JM999999

Teacher

 • 

17 Messages

Wed, Sep 12, 2018 10:57 PM

Security and privacy risk on MyPrepaid customer account portal

I am absolutely shocked at the lax security you have on the Prepaid customer account portal, att.com/myprepaid.  

Your customer account portal website permits only 4-digit passwords: nothing longer than 4 digits, no letters, no symbols. This serious security and privacy lapse is compounded by the username being simply the 10-digit telephone number associated with the account.

Once logged into the user portal, someone can view the entire calling history on the account, order new services, change a plan, deactivate a device, and even cancel auto-pay, potentially causing the customer to lose his telephone number due to non-payment.

How can a major corporation like AT&T offer its customers such ridiculously insecure protection on their personal information and account settings?  Surely you can understand the need for permitting proper passwords, and even for offering protection beyond passwords, like 2-factor authentication.
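The weakness described above, as an added example that is not part of the original thread: the code computes the guessing space of a 4-digit numeric password next to a longer mixed-alphabet policy, then runs a lockout check over constructed login-audit lines in which the username is the 10-digit phone number. The log format, the account numbers and the 12-character comparison policy are assumptions, not anything the portal actually uses.

```python
import math
import re
from collections import Counter

# Keyspace arithmetic for the policy the post describes (exactly 4 digits,
# no letters or symbols) versus a hypothetical 12-character policy over a
# 94-symbol printable alphabet.  The comparison policy is an assumption.
def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

def expected_online_guesses(alphabet_size: int, length: int) -> int:
    """Average guesses needed to hit a uniformly random secret (half the space)."""
    return keyspace(alphabet_size, length) // 2

# Constructed login-audit lines (sample data, not real AT&T logs).  Because the
# username is the phone number, no username discovery step exists to detect on.
LOGIN_LOG = """\
2018-09-12T22:01:05Z user=2125550101 result=FAIL src=198.51.100.7
2018-09-12T22:01:06Z user=2125550101 result=FAIL src=198.51.100.7
2018-09-12T22:01:06Z user=2125550101 result=FAIL src=198.51.100.7
2018-09-12T22:01:07Z user=2125550101 result=FAIL src=198.51.100.7
2018-09-12T22:01:07Z user=2125550101 result=FAIL src=198.51.100.7
2018-09-12T22:01:08Z user=2125550101 result=OK   src=198.51.100.7
2018-09-12T22:03:40Z user=2125550199 result=FAIL src=203.0.113.9
2018-09-12T22:04:02Z user=2125550199 result=OK   src=203.0.113.9
"""
LINE_RE = re.compile(r"user=(?P<user>\d{10})\s+result=(?P<res>OK|FAIL)")

def failures_per_account(log: str) -> Counter:
    """Count FAIL results per 10-digit account in the audit log."""
    fails: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("res") == "FAIL":
            fails[m.group("user")] += 1
    return fails

def accounts_to_lock(log: str, threshold: int = 5) -> list:
    """Accounts whose failed-attempt count reached the lockout threshold.
    With a 10**4 keyspace a 5-try lockout still leaves a 1-in-2000 chance per
    account per lockout window, so lockout alone cannot replace a longer policy."""
    return sorted(u for u, n in failures_per_account(log).items() if n >= threshold)
```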

sandblaster

ACE - Expert

 • 

53.4K Messages

3 y ago

Even though all of those things you mention can happen, they aren’t things thieves generally care about. All I can surmise is that those things don’t happen often enough for ATT to redesign the security for prepaid. We’ve seen your complaint before but I don’t ever recall a user saying it or anything like it happened to them. I can only presume ATT does not consider it an issue because it hasn’t been. There just isn’t much of a payoff for hacking a prepaid account, IMHO.

JM999999

Teacher

 • 

17 Messages

3 y ago

Waiting for the first major security/privacy breach before fixing an obvious security/privacy issue is not a good plan. Increasing the length and complexity of passwords is not a "redesign," it's just a reconfiguration. AT&T owe their customers a duty of care: they have an obligation to provide reasonable security and privacy protection, but the current implementation is nothing short of negligent.

It worries me especially that this complaint, as you call it, has been raised in the past (not by me, incidentally) but that nothing has been done to address it.

As far as there not being "much of a payout for hacking a prepaid account," that's totally ridiculous; people hack accounts for all sorts of reasons, including just for malevolent fun. There's little "payout" from setting forest fires or putting toilet paper in trees, but people do it anyway. Imagine what a disaster it would be for a customer to lose use of her phone for a day or to lose her phone number or to find herself on a different data plan because someone decided to have some fun. And there's also the privacy risk of someone accessing the list of all my phone calls.

But actually, if someone gets into an account and changes the contact information, he might be able to use the new information to convince a customer service representative to mail him a new SIM card, at which point he would have access to incoming text messages on an account, which might in turn permit him to reset passwords for many other accounts like bank websites and email accounts. There's really quite a bit of a risk here, and a security chain is only as good as its weakest link. A 4-digit password is a ridiculously weak link.

Gary L

ACE - Expert

 • 

15.8K Messages

3 y ago

@JM999999

Do you have any other hacking tips that you wish to share with the public?

/s


JM999999

Teacher

 • 

17 Messages

3 y ago

None of this is a state secret, and none of this is news.

This is not just a silly complaint, as you seem to suggest. This is a very serious security and privacy risk, and it calls for corrective action, not snark.

(I can have a 20-character password on this forum, but only a 4-digit number on the account portal. Something is seriously wrong with that.)

lizdance40

ACE - Sage

 • 

89.4K Messages

3 y ago

@JM999999

This is not the first complaint on this. Yet we haven't had anyone come on the forum and say their number was hijacked. In short, if it's not a reported problem, it doesn't need fixing.

JM999999

Teacher

 • 

17 Messages

3 y ago

@lizdance40 wrote:

"If it’s not a reported problem, it doesn’t need fixing."

Good thing you're not a doctor.

I'm reporting that this is a problem. It needs fixing.

lizdance40

ACE - Sage

 • 

89.4K Messages

3 y ago

From a medical perspective, it's like telling me you might break an arm if you trip. Well first, you have to trip... You can look for problems that don't exist, or fix actual problems.

You are perfectly welcome to tell ATT you don’t feel secure. Enjoy the fake concern.  I’m sure they will take a note on that.   

When your concern becomes a reality, then I’m sure they will feel compelled to act.  

As opposed to postpaid, where there was a significant benefit to hacking accounts, to steal iPhones, and add number sync to make long distance calls.  These were actual problems.  

JM999999

Teacher

 • 

17 Messages

3 y ago

@lizdance40 wrote:

From a medical perspective, it's like telling me you might break an arm if you trip. Well first, you have to trip... You can look for problems that don't exist, or fix actual problems.

No, actually, it's like asking somebody to fix the broken sidewalk before someone trips. In essence, you're suggesting that a broken sidewalk shouldn't be fixed until someone trips and breaks an arm.

Please limit responses to useful, substantive remarks. I don't really care that you don't really care. I posted the issue to get the attention of AT&T, not to get snarky, dismissive remarks from community "experts."

lizdance40

ACE - Sage

 • 

89.4K Messages

3 y ago

You posted on the community forum.  While ATT does occasionally see and respond, they may never see your post. 
