Print 34 comment(s) - last by smij.. on Jun 16 at 3:57 PM

  (Source: Know Your Meme)
One tech at an AT&T contractor suggests that you shouldn't preorder the iPhone 4

Security is a lot like combating illness -- sometimes you have a relatively minor issue that affects many people, other times you have a major issue that only affects a few.  AT&T's iPad email leak and its ramifications were bad enough, but AT&T's latest breach appears to be even worse.

This morning the iPhone 4 preorder process was having some serious denial of service issues thanks to a deluge of customers looking to order the hot new phone from Apple.  But AT&T's servers didn't just deny service to some -- they also apparently started doing some naughty things as well.  

Several customers have written reporting that they logged in to their AT&T accounts, only to enter another user's account.  Full information, including bills, phone numbers, possible credit card information, addresses, and more greeted them according to growing reports over at Gizmodo.

This nightmarish scenario, appears only to be affecting a few of AT&T's subscribers, but for those impacted it could lead to some very serious problems, should the info fall into the hands of someone who might be tempted to abuse it.

One user, John King, describes:
A tech at one of AT&T's contractors reveals an untested security update rolled out to servers over the weekend may be to blame.  They write:
I work at a 3rd party order processing facility—what AT&T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&T calls their iPhone program internally). Agents use AT&T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.

Over the weekend there was a major fraud update that went down on all of AT&T's systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.

The issues people are seeing at AT&T stores and online are most likely related to this update that went wrong.

I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it's just heresay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.

At this point, I can say that the system that AT&T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.

[Regarding the identity problem] Whenever we see people who are logging in and seeing other customer's account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It's a rare occurrence, but it has happened in the past.

You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.

So apparently the advice from at least one source close to AT&T is pretty drastic -- don't order the iPhone 4, if you don't want your credit cards and other info exposed.  One can only shake there head in amazement at how AT&T let this happen after their iPad bungle last week.

Update 1: Tues. June 15, 2010 8:45 p.m. 
We just received the following official statement from AT&T explaining their knowledge of the situation and what definitely has not been leaked.  The statement is as follows:
We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process.  We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.    In the meantime, we are looking into this matter.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

All of AT&T Breached?
By tjvanpat on 6/15/2010 6:55:25 PM , Rating: 2
I'm missing the part of this story that states only those performing iPhone 4 preorders were affected. This sounds to me like anyone with an account at AT&T had the potential to have their account breached. It seems more like coincidence that this was seen more often today (rather than Monday), because of the large number of people attempting to preorder iPhones.

To be entirely honest, while I prefer that my data is never exposed, I would rather some 'average Joe' comes across it (and likely backs out to reattempt the login), than someone that is maliciously looking for data. Whether or not my account got breached today seems to be entirely based on luck, with an even slimmer chance that anything happened if it did. This is not a case of a group of hackers obtaining millions of credit card numbers to be sold...yet.

However, don't get me wrong. I'm still not happy about this at all.

RE: All of AT&T Breached?
By thrust2night on 6/15/2010 8:53:36 PM , Rating: 3
Don't worry. Tomorrow morning AT&T will release a statement blaming Goatse Security. :D

RE: All of AT&T Breached?
By spread on 6/15/2010 9:02:39 PM , Rating: 3
Looks like AT&T has lots of gaping backdoors.

RE: All of AT&T Breached?
By muhahaaha on 6/15/2010 9:08:31 PM , Rating: 2
That statement made me shiver. I don't want anything to intrude into my "back door"

RE: All of AT&T Breached?
By Spivonious on 6/16/2010 9:47:00 AM , Rating: 2
Does anyone else find it funny that Goatse specializes in finding gaping backdoors?

RE: All of AT&T Breached?
By tastyratz on 6/16/2010 10:38:17 AM , Rating: 2
I also find strange amusement in his recent arrest including blow. I guess the blow plugs that gaping hole for at&t

RE: All of AT&T Breached?
By jhb116 on 6/15/2010 9:05:28 PM , Rating: 3
And the funny thing is that Apple (which I'm not a big fan of) ends up suffering. Is that Irony??

BTW - I hope everyone remember this is 5-10 years when Google or Microsoft (or possibly HP or RIM) rule the cell phone OS market and Verizon owns the cell market. One incident doesn't spell the end but AT&T is looking like an asylum run by the inmates....

RE: All of AT&T Breached?
By rs1 on 6/16/2010 1:43:02 AM , Rating: 5
I don't understand how any company as large as AT&T can roll out any sort of server update and do "absolutely no testing" on it. Their servers are their lifeblood, you don't just drop in a new patch without first thoroughly testing it in QA. They should fire whoever they have managing their deployment process.

Also, I love their official comments on the problem:


We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.

So if you can't replicate it, how do you know that it did not include those details? You are relying on third-party accounts of the issue, and have no idea what is really happening. Ruling out possibilities is premature at this stage.

RE: All of AT&T Breached?
By lolmuly on 6/16/2010 7:39:08 AM , Rating: 2
aside from all of this AT&T's service still sucks balls.

I don't have a 3g phone (yet), but they still manage to drop 50% of my calls, and it sometimes takes hours for me to receive a text message. My girlfriend gets mad at me when she calls, because most of the time it doesn't go through to my phone, it just goes to voice mail and I don't even receive a missed call notice to tell me who it was from.

The worst part is I live in the middle of phoenix, the average building here is 2 stories tall, I can't imagine what it's like in new york.

I wouldn't even consider buying a 3g at&t phone, based on what my friends have told me the service is even worse.

RE: All of AT&T Breached?
By MrBlastman on 6/16/2010 9:23:18 AM , Rating: 2
Not only that...

Several customers have written reporting that they logged in to their AT&T accounts, only to enter another user's account.

These people that reported the problem will be illegally searched by the FBI and police and threatened to be thrown in jail for tainting the great AT&T's reputation.

With AT&T and Apple, there is only strict compliance--or you are executed, at which time your Liver is harvested for Steve.

RE: All of AT&T Breached?
By thrust2night on 6/16/2010 9:47:56 AM , Rating: 2
That's what they get for reporting gaping holes. And we all thought Jobs liked to keep it PG-13. :)

RE: All of AT&T Breached?
By HrilL on 6/16/2010 12:34:10 PM , Rating: 2
Seems like its time for a class action against At&t since money is their only motivator.

"Nowadays you can buy a CPU cheaper than the CPU fan." -- Unnamed AMD executive

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki