sp67398's profile

Tutor

 • 

4 Messages

Sunday, July 15th, 2018 1:19 AM

AT&T Prepaid Account Password - Security Issue

I have an AT&T Prepaid account. To access the account, the only way is to log in to the paygoonline website.

And guess what, the password is a 4 DIGIT NUMBER!!!!

 

This is a very, very serious security flaw.

 

While the world has moved on to a complex password and two factor authentication, why is this not fixed yet for paygoonline???

 

I am hoping someone in AT&T sees this post and acts on it.

 

Thanks!!

ACE - Sage

 • 

116.6K Messages

6 years ago

@sp67398

And I’m saying “if it had happened, carriers would change it”. It’s not happening on prepaid. Mostly, as @sandblaster pointed out, there is zero benefit other than using up someone’s plan data.

ACE - Expert

 • 

16.5K Messages

6 years ago


@sp67398 wrote:

All I am saying is having a 4 digit password in today's world is not secure. 

How long is your PIN for your ATM card?

 

 

I am not saying that I am hacked or anyone has already accessed. 

No one is saying you are saying this.

 

Shouldn't a user be concerned about this?


I DON'T KNOW as you are not answering my question.

Is that ALL you need to log in?  Your 10 digit number? Or does it text you a code to verify when you login? (I've asked this already).

ALSO -

What happens when you fail a log in, does it give you 10,000 tries or does it lock after 3 tries?

Does it notify you by text after you make a payment or change something in your account?
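
The lockout question above decides how much a 4-digit PIN is worth. The sketch below is an added example, not part of any post in this thread and not AT&T's code: it enforces a "lock after 3 tries" rule per phone number and computes the guess bound with and without it. The 24-hour lock duration, the class and function names, and the sample number are assumptions.

```python
import hmac
from dataclasses import dataclass, field

PIN_SPACE = 10 ** 4  # a 4-digit PIN has 10,000 possible values


@dataclass
class PinLoginThrottle:
    """Per-number failure counter with lockout (hypothetical policy values)."""
    max_failures: int = 3           # "lock after 3 tries"
    lock_seconds: int = 24 * 3600   # assumed lock duration
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, number, pin, stored_pin, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time now."""
        if now < self._locked_until.get(number, 0):
            return "locked"  # refused without evaluating the PIN at all
        if hmac.compare_digest(pin, stored_pin):  # constant-time comparison
            self._failures.pop(number, None)
            return "ok"
        count = self._failures.get(number, 0) + 1
        if count >= self.max_failures:
            # Final allowed failure: start the lock and reset the counter.
            self._locked_until[number] = now + self.lock_seconds
            self._failures.pop(number, None)
            return "locked"
        self._failures[number] = count
        return "denied"


def guess_probability(max_failures, lock_seconds, period_seconds):
    """Upper bound on the chance that distinct guesses hit a uniformly random
    PIN within the period. max_failures=None models no lockout at all."""
    if max_failures is None:
        return 1.0  # nothing stops all 10,000 values from being tried
    windows = -(-period_seconds // lock_seconds)  # ceiling division
    return min(1.0, windows * max_failures / PIN_SPACE)


if __name__ == "__main__":
    month = 30 * 24 * 3600
    print("no lockout, 30 days:", guess_probability(None, 0, month))
    print("3 tries / 24 h lock, 30 days:", guess_probability(3, 24 * 3600, month))
```

With no limit on failed logins the PIN can always be found eventually; with three tries per day the bound over a month stays under 1%, and the lock events themselves become something the carrier can alert the subscriber about.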

 

 

ACE - Sage

 • 

116.6K Messages

6 years ago


@Gary L wrote:

@sp67398 wrote:

All I am saying is having a 4 digit password in today's world is not secure. 

How long is your PIN for your ATM card?

 

 

I am not saying that I am hacked or anyone has already accessed. 

No one is saying you are saying this.

 

Shouldn't a user be concerned about this?


I DON'T KNOW as you are not answering my question.

Is that ALL you need to log in?  Your 10 digit number? Or does it text you a code to verify when you login? (I've asked this already).

ALSO -

What happens when you fail a log in, does it give you 10,000 tries or does it lock after 3 tries?

Does it notify you by text after you make a payment or change something in your account?

 

 


Prepaid does not have 2 step. Just like a debit card, you need the phone. Phone number and PIN are required to log in.

I am able to log in and refill my friend's iPhone as we set it up on my iPad. She knows how to change her PIN if she wants.

I see posts about stolen prepaid phones all the time. Not one has said their account was hacked, CC data used, number stolen, or identity stolen.

This is not the first time the 4 digit PIN has been questioned. Until it’s a problem, there is no need to change it. So far, no problem.

 

 

ACE - Expert

 • 

64.7K Messages

6 years ago


@sp67398 wrote:

All I am saying is having a 4 digit password in today's world is not secure. 

I am not saying that I am hacked or anyone has already accessed. 

Shouldn't a user be concerned about this?


As I said in my original response, yes you have a legitimate concern. What I also said was the risk of someone hacking you is not great because there just isn’t much of a reason for hackers to go after prepaid accounts. In all the years I’ve been on this forum, I don’t recall ever seeing anyone complain of their prepaid account getting hacked. I’ve seen complaints of prepaid accounts being taken over after someone loses their phone but never someone just getting hacked. 

Tutor

 • 

4 Messages

6 years ago

This is actually a huge security risk. Most people use their phone number as part of two factor authentication for many services online, including their bank accounts. Protecting a prepaid account with a four digit PIN is ridiculously easy to exploit. The risk is actually pretty good and the fact that you have not seen it in all the years you have been here does not mean it has not been exploited nor does that mean it won't. Ever hear of SIM hijacking? What if I was able to guess your PIN for your phone number, and then I am able to convince AT&T to send me a SIM card through a bit of social engineering? Now I can go to your Google account and recover your password because, who knows, that might be one of the recovery methods you use for your Gmail account. Once I have your email, I am able to go to your bank and recover your password. Since I have your phone, now I can exploit your two factor authentication. Do you want me to keep going? So do you want to trust your AT&T account to a four digit PIN? Two factor authentication is the industry standard these days for services that host personally identifiable information and I am pretty sure most of us at the very least have personally identifiable information in our AT&T prepaid account, like who we call, who we interact with... our first name, last name, email address etc.

Tutor

 • 

4 Messages

6 years ago

There is a huge risk. There is personally identifiable information to start. Secondly, a lot of people use their phone for two factor authentication and password recovery. There could possibly be SIM hijacking opportunities as well via social engineering. So do you want to trust your account to a four digit PIN number?

ACE - Sage

 • 

116.6K Messages

6 years ago

@coolsvan74

Okay, let’s say someone takes your phone. It should be screen locked. So they take the SIM card, which can be PUK locked. That's 2 other levels of security.

So if you don’t have those in place and someone takes your phone, they now have to figure out your passcode.

While that is going on, you should have suspended your phone and had ATT make a new SIM with your account, and changed your PIN.

Again, if it were an existing or reported problem, carriers would change it.

Tutor

 • 

4 Messages

6 years ago

Still, a four digit password does not instill much sense of security for anyone. Sounds like @lizdance40 you are really trying to defend this lackadaisical security stance that AT&T has chosen to go with. There is still personally identifiable information in your AT&T account. That is enough to warrant more than a four digit PIN to protect your account. Hey @lizdance40 why don't you post your phone number and see how long it takes someone to hack your account... Elizabeth, or better yet I can find out on Google and probably get your phone number pretty fast.

 

 

ACE - Expert

 • 

64.7K Messages

6 years ago

@coolsvan74 No, no one is defending the practice. Yours and the OP's concerns are legitimate. All we're saying is the risk of a prepaid account being hacked just isn't that great because the payoff for hacking a prepaid account is not that great. All of those possibilities you listed are conceivable but it would take someone with considerable skills to accomplish. Someone with those skills isn't going to waste their time going after prepaid, there are much more lucrative targets. I'm sure ATT's view is until it becomes a problem, no need to change the security. Maybe that's not smart but it is what it is. If the security risk is too great for you, don't use prepaid.

ACE - Sage

 • 

116.6K Messages

6 years ago

@coolsvan74

I’ve already said I have a prepaid with Verizon with the same access method as ATT. It’s a universal practice. Without phone access my number isn’t enough. 🙄

 
