztyan
      There are other ways to authenticate a user account. How about the las 4 numbers of the CC used? Or security questions filled in when setting up the account.
      - rick gregory
        Uh… that was my second sentence though I wasn’t as specific. The challenge with security questions is that some of them are easy to get at now with social media. Before, I might not know the name of your dog if I didn’t know you pretty well, but nowadays there’s a good chance you’ll have pics of it on Facebook. The questions just need to be chosen more carefully.
        CC… could work unless the person was mugged/lost their wallet with their phone. But it’s not a bad idea.
      - Dean Lewis
        I have the last 4 digits of several CCs for my clients as they trust me to handle their domain and hosting accounts.
        Last 4 of the CC is not an adequate method to verify ID.
      - Dean Lewis
        I have the last 4 digits of several CCs for my clients as they trust me to handle their domain and hosting accounts.
        I also have several security question answers.
        Last 4 of the CC and security questions are not an adequate method to verify ID, especially once you are on the phone due to a lost password.
        Apple had a specially generated long code I had to print out at one time to have handy for my computer should I not be able to get in. That’s a little better — and they warned me if I lost that code, I was SOL. Still, someone can get the paper I printed it on…
Steven Fisher
Though I don’t recall any details right now, this isn’t the first time I’ve heard of this particular trick.
- Mo
  It’s easily the second or third such story both The Loop and Gruber have linked to within the past couple of years, about someone knowledgeable who did all the right things and was compromised by substandard customer support.
  - Steven Fisher
    I was thinking of the SIM trick in particular being used to compromise TFA. I think the other one was Amazon.
    - Mo
      Granted, but both cheats rely on manipulating customer service reps, correct?
- Kathleenkromero
  <
  blockquote>Managing director of Google says we are paying $97 per hour! Work for few hours and have longer with friends & family^ju193d: On tuesday I got a great new Nissan Versa from having earned $8752 this last four weeks.. Its the most-financialy rewarding I’ve had.. It sounds unbelievable but you wont forgive yourself if you don’t check it…See more ~va193d: ➽➽ ➽➽;➽➽ http://GoogleFinancialJobsCash193FinderDesigns/GetPay$97/Hour… ★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★✫★★:::::~va193o…
John Kordyback
“The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.”
AT&T aren’t rocket scientists. Some carriers would have flagged this after a couple of tries and contacted the owner.
- SV650
  Which works well, unless the miscreant already has possession of the phone and can mimic the owner if contacted.
  - rick gregory
    If someone loses their phone or has it stolen and doesn’t report it that’s on them. This hack wasn’t like that though – it was a clear failure on the part of both the ATT rep and their systems.
    - SV650
      But the commentary has moved from the specific to the general……. The carrier has no real knowledge of who is calling – thus the need for means of ID that can address multiple instances of compromise of the ownership. In the instance initially described, the carrier CSR was definitely in the wrong, and as John Kordyback comments AT&T should have flagged the incident once more than one or two calls occurred, in effect locking down the ability to make a change until some further steps are taken. On the other hand, had Justin Williams legitimately changed his SIM card (possibly due to a new phone which would not accept his current one), AND he had forgotten his passcode, there needs to be a process to effect this. going to a physical location, may not be a reasonable possibility, depending on the particular situation.
      I don’t see a simple solution, BTW, just an ever keeping problem!
      - rick gregory
        If someone changes their SIM, forgets their passcode AND can’t go to physical location… again, their issue. At some point there’s personal responsibility involved.
        The carrier could use another personal piece of information but too many people would, if they could pick something, pick things like their city of residence, their dog’s name or other things that aren’t really hard to find out.
        The issue really aren’t the edge cases where someone is out of the country, changes their SIM, can’t remember their passcode etc. Those people have made choices and forgotten critical information. You want to protect people like Justin who did NOTHING and are hacked because of poor security (human and computer) on the part of their carrier.
      - Mo
        This conversation reminds me a tiny bit of the Monty Python bookshop sketch.
        https://www.youtube.com/watch?v=eCM2nEBE0RY
      - John Kordyback
        Is this the right room for an argument?
        I’ve told you once.
      - Mo
        No, no. That one’s about Windows.
  - John Kordyback
    I’m not concerned about miscreants. However ne’er do wells and dastardly cads pose a real threat.
    - Mo
      Oh, so I suppose rapscallions, scoundrels, and malefactors get a free pass, eh?
      - John Kordyback
        And I suppose you coddle knaves & scallywags?
        (Made me laugh)
      - Mo
        Boy howdy, do I ever.