Wireless Forum

Posted Nov 25, 2013 12:01:08 PM
Why is my password emailed to me after changing it?

I was surprised to get an email with my password in the clear after resetting it from my iPad.

Email is by no means secure. This policy is VERY bad.

Can somebody from AT&T comment?

Thanks.

753 views, 22 replies
Nov 25, 2013 3:20:46 PM
Community Manager

Hello bacaboy,

Thank you for your feedback; we'll make sure it gets to the right people.

Dmitriy,

Community Forums Team

*I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.

2 of 23 (727 Views)
Nov 30, 2013 7:03:20 PM
Guru
If they email you the password it also means that they aren't hashing the passwords.
If ATT did the crypto correctly then even they themselves would not be able to send the plaintext password.

3 of 23 (618 Views)
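The point harryspar makes above, that an operator who hashes passwords correctly has nothing it could mail back, as an added example that is not part of the original thread and is not AT&T's code: the account record holds only a salted, iterated PBKDF2 verifier, a login is checked by recomputing it, and the plaintext never appears anywhere on the server. The record format, the function names and the iteration count are my own choices for illustration.

```python
"""Salted, iterated password hashing: the server keeps a verifier, not the password."""
import base64
import hashlib
import hmac
import os

# Parameters chosen for this example; production deployments tune the
# iteration count to their hardware, or use argon2/bcrypt/scrypt instead.
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def store_password(password: str) -> str:
    """Return the record to write to the account database.

    Format: algorithm$iterations$salt$hash, with salt and hash base64-encoded.
    A fresh random salt per account means two users with the same password
    get different records, and the plaintext itself is never stored.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the hash with the stored salt."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than crash
    if len(expected) != KEY_BYTES or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_BYTES
    )
    # Constant-time comparison so a wrong guess does not leak how close it was.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample credential
    rec = store_password(pw)
    print("stored record:", rec)
    print("login with right password:", verify_password(pw, rec))        # True
    print("login with wrong password:", verify_password("hunter2", rec))  # False
    # The whole point of the thread: there is nothing here to email back.
    print("plaintext present in record:", pw in rec)                      # False
```

Run it twice and the stored record differs each time because the salt is fresh, while both records still verify the same password; a "send me my password" feature is simply not implementable on top of this, which is why receiving one is evidence of plaintext (or reversibly encrypted) storage.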
Dec 1, 2013 4:34:39 AM
Expert

harryspar wrote:
If they email you the password it also means that they aren't hashing the passwords.
If ATT did the crypto correctly then even they themselves would not be able to send the plaintext password.

or they are sending a one-time-use password to verify

1. you are who you claim to be

2. to notify you that a password request was made on the account

3. to let you choose the password that you wish to utilize

Banks, online financial houses, anti-virus companies, and online retailers all use the one-time password change verification method. The number of online access firms that allow you to change the password on the fly is shrinking, and this is a good thing. Any online retailer that still does this needs to have a security audit on their systems to see how many accounts have been compromised by this irresponsible method of immediate password change ability with no verification.


4 of 23 (602 Views)
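The one-time verification flow the previous post describes, as an added example that is not part of the original thread and not AT&T's code: the secret that goes out by email is a random, single-use token with a short lifetime rather than the account password; the server keeps only the token's hash, so a leaked copy of the pending-request table is useless, and redeeming the token once removes it. ResetTokenStore, the 15-minute lifetime, the injectable clock and the sample account name are my own constructs for illustration.

```python
"""Single-use, expiring password-reset token: what gets emailed is not the password."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value for this example


class ResetTokenStore:
    """Server-side table of outstanding reset requests, keyed by token hash.

    The raw token is returned exactly once (for delivery) and never stored,
    so whoever reads this table cannot use it to take over accounts.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending: Dict[str, Tuple[str, float]] = {}  # token_hash -> (account, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account: str) -> str:
        """Create a reset token for `account` and return it for delivery."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = (account, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token.

        Returns the account it was issued for, or None if the token is
        unknown, expired, or already used. The entry is removed in every
        case, so no token can be redeemed twice.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self._now() > expires_at:
            return None
        return account

    def outstanding(self) -> int:
        """Number of reset requests still pending."""
        return len(self._pending)


def deliver_by_email(address: str, token: str) -> str:
    """Stand-in for the mail step: builds the message body (constructed text)."""
    return (
        f"To: {address}\n"
        "A password reset was requested for your account. Use this one-time "
        f"code within 15 minutes: {token}\n"
        "If you did not request this, ignore this message.\n"
    )


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("bacoboy")  # constructed account name
    print(deliver_by_email("user@example.com", t))
    print("first redeem:", store.redeem(t))   # 'bacoboy'
    print("second redeem:", store.redeem(t))  # None: single use
```

After a successful redeem the application lets the user pick a new password and stores it hashed; the emailed code itself is worthless a few minutes later and worthless immediately after use, which is the property a plaintext password in the mailbox lacks.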
Dec 2, 2013 6:34:15 AM
Tutor

It is NOT a one time password. It is the password I entered.

5 of 23 (574 Views)
Dec 2, 2013 6:36:55 AM
Tutor

EXACTLY. Hard to believe they don't hash the passwords, but also that they'd email it back to you.

This is something I'd expect in 1997.

I'll have to think about moving to another carrier if this is how they handle security...
6 of 23 (574 Views)
Dec 3, 2013 12:51:14 PM
Employee

Where did you change your password? From the myAT&T app or from the website?
7 of 23 (548 Views)
Dec 3, 2013 1:00:45 PM
Tutor
Edited by bacoboy on Dec 3, 2013 at 1:10:04 PM

aBenjamin wrote:

Where did you change your password? From the myAT&T app or from the website?

Neither. I changed it on the iPad.

Settings -> Cellular Data -> View Account -> (then login) -> Edit User & Payment Information
8 of 23 (545 Views)
Dec 5, 2013 4:12:48 AM
Guru
Similar observations were made here:

nakedsecurity.sophos.com/2013/04/01/rude-password-login-denied-the-att-april-fool-that-wasnt/

Basically, it is clear that ATT stores your passwords insecurely.
9 of 23 (447 Views)
Dec 5, 2013 7:03:44 AM
Tutor

harryspar wrote:

Basically, it is clear that ATT stores your passwords insecurely.

That is becoming clear to me. And since that occurred almost a year ago, I can see they haven't done anything to really address the problem.

Can somebody from AT&T security chime in with something less speculative if we are in fact wrong about this?
10 of 23 (412 Views)
Dec 5, 2013 10:06:24 AM
Guru

Don't hold your breath. Their MO is to leave security holes and then, if they ever get busted, they will kill the messenger, a la Weev.

Some consolation to the people whose accounts get hacked.

I wonder if this has anything to do with the current scam going around. Maybe this is how people on the inside get enough personal info to phish the customers who are being scammed?

http://www.nbc-2.com/story/22811096/some-att-customers-falling-victim-to-scam

http://www.techguylabs.com/episodes/1030/beware-att-cell-phone-scam
11 of 23 (409 Views)
Dec 5, 2013 2:21:33 PM
Expert

harryspar wrote:

Don't hold your breath. Their MO is to leave security holes and then, if they ever get busted, they will kill the messenger, a la Weev.

Some consolation to the people whose accounts get hacked.

I wonder if this has anything to do with the current scam going around. Maybe this is how people on the inside get enough personal info to phish the customers who are being scammed?

http://www.nbc-2.com/story/22811096/some-att-customers-falling-victim-to-scam

http://www.techguylabs.com/episodes/1030/beware-att-cell-phone-scam

Did you even read the articles? The customer was the one that let loose the information, not ATT.

Example one, from your first link:

It starts innocently enough with a phone call from someone claiming to be with AT&T offering you a credit on your bill to take a short survey. The questions are all about service, but by the end you have unknowingly given up just enough information to grant the scammer access to your account.

Randy and his wife say this is their proof they were victims of a clever phone scam.

On your second link, if you had followed the link that was given in the article you would have seen this:

http://www.11alive.com/rss/article/302420/40/Cell-phone-scammers-target-ATT-caller-ID

It takes nothing to spoof the ANI that is displayed on the LCD readout on your phone. I can make any one of our corporate phones show absolutely anything I want it to simply by making a 20-second change in the settings of the phone. The only portion of the ANI that cannot be spoofed is the one that goes to emergency services for 911 calls.

Both of the articles you linked show that a phone scam survey by a 3rd party initiated the call and was able to ask a few questions to obtain enough information to make changes on the account in question. The same thing happens at the other carriers also.

Pray tell, how exactly is it a security hole when the person in question handed all the information, including the SSN/TID number, to the caller? You know common sense dictates that if an incoming caller asks for personal information such as SSN, then something is rotten in Denmark.
12 of 23 (398 Views)
Dec 5, 2013 2:44:30 PM
Guru
The callers already had the account holders' PII and account info even before asking any questions. This has nothing to do with caller ID spoofing and everything to do with loose security inside ATT.

The same is true of the Weev episode where they called looking at a public URL a "hack".

If ATT salted and hashed our passwords none of these things could have happened. Not the Weev "hack", nor the phone scams, nor email passwords in the clear.

Let's stay on the crypto topic in this thread, please. It is the crux of the situation.
13 of 23 (396 Views)
Dec 5, 2013 5:08:34 PM
Expert

harryspar wrote:
The callers already had the account holders' PII and account info even before asking any questions. This has nothing to do with caller ID spoofing and everything to do with loose security inside ATT.

The same is true of the Weev episode where they called looking at a public URL a "hack".

If ATT salted and hashed our passwords none of these things could have happened. Not the Weev "hack", nor the phone scams, nor email passwords in the clear.

Let's stay on the crypto topic in this thread, please. It is the crux of the situation.

And you have proof of this? Sorry, the two examples you left have nothing to do with this topic but everything to do with a phone scam, and give no indication of lax security on the carrier's part. If you take the time to actually read the articles, the scammers gained all the information they needed from talking to them; there is absolutely no indication that the caller already had the information.

If you are assuming that the caller had the information prior because the ATT logo showed up on caller ID, you are incorrect. The information of what cell numbers belong to what carrier or provider is public domain and can be obtained from hundreds of websites on the internet; in fact, if you are willing to pay a couple of bucks you can get address information also, once again all public domain information if you know where to look for it.

You brought it up, not me. You should expect rebuttal when you claim something.
14 of 23 (385 Views)
Dec 5, 2013 6:17:06 PM
Guru
Yes, it was an error to introduce any extra information into the thread. It distracts from the main topic and tempts nitpickers.
15 of 23 (380 Views)
Dec 6, 2013 6:24:29 AM
ACE - Professor

harryspar wrote:
Yes, it was an error to introduce any extra information into the thread. It distracts from the main topic and tempts nitpickers.

It's not that introducing extra information is bad, but trying to use that extra information to support an assertion it doesn't is intellectually dishonest.

The links do not support lax security within AT&T. There's no indication in either case that the fraudsters had any information from AT&T to perpetrate their scams.

*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
16 of 23 (352 Views)
Dec 6, 2013 7:41:17 AM
Guru
Maybe you missed the words "I wonder if" in that post. That is what we call a question, a conjecture. Nobody attempted to prove anything.

Yet you seize upon the opportunity to make an elementary cognitive error by thinking that if you can point out that the conjecture is not proven then it's OK to not encrypt our data on their servers.

They might be leaking data to scammers. They might not. We don't know. What's important is that it's a breach waiting to happen when you don't hash and salt.

Nuff said.
17 of 23 (345 Views)
Dec 6, 2013 7:58:09 AM
ACE - Professor

harryspar wrote:
The callers already had the account holders' PII and account info even before asking any questions. This has nothing to do with caller ID spoofing and everything to do with loose security inside ATT.

What I was referring to...
18 of 23 (343 Views)
Dec 6, 2013 8:02:46 AM
ACE - Professor

bacoboy wrote:

aBenjamin wrote:

Where did you change your password? From the myAT&T app or from the website?

Neither. I changed it on the iPad.

Settings -> Cellular Data -> View Account -> (then login) -> Edit User & Payment Information

What information could someone get from that? If there's not sensitive information that could be obtained, it's possible that AT&T chose customer convenience over security. There was recently a discussion regarding this over on the Uverse boards: http://forums.att.com/t5/U-verse-General-Care-and-Support/Network-key-is-in-the-clear-http-lt-router-ip-gt/td-p/3681027#.UqH0-fS1ym4
19 of 23 (342 Views)
Dec 6, 2013 9:38:24 AM
Tutor
Edited by bacoboy on Dec 6, 2013 at 9:40:21 AM

MicCheck wrote:
What information could someone get from that? If there's not sensitive information that could be obtained, it's possible that AT&T chose customer convenience over security. There was recently a discussion regarding this over on the Uverse boards: http://forums.att.com/t5/U-verse-General-Care-and-Support/Network-key-is-in-the-clear-http-lt-router-ip-gt/td-p/3681027#.UqH0-fS1ym4

If they aren't treating my password with due care, how do I know they are doing the same with my PII info? Or my credit card number? Security breaches happen all the time.

Email is not secure. They are sending the entry mechanism into my account over an insecure channel. Furthermore, they are storing it on their servers in the clear. Unacceptable in 2013.
20 of 23 (333 Views)
Dec 6, 2013 12:58:00 PM
ACE - Professor

bacoboy wrote:

MicCheck wrote:
What information could someone get from that? If there's not sensitive information that could be obtained, it's possible that AT&T chose customer convenience over security. There was recently a discussion regarding this over on the Uverse boards: http://forums.att.com/t5/U-verse-General-Care-and-Support/Network-key-is-in-the-clear-http-lt-router-ip-gt/td-p/3681027#.UqH0-fS1ym4

If they aren't treating my password with due care, how do I know they are doing the same with my PII info? Or my credit card number? Security breaches happen all the time.

Email is not secure. They are sending the entry mechanism into my account over an insecure channel. Furthermore, they are storing it on their servers in the clear. Unacceptable in 2013.

But what information could someone get with that password? Could someone with that password add a line? Get your credit card information?
21 of 23 (312 Views)
Dec 6, 2013 1:15:33 PM
Contributor

Is that really the point here?

Post your password here then if you're that confident that it doesn't matter.
22 of 23 (308 Views)
Dec 6, 2013 1:17:32 PM
ACE - Professor

Trencal wrote:

Is that really the point here?

Post your password here then if you're that confident that it doesn't matter.

I didn't say it didn't matter. I'm asking what information someone could get with that password, because I have no idea.
23 of 23 (306 Views)