AT&T Prepaid Account Password - Security Issue

Tutor


I have an AT&T Prepaid account. To access the account, the only way is to log in to the paygoonline website.

And guess what, the password is a 4 DIGIT NUMBER!!!!

This is a very very serious security flaw.

While the world has moved on to complex passwords and two factor authentication, why is this not fixed yet for paygoonline???

I am hoping someone in AT&T sees this post and acts on it.

Thanks!!

Message 1 of 25

Re: AT&T Prepaid Account Password - Security Issue

This is actually a huge security risk. Most people use their phone number as part of two factor authentication for many services online, including their bank accounts. Protecting a prepaid account with a four digit pin is ridiculously easy to exploit. The risk is actually pretty good and the fact that you have not seen it in all the years you have been here does not mean it has not been exploited nor does that mean it won't. Ever hear of SIM hijacking? What if I was able to guess your pin, for your phone number and then I am able to convince AT&T to send me a SIM card through a bit of social engineering. Now I can go to your Google account and recover your password because who knows that might be one of the recovery methods you use for your Gmail account. Once I have your email, I am able to go to your bank and recover your password. Since I have your phone, now I can exploit your two factor authentication. Do you want me to keep going? So do you want to trust your AT&T account to a four digit PIN? Two factor authentication is the industry standard these days for services that host personally identifiable information and I am pretty sure most of us at the very least have personally identifiable information in our AT&T prepaid account, like who we call, who we interact with....our first name, last name, email address etc.

Message 16 of 25

Re: AT&T Prepaid Account Password - Security Issue

There is a huge risk. There is personally identifiable information to start. Secondly a lot of people use their phone for two factor authentication and password recovery. There could possibly be SIM hijacking opportunities as well via social engineering. So do you want to trust your account to a four digit pin number?

Message 17 of 25
ACE - Sage

Re: AT&T Prepaid Account Password - Security Issue

@coolsvan74

Okay, let’s say someone takes your phone. It should be screen locked. So they take the SIM card, which can be PUK locked. That's 2 other levels of security.

So if you don’t have those in place and someone takes your phone, they now have to figure out your passcode.  

While that is going on, you should have suspended your phone and had ATT make a new sim with your account, and changed your PIN.  

   Again, if it were an existing or reported problem, carriers would change it.  

(The following is included after all posts to save typing) I don’t work for AT&T. My replies are based on experience and reading content available on the website. Our answers are honest, but not always appreciated. If you posted personal information, please edit and remove.
Award for Community Excellence 2019 Achiever*
*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
Message 18 of 25

Re: AT&T Prepaid Account Password - Security Issue

Still a four digit password does not instill much sense of security for anyone. Sounds like @lizdance40 you are really trying to defend this lackadaisical security stance that AT&T has chosen to go with. There is still personally identifiable information in your AT&T account. That is enough to warrant more than a four digit pin to protect your account. Hey @lizdance40 why don't you post your phone number and see how long it takes someone to hack your account...Elizabeth or better yet I can find out on Google and probably get your phone number pretty fast.

Message 19 of 25
ACE - Expert

Re: AT&T Prepaid Account Password - Security Issue

@coolsvan74 No, no one is defending the practice. Yours and the OP's concerns are legitimate. All we're saying is the risk of a prepaid account being hacked just isn't that great because the payoff for hacking a prepaid account is not that great. All of those possibilities you listed are conceivable but it would take someone with considerable skills to accomplish. Someone with those skills isn't going to waste their time going after prepaid, there are much more lucrative targets. I'm sure ATT's view is until it becomes a problem, no need to change the security. Maybe that's not smart but it is what it is. If the security risk is too great for you, don't use prepaid.

Message 20 of 25
ACE - Sage

Re: AT&T Prepaid Account Password - Security Issue

@coolsvan74

I've already said I have a prepaid with Verizon with the same access method as ATT. It’s a universal practice. Without phone access my number isn’t enough. 🙄

 

Message 21 of 25
ACE - Expert

Re: AT&T Prepaid Account Password - Security Issue


@coolsvan74 wrote:

or better yet I can find out on google and probably get your phone number pretty fast.  

Are you threatening to search out a forums member's number to see if you can hack their PIN???

 

 


 

  • Remember the Golden Rule: Treat others how you would like to be treated.
  • Just because my answer does not solve your issue (or agree with you), it may still be correct information...
  • Stating a fact about how something works, is NOT taking sides, it's just stating a fact...
  • Information provided might not be for "you" only, it might be clarification for other community members.
  • This is the public AT&T Community Forum (not AT&T support), please do not post personal info.
  • When provided an answer, please click "Accept solution" which helps other people to find an answer more quickly.
The (very) fine print - This footer is at the bottom of all my posts, its particulars may, or may not, apply to you & your post.
Message 22 of 25

Re: AT

Lol...it was an illustration of what someone might or could do...sadly.
Message 23 of 25
ACE - Expert

Re: AT


@coolsvan74 wrote:
Lol...it was an illustration of what someone might or could do...sadly.

A poor illustration as it illustrated nothing. Try something more practical instead of just complaining about this.


Why don't you try to take your number and start pumping in random PINs and see what the login does to you after you get it wrong a dozen times...?


Come back and let us know.

 

And IF (and only IF) you get in, tell us what you can realistically do.

 

 

Message 24 of 25
Contributor

Re: AT

For anyone who doesn't understand why this is a big deal, please just read this article:

 

https://techcrunch.com/2018/12/25/cybersecurity-101-guide-protect-phone-number

 

Message 25 of 25