leko • New Member • 6 Messages • Mon, Jan 4, 2021 3:18 PM

Feature request: ACCOUNT SECURITY: restrict which mobile number can receive SMS PIN's to reset online account password

This is a feature request to be able to restrict which mobile numbers on my ATT account can receive an SMS PIN to reset my online account password.

Use Case: if I go to att.com and click 'forgot password' then I am offered the option for any mobile number on my account to receive an SMS PIN/link to reset the password.  All of my account mobile numbers are listed with the last 4 of the telephone number displayed.  This is a problem because it means seniors, kids etc with a mobile device on my plan could reset my ATT password.

Real-world implication that happened!  My senior mom is on my plan and got wrapped up talking to an internet scammer.  She gave him her cell phone number so they could text, provided her first and last name (last name is same as mine) during the conversation, and told him she has an AT&T iPhone.  He then initiated a password reset and convinced her to send him the PIN that was SMS'd to her mobile device.  In a matter of 20 mins of sweet talk with my naive mom, he had access to the account.  This could also be exploited by children/teens wishing to change account settings or order new devices.

Solution: in account profile/security settings add an option "mobile numbers authorized to receive account security messages" and add checkboxes to select which mobile numbers are allowed to be used for account security changes.

Constructive • Employee • 25.4K Messages • 1 y ago

Without your account PIN no one can make changes. Simple solution: don't give anyone your PIN.

sandblaster • ACE - Expert • 55.4K Messages • 1 y ago

@Constructive Not true. The account pin is only used when dealing with an agent on the phone or in a store. Anyone able to gain online account access can make their own changes or order phones online. They could also reset the account pin.

New Member • 6 Messages • 1 y ago

The account PIN isn't required for online orders if someone has the online username and password.  In the above-listed use-case, the account PIN was not shared, but once the online account was accessed with the username and new password, the person was considered authenticated.  I can login right now using only a username and password and order myself a new iPhone without ever being prompted for my account PIN.

New Member • 6 Messages • 1 y ago

@sandblaster exactly! AT&T considers you 100% authenticated to the web portal with only a username and password. Since this happened I did enable "extra security", which requires entering the account PIN at logon, but this is not enabled on accounts by default and requires some digging to find the setting. The account PIN can also be reset by SMS (I just did it yesterday), which my above use case once again applies to.

ACE - Sage • 92.1K Messages • 1 y ago

There is definitely a problem with AT&T two-factor authentication. But a request for password reset should not have gone to any line.

Absolutely a breach of common sense. 

I agree with you there needs to be such a feature and you are not going to get it addressed by posting here. This is a customer populated Community not a way to reach AT&T customer support.

I would urge you to contact AT&T and ask some real hard questions about how you can put some restrictions on your account so that no one else other than you and maybe a spouse are getting any account information or passwords and certainly two-factor Authentication.

2FA is great if done right.  Unfortunately AT&T does not know how to do it right.

I switched over to Verizon about a year into the two-factor requirements. Verizon does two-factor correctly. Authorization codes are sent to the account owner/primary phone. A secondary user can also request that information. Users can't. Which means the other three lines on my account have no access to upgrade, to make any account changes, or receive two-factor authentication.

Contact AT&T fraud if you haven't already.
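The feature leko asks for in the opening post (an allow-list of lines that may receive account security messages) and the owner/manager/user split described for Verizon above both reduce to the same eligibility check before a reset PIN is ever sent. The following is an added illustration, not AT&T's or Verizon's code; the account model, roles and sample numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical account model (constructed for this example, not a carrier's API).
@dataclass
class Line:
    number: str              # full phone number on the plan
    role: str                # "owner", "manager" or "user"
    security_ok: bool = False  # explicitly authorized for security messages

@dataclass
class Account:
    username: str
    lines: List[Line]
    pending: Dict[str, str] = field(default_factory=dict)  # number -> sha256(PIN)

def eligible(line: Line) -> bool:
    """Owner/manager lines always qualify; a plain 'user' line (kid, senior)
    qualifies only if the account holder ticked its authorization checkbox."""
    return line.role in ("owner", "manager") or line.security_ok

def masked(number: str) -> str:
    """Display form on the 'forgot password' page: last four digits only."""
    return "***-***-" + number[-4:]

def reset_targets(acct: Account) -> List[str]:
    """Lines the reset page may offer; unauthorized lines are not listed at all."""
    return [masked(l.number) for l in acct.lines if eligible(l)]

def send_reset_pin(acct: Account, number: str) -> Optional[str]:
    """Issue a one-time 6-digit PIN for an eligible line; returns the PIN that
    would be sent by SMS, or None if the line may not receive one."""
    line = next((l for l in acct.lines if l.number == number), None)
    if line is None or not eligible(line):
        return None
    pin = f"{secrets.randbelow(10**6):06d}"
    acct.pending[number] = hashlib.sha256(pin.encode()).hexdigest()
    return pin

def verify_reset_pin(acct: Account, number: str, pin: str) -> bool:
    """Single-use check: the stored hash is consumed whether or not it matches."""
    expected = acct.pending.pop(number, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(pin.encode()).hexdigest())

def sample_account() -> Account:
    """Constructed plan: owner line, an unauthorized user line, an authorized one."""
    return Account("holder", [Line("+15550000001", "owner"),
                              Line("+15550000002", "user"),
                              Line("+15550000003", "user", security_ok=True)])
```

With this check in place the scammer's request in the opening post would have found no reset option for the mother's line, and a PIN sent to an eligible line is consumed on first use.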

ACE - Sage • 92.1K Messages • 1 y ago

One of the features that Verizon has is the kids lines.  Now that AT&T is offering a mix plan they might want to consider making one of those a kids plan with a restricted amount of data option, parental controls included, and under no circumstances is the kids line ever going to receive two-factor authentication or password reset ability.

I know AT&T's latest motto is "it's not complicated", but some things should be complicated.

(edited)

New Member • 6 Messages • 1 y ago

Thanks, @lizdance40. I did contact AT&T support and requested that password resets not be available for certain numbers on my account; I got pretty much nowhere. When I asked if there was a way to submit a feature request to add this functionality, I was told to post on the forums, as it is monitored by AT&T reps and engineers so they will pull from the forums for developments. Whether this is true or not, who knows. Contacting AT&T's fraud dept is on my list to do later today. I agree 100% that AT&T's 2FA is completely broken and this case proves it can be easily bypassed.

ACE - Sage • 92.1K Messages • 1 y ago

Well, that's smoke up your skirt! I'll stifle surprise.

File an FCC complaint and reconsider your carrier.  Meanwhile set up your mom's line with paid call protection.  It should prevent most spam calls.  Help her add her contact numbers regularly.

New Member • 6 Messages • 1 y ago

@lizdance40  LOL we'll both consider my skirt sufficiently smoke-filled.... if I wore skirts.... my coworkers would judge me if I did, and so would my wife... anyways...

I did submit a report to AT&T's bug bounty program hoping maybe that would get this in front of someone sufficiently technical who actually understands why this is an issue.  I won't hold my breath.

For now, Mom's phone is on lockdown and I have another device under my control on her iCloud account, where I can block contacts so the block will sync to her iPhone. I have call protection enabled, but most of the problematic contacts are using Google Voice and rolling burner numbers, so they usually aren't flagged to be blocked. I also wish there were a way to block numbers through AT&T for mobile lines, but that's a complaint for another thread :)

If I hear anything productive from the Bug-Bounty program I'll be sure to report back.

Constructive • Employee • 25.4K Messages • 1 y ago

@lizdance40 well, they didn't totally blow smoke, as engineers and customer service reps do read the forums; we just are forbidden to help in any official capacity :)

ACE - Sage • 92.1K Messages • 1 y ago

@leko

AT&T has a parental control app. Obviously meant for a parent to control a child, but in this case it's perfect. I believe you can limit who can call or text her.

https://www.att.com/support/article/wireless/KM1299004/

It may resolve part of the problem. But AT&T still needs to fix this.

New Member • 6 Messages • 1 y ago

Small (albeit useless) update: the AT&T bug bounty program reported back and said they didn't have any interest in pursuing this issue. Super disappointed in AT&T with this one.

ACE - Sage • 92.1K Messages • 1 y ago

🤦🏼‍♀️

Of course, 🙈🙉🙊 and think-no
