07-14-2018 6:19 PM
I have an AT&T Prepaid account. To access the account, the only way is to log in to the paygoonline website.
And guess what, the password is a 4 DIGIT NUMBER!!!!
This is a very, very serious security flaw.
While the world has moved on to complex passwords and two-factor authentication, why is this not fixed yet for paygoonline???
I am hoping someone at AT&T sees this post and acts on it.
07-18-2018 11:20 AM
This is actually a huge security risk. Most people use their phone number as part of two-factor authentication for many services online, including their bank accounts. Protecting a prepaid account with a four-digit PIN is ridiculously easy to exploit. The risk is actually pretty good, and the fact that you have not seen it in all the years you have been here does not mean it has not been exploited, nor does that mean it won't be. Ever hear of SIM hijacking? What if I was able to guess your PIN for your phone number and then I am able to convince AT&T to send me a SIM card through a bit of social engineering? Now I can go to your Google account and recover your password, because who knows, that might be one of the recovery methods you use for your Gmail account. Once I have your email, I am able to go to your bank and recover your password. Since I have your phone, now I can exploit your two-factor authentication. Do you want me to keep going? So do you want to trust your AT&T account to a four-digit PIN? Two-factor authentication is the industry standard these days for services that host personally identifiable information, and I am pretty sure most of us at the very least have personally identifiable information in our AT&T prepaid account, like who we call, who we interact with... our first name, last name, email address, etc.
07-18-2018 11:23 AM
There is a huge risk. There is personally identifiable information, to start. Secondly, a lot of people use their phone for two-factor authentication and password recovery. There could possibly be SIM hijacking opportunities as well via social engineering. So do you want to trust your account to a four-digit PIN?
07-18-2018 11:59 AM
Okay, let's say someone takes your phone. It should be screen locked. So they take the SIM card, which can be PUK locked. That's 2 other levels of security.
So if you don't have those in place and someone takes your phone, they now have to figure out your passcode.
While that is going on, you should have suspended your phone, had AT&T make a new SIM for your account, and changed your PIN.
Again, if it were an existing or reported problem, carriers would change it.
07-18-2018 12:57 PM
Still, a four-digit password does not instill much sense of security for anyone. Sounds like @lizdance40 you are really trying to defend this lackadaisical security stance that AT&T has chosen to go with. There is still personally identifiable information in your AT&T account. That is enough to warrant more than a four-digit PIN to protect your account. Hey @lizdance40, why don't you post your phone number and see how long it takes someone to hack your account... Elizabeth, or better yet, I can find out on Google and probably get your phone number pretty fast.
07-18-2018 1:14 PM
@coolsvan74 No, no one is defending the practice. Yours and the OP's concerns are legitimate. All we're saying is the risk of a prepaid account being hacked just isn't that great, because the payoff for hacking a prepaid account is not that great. All of those possibilities you listed are conceivable, but it would take someone with considerable skills to accomplish. Someone with those skills isn't going to waste their time going after prepaid; there are much more lucrative targets. I'm sure AT&T's view is that until it becomes a problem, there is no need to change the security. Maybe that's not smart, but it is what it is. If the security risk is too great for you, don't use prepaid.
07-18-2018 4:21 PM
I've already said I have a prepaid account with Verizon with the same access method as AT&T. It's a universal practice. Without phone access, my number isn't enough. 🙄
07-18-2018 5:32 PM
07-18-2018 9:13 PM
Lol... it was an illustration of what someone might or could do... sadly.
A poor illustration, as it illustrated nothing. Try something more practical instead of just complaining about this.
Why don't you try to take your number and start pumping in random PINs and see what the login does to you after you get it wrong a dozen times...?
Come back and let us know.
And IF (and only IF) you get in, tell us what you can realistically do.
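The exchange above turns on two numbers: how many PINs a four-digit field can hold, and what the login does after a run of wrong guesses. The following is an added example, not code from this thread and not AT&T's or paygoonline's actual login logic; the lockout policy (5 failures, 15-minute lock) and the sample PIN are constructed for illustration. It models a PIN verifier with failure-count lockout and quantifies, from the defender's side, how much a lockout actually buys for a 10,000-value keyspace.

```python
"""Model of a four-digit PIN login with failure lockout (constructed example).

Shows why a small numeric keyspace stays weak even behind a lockout policy,
and why a second factor (as the thread argues) matters more than the PIN.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


def pin_keyspace(digits: int) -> int:
    """Number of distinct PINs a purely numeric field of this length can hold."""
    return 10 ** digits


def guess_success_probability(digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses include the right PIN
    (uniform PIN choice assumed; real users pick far less uniformly)."""
    return min(1.0, attempts / pin_keyspace(digits))


def guesses_per_day(max_failures: int, lockout_seconds: int) -> int:
    """How many guesses a lockout policy still permits in 24 hours, assuming
    the attacker simply waits out each lock and tries again."""
    windows_per_day = 86_400 // lockout_seconds
    return windows_per_day * max_failures


@dataclass
class PinVerifier:
    """Server-side PIN check with a failure counter and a time-based lockout.

    Policy values here are hypothetical, not any carrier's real settings.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    _salt: bytes = field(default_factory=lambda: os.urandom(16), repr=False)
    _pin_hash: bytes = field(default=b"", repr=False)
    failures: int = 0
    locked_until: float = 0.0

    def _hash(self, pin: str) -> bytes:
        # Salted PBKDF2 protects the stored value, but note: with only 10^4
        # candidates an offline attacker still recovers the PIN trivially.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def set_pin(self, pin: str) -> None:
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be exactly four digits")
        self._pin_hash = self._hash(pin)

    def verify(self, pin: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked' for a login attempt at time `now`."""
        if now < self.locked_until:
            return "locked"          # refuse even a correct PIN while locked
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "wrong"


if __name__ == "__main__":
    print("4-digit keyspace:", pin_keyspace(4))
    print("P(success) after a dozen guesses:", guess_success_probability(4, 12))
    per_day = guesses_per_day(5, 900)
    print("guesses/day under 5-fail/15-min lockout:", per_day,
          "-> P(success per day) =", guess_success_probability(4, per_day))
    v = PinVerifier()
    v.set_pin("1234")                       # constructed sample PIN
    for i in range(5):
        print("attempt", i + 1, v.verify("0000", now=i))
    print("correct PIN during lockout:", v.verify("1234", now=10))
    print("correct PIN after lockout:", v.verify("1234", now=1000))
```

The point the numbers make: a dozen wrong tries, as suggested above, covers only 0.12% of the keyspace, but a policy that unlocks after fifteen minutes still admits 480 guesses a day, almost 5% of a four-digit space, so lockout alone does not turn a four-digit PIN into a strong credential; it has to be paired with a second factor or a longer secret.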
01-11-2019 11:09 AM