Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication. Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning …

  1. Nate Amsden

    why would anyone link their bank accnt to paypal

    Unless it is a throw away account that only has funds for a limited time.

    I don't use paypal often but when I do i only use protected credit cards issued by in my case bank of america shop safe. Credit line is set for the purchase price in paypal. I make the purchase and the virtual card is useless after that.

    As for sms and 2 factor. It's still better than single factor. None of my bank accounts with major banks have 2 factor as far as I know. Though each account has a unique username a unique password, and a unique email address hosted on my personal server(which does NOT correspond to any user accounts on my server, i have a general login account with access to my dozens of email inboxes and 150 or so email addresses spread over multiple domains).

    1. Anonymous Coward

      Re: why would anyone link their bank accnt to paypal

      I agree 100%. Originally it was horror stories about Paypal reversing charges on the say-so of someone else that made me resolve to never link it to a bank account, this is merely another reason. I have linked it to a credit card, so if a fraudulent charge is ever made, I can go to my credit card company and have it reversed, instead of being at the mercy of Paypal.

      If you have a lot of money coming in to Paypal you may have reason to link it to a bank account, but IMHO it should be a bank account you open specifically for that purpose, and have some sort of automated 'sweep' function set up to leave as little money in it as possible to minimize potential losses. Linking to your own main/only bank account is criminally stupid, and you deserve what you get if you do that.

      1. Anonymous Coward

        Re: why would anyone link their bank accnt to paypal

        "I have linked it to a credit card, so if a fraudulent charge is ever made, I can go to my credit card company and have it reversed"

        Are you sure about that? Have you tried it? You have explicitly authorised PayPal to take money from that account so, as far as the bank is concerned, their transaction with PayPal is authorised. Whether the original PayPal transaction with the external party is legitimate has nothing to do with the bank as they aren't a party to that transaction and they would be well within their rights not to get involved or issue a refund.

    2. Anonymous Coward

      Re: why would anyone link their bank accnt to paypal

      Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?

      I don't like borrowing money, I'll stick to debit thanks.

      1. Cuddles

        Re: why would anyone link their bank accnt to paypal

        "I don't like borrowing money, I'll stick to debit thanks."

        Or you could just set up a direct debit to pay the whole bill every month, and enjoy the better protections provided through credit card use without ever going into debt. As is so often the case, just because some people misuse a thing does not mean such misuse is required for all users. It makes no more sense than complaining that some people are bad at painting so you'll stick to having bare plaster for your walls.

        As for the article itself, pretty much a big "eh". Yes, social engineering remains by far the biggest threat when it comes to fraud. Humans are always the weakest link when it comes to security; as long as there is someone, somewhere, with the ability to screw around with your account details, this kind of fraud is always going to be possible. And since changing account details is something that often needs to be done legitimately, that's never going to change.

      2. Dabooka

        Re: why would anyone link their bank accnt to paypal

        Typical AC comment, blame 'the system' for lack of control.

        As has been pointed out, using a CC has many benefits to the user. I have a low limit card for all online purchases (yes I even keep rejecting their limit increases) my logic being if it got hacked it'd a) not be my money anyway and b) the amount they could obtain would be limited to a few hundred quid.

        I can happily argue with a CC company or PayPal until the cows come home, my current account is totally unaffected; mortgage, gas, mobile etc all get paid. Try that when your debit card is trashed and your account is plundered. Yes you may get a refund eventually but trying to cover bills or plead with service providers isn't my idea of fun.

      3. KorndogDev

        Re: why would anyone link their bank accnt to paypal

        "Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?"

        I happen to have 6 CC's. Not a single dime in debt. You should hear more broadly.

      4. CrazyOldCatMan Silver badge

        Re: why would anyone link their bank accnt to paypal

        Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?

        And people also use them correctly (as in: pay them off in full every month. Which, BTW, credit card companies *hate*).

        1. pmb00cs

          Re: why would anyone link their bank accnt to paypal

          Why would credit card companies hate being paid off in full each month?

          They get their funds from the Credit card transaction fees the merchant pays for the privilege of being able to take credit card payments, and they do so whilst accepting the minimum of risk of default from the card holder.

          Yes they can make money from your interest payments on any ongoing debt each month, but the risk of default is higher on credit cards than other unsecured debt, hence the higher interest rates. And in the UK the credit card company also has to accept the shop's liability on certain purchases, so they get the risks from both ends. Surely anything that reduces that risk (like prompt payments from the card holder) would be a positive thing.

          1. Anonymous Coward

            Re: why would anyone link their bank accnt to paypal

            Yeah, I doubt credit card companies care if you pay in full every month or not. They make money either way, and if you don't carry a balance they won't make interest charges but they also don't have to worry about selling the account into collections for pennies on the dollar if the person can't pay, disappears, dies etc.

        2. Anonymous Coward

          Re: why would anyone link their bank accnt to paypal

          I work for a Private Label Credit Card company that also does some Co-Brand stuff (your visas and mastercards) and we don't hate it. It's less whining out of you over late fees and finance charges which don't make us that much money in reality. We make a little less money off of having people clear balances on the monthly, but we're making plenty by lending to you in the first place.

    3. fbt3

      Re: why would anyone link their bank accnt to paypal

      This sounds suspiciously like what happened to me about four weeks ago.

      My first indication that something strange was going on was a text from T-Mobile on Saturday stating that I was a valued customer and to rest assured that my changes would be handled quickly. Well, since I was at a BBQ and hadn't made any changes, I was suspicious, and called them. T-Mobile said that there were no changes and the text had been sent in error. Fast forward to Monday....

      My cell phone had no service and was in "searching" mode. So I opened up my web mail and reached out to T-Mobile. They proceeded to tell me how that was normal when I requested that my cell number be transferred to another phone on another carrier. Thus the battle began with them. At the time I thought it was just a phone related issue. Then the notification e-mails began coming in....

      I started getting user account modification e-mail notifications from my bank where the modification texts were being sent to my cell phone, which had been hijacked already. So I hung up with T-Mobile and immediately called my bank, while getting into my account. While sitting on hold with the fraud department of the bank, waiting to speak to someone, these clowns added themselves as an auto-pay recipient to my account and tried to send themselves two $1,000 transactions and one $2,000 debit. By the time that the account was closed down and a fraud alert put on it, the two $1,000 transactions were killed by the bank (only because they take 24 hours to process), but the $2,000 debit had gone through (which I am presuming that he had used the banking app to do as he had added his phone to it). It took them ten business days to get me my $2,000 back on a temporary basis. The phone that they used was a pre-paid "burn" phone.

      I was lucky. Because I had notifications set up, and because this guy missed it, I was able to catch it super early.

      1. diodesign (Written by Reg staff) Silver badge

        Re: fbt3

        Wow - how did they manage to transfer your T-Mobile number? (I'm assuming it's T-Mobile USA, right?)

        C.

        1. fbt3

          Re: fbt3

          Yeah. It was T-Mobile.

          They purchased a pre-paid Verizon phone. According to Verizon, they don't do any real checks when you buy a pre-paid phone because you're not technically getting an "account". So once they bought that phone they somehow convinced Verizon to trigger an inter-carrier transfer. From what I was told by T-Mobile, there's no real verification done for inter-carrier transfers because they assume the requesting company has done their due diligence checks.

          With that being said, I am getting this info from phone lackeys, so I don't know what the real process is.

          I did verify with Verizon that they didn't have my SSN in their system anywhere, but I still can't guarantee that it wasn't a full identity theft. I treated it like it was and reached out to all of the credit agencies, the local police, the FTC, etc. and got everyone involved in it.

          1. diodesign (Written by Reg staff) Silver badge

            Re: fbt3

            Wow, that's crazy. Thanks for letting us know.

            C.

      2. Anonymous Coward

        Re: why would anyone link their bank accnt to paypal

        I've been close to having the same thing happen to my AT&T account, I think. We (several family members on the same account) received notice that our passcode had changed. Followed up and AT&T indicated that "someone logged on and changed the passcode". They couldn't tell us who changed it, or where they were from (or even confirm if it's from their app or from the website). Did the change password thing and reset the passcode. A few days later the same deal happened. AT&T was helpful in that they locked the account down completely for us. We left it that way for the rest of the billing cycle, then reset the password in the store. Now we have "enhanced" security, and need password + passcode for any changes.

        The unsettling part is not knowing the source. Rogue app on the landfill android tablet they sold (sorry: "gave for free") to my wife? Malware on the home PC? Some brute force attack from a bot farm overseas? Some 400# guy on his bed in his mom's basement? Hard to believe they don't have sufficient logging to track things down.

        Was wondering what the end game was. This makes more sense.

        Made sure my Paypal account isn't linked to my bank account... Keeping one extra eye on all financial stuff for the time being.

  2. Mark 85

    Any other luddites about?

    I guess I'm safe then... I only use my phone to make..<gasp> phone calls. No purchases, money transactions, etc. are done on it. I guess I'm a luddite at heart.

    1. FozzyBear

      Re: Any other luddites about?

      Yep another here. Considering all the data slurping that is also going on, best to leave the phone for phone calls and carry cash

    2. big_D Silver badge

      Re: Any other luddites about?

      The other problem is, using a token app is fine, as long as you are not / cannot access any services using those tokens on the smartphone... Then it is just 1.5 factor.

      My bank uses a token generator, where I have to enter the receiving account number and the amount into the generator, plug my chip-card into the device and it creates a unique code for that transaction. This should also stop MitM attacks, because I enter and confirm the recipient and the amount; if the MitM uses a different account or amount, the transaction code won't match and the transaction will be rejected.

      A bit of hassle, but worth it.

      1. CrazyOldCatMan Silver badge

        Re: Any other luddites about?

        My bank uses a token generator, where I have to enter the receiving account number and the amount into the generator, plug my chip-card into the device and it creates a unique code for that transaction.

        Likewise. Except, for me, it's not a bank, it's a building society. And bonus points for the fact that the device itself isn't unique (my wife has one too - and we can use each other's device) but the number generated is.

    3. Tim 11

      Re: Any other luddites about?

      you might only use your phone for calls, but the person who calls up and pretends to be you can then use it to order phone upgrades and tablets on your phone account (as I discovered to my cost).

      Fortunately it looks like AT&T are slightly more on-the-ball than EE, because the latter don't seem to have any security precautions at all - they let the hacker repeatedly access my account and order stuff (10 times in a month) despite not knowing any security details except my name and address.

    4. Shaha Alam

      Re: Any other luddites about?

      what you use your phone for is irrelevant.

      as long as your service providers allow the use of a phone number to secure your account, you're vulnerable - even if you dont even have a phone.

      what's a self professed luddite doing on a tech website anyway?

    5. fbt3

      Re: Any other luddites about?

      I use my phone for a lot of data consumption...

      Because of this, to be on the safe side, I don't use my phone for actual financial transactions, like Amazon Ordering, Banking apps, etc.

  3. Stevie

    Bah!

    Dimwit shaming the "tech" who "broke protocol"?

    Of course we all know that while we think of the call center people as working in an office of many, in actual fact they are working from home over a network connection. This week's customer account service technician is last week's full-time facebooker.

    1. kain preacher

      Re: Bah!

      ATT does not use work at home call center.

      1. Stevie

        Re: ATT does not use work at home call center.

        Assuming you are right (a big assumption, but I am implying AT&T obfuscation rather than kain preacher misdirection) then the "breach of protocol" is even more bewildering and should result in an immediate firing and outing on the intranet as a warning to others - just like they do in my own enterprise. Shouldn't be necessary, but sadly is. Dimwits infest the world.

        1. kain preacher

          Re: ATT does not use work at home call center.

          How is what I said misdirection? I've worked at an ATT call center. I can tell you what he did is a fireable offence.

          1. Anonymous Coward

            Re: ATT does not use work at home call center.

            Yep, sure is. I was at Rio Rancho and they'll terminate you an hour later for that kind of crap, if not sue you or have you arrested like those idiots who unlocked those hundreds of thousands of phones in Bothell in 2015.

    2. Voland's right hand Silver badge

      Re: Bah!

      Well, it is called two factor for a reason.

      How did the miscreant know the SECOND factor?

      If he can explain that, then he should blame ATT for all it's worth. If his authentication was JUST SMS code, that's still SINGLE factor, not two factor.

      1. Cronus

        Re: Bah!

        They didn't know the second factor, as per the article:

        "This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that"

  4. Anonymous Coward

    We need to collectively stop calling SMS/phone verification 2FA

    2FA should be for actual authentication. Time or token based systems do that. Verifying an email/phone/SMS line without authentication does not provide the same level of security. It should be used as the last resort option for customers without access to a smartphone/computer. It is especially galling as the time based 2FA is easy and free, and does not require the user to have an active network connection so it can be confirmed over the phone/face to face.

    They could easily use it as an alternate to ATM/Point of Sale pin codes as well, with only back end changes on the banks' servers, which would really inconvenience ATM skimmers as well.

    The problem is the people running those systems are barbarians, and maliciously savage ones to boot. Squatting over musty heaps of old FORTRAN and COBOL punchcards, waving incantations over Visual Basic powered Excel spreadsheets. They invoke the names of Old Gods, and pray for the return of the AS/400 mainframe to the cave of the great wind god HAY-LON.

    They even managed in successive firmware updates to screw up Apple Pay. It asks for your PIN code now. The whole point of Apple Pay was it never needed your PIN code. Why are they even asking for it? To make A.P. as inconvenient as their highest profit/fee service is my guess. Possibly charging a phantom merchant fee and skimming the profit? Where is that PIN even GOING?

    The majority of these people will only change when it's mandated by an exterior force like the PCI standards body, and then only grudgingly and late...
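Two mechanisms come up in this thread: the time-based codes this comment recommends over SMS, and (in big_D's comment further up) a generator that binds the code to the recipient account and amount so a man-in-the-middle cannot alter the transfer. The following Python is an added example written for this page, not code from any commenter, bank or vendor. `hotp`/`totp` follow RFC 4226 / RFC 6238 exactly (the demo secret is the RFCs' own reference seed), while `transaction_code` uses a message layout that is an assumption made here to illustrate the idea, not any bank's real format; the recipient and amounts in `mitm_demo` are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed used for the RFC 4226 / RFC 6238 reference vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30          # seconds per TOTP window (RFC 6238 default)


def truncate_hmac(secret: bytes, message: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, message) to a decimal code."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the counter is an 8-byte big-endian integer."""
    return truncate_hmac(secret, struct.pack(">Q", counter), digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock, so no network is needed."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, recipient: str, amount_cents: int,
                     unix_time: int, digits: int = 8, step: int = TIME_STEP) -> str:
    """Code bound to the recipient and amount the user keyed into the device.

    The message layout (time counter || recipient || amount) is an assumption made for
    this example, not any bank's or vendor's actual format."""
    message = (struct.pack(">Q", unix_time // step)
               + recipient.encode("utf-8") + b"|"
               + struct.pack(">Q", amount_cents))
    return truncate_hmac(secret, message, digits)


def verify_transaction(secret: bytes, recipient: str, amount_cents: int, code: str,
                       unix_time: int, window: int = 1, step: int = TIME_STEP) -> bool:
    """Server side: recompute the code for the transaction it is about to execute,
    allowing +/- `window` time steps of clock drift, compared in constant time."""
    for drift in range(-window, window + 1):
        expected = transaction_code(secret, recipient, amount_cents,
                                    unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def mitm_demo(unix_time: int = 1_000_000) -> tuple:
    """The user signs (recipient, amount); a man-in-the-browser then alters one field.
    Returns (genuine_accepted, altered_recipient_accepted, altered_amount_accepted)."""
    code = transaction_code(DEMO_SECRET, "DE00 1234 5678", 5_000, unix_time)  # constructed values
    genuine = verify_transaction(DEMO_SECRET, "DE00 1234 5678", 5_000, code, unix_time)
    swapped_recipient = verify_transaction(DEMO_SECRET, "GB00 9999 9999", 5_000, code, unix_time)
    inflated_amount = verify_transaction(DEMO_SECRET, "DE00 1234 5678", 500_000, code, unix_time)
    return genuine, swapped_recipient, inflated_amount


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))      # 755224 per RFC 4226 Appendix D
    print("TOTP at t=59:  ", totp(DEMO_SECRET, 59))    # 287082 per RFC 6238 Appendix B
    print("MitM demo:     ", mitm_demo())               # (True, False, False)
```

The point of `transaction_code` is that the server recomputes the code over the recipient and amount it is actually about to execute, so a browser-side edit of either field produces a mismatch and is rejected. A plain TOTP code, by contrast, authenticates the session only; nothing ties it to what the session then does.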

    1. Anonymous Coward

      Re: We need to collectively stop calling SMS/phone verification 2FA

      Almost everyone takes this shortcut because it is easy - everyone has a phone and text messages are free for almost everyone these days. Personally I'd rather run a standard RSA app on my phone after having them provide me a seed, but what would really happen is that everyone would want their own damn app which is no kind of solution.

      However, a separate device is MUCH worse - then everyone will want their own separate device - the result would be that I simply wouldn't use 2FA unless forced because no way I'm carrying around a Paypal 2FA device, another for my bank, yet another for my retirement account, etc. etc. etc.

      The company I'm consulting for has smartcards that can be used with employer issued PCs that have a smartcard reader, or with a standalone PIN reader for those like me without employer issued PCs. They use these for remote access and access to most resources in their intranet.

      Last year they enabled SMS as an alternative to the smartcard, so now I use that, so when I got notification my smartcard certificate was going to expire I didn't even bother to renew it. I suppose it is less secure given that SMS is not secure and someone might be able to "brute force" AT&T and find a stupid rep who will transfer my phone number. But using my phone to login is a lot more convenient than using a PIN pad and smartcard that adds to the crap I have to carry around, so as long as they choose to allow it, I'll choose to use it. If there was a way I could use the RSA app on my phone, I'd switch to that from SMS.

      1. Bronek Kozicki

        Re: We need to collectively stop calling SMS/phone verification 2FA

        If everyone supported FIDO U2F, you would only need to carry one very small key. Google, Facebook, Dropbox, Github (to name just a few) do support it. Sadly PayPal cannot be bothered

        1. Anonymous Coward

          Re: We need to collectively stop calling SMS/phone verification 2FA

          I don't want to carry even one thing around. I want a single app, or I'm going to continue using SMS for 2FA because that's the only other alternative that doesn't make me carry shit around with me. It is 2017, there's no reason I should have to carry a physical object around with me for this purpose when I carry the equivalent of 1990's fastest supercomputer in my pocket!

          1. Bronek Kozicki

            Re: We need to collectively stop calling SMS/phone verification 2FA

            Fido U2F key is smaller than most door keys and can be conveniently attached to them. You probably carry your home keys with you?

            I do understand your objection to carrying extra things with you though, but similarly some object to having such a crucial application installed in a not-so-secure environment which is a phone.

  5. Frozit

    No 2 factor authentication method will overcome social engineering. There will ALWAYS be a way to admin override the settings and reset them. You know this, you live it every day resetting user passwords.

    1. Charles 9

      And these always have to deal with human fallibility. What happens the day you leave the fob at home on a crucial day you're hours away? Or what about the RSA attack which was apparently after secrets behind 2FA tokens so as to crack them?

    2. fidodogbreath

      There will ALWAYS be a way to admin override the settings and reset them.

      Suppose I use Authy or similar to generate TOTP codes and my phone is lost, stolen, or broken. I'm well and truly screwed. (Yes, I know about backup codes, but storing them securely so that they can be accessed from anywhere in an emergency without the 2FA device is problematic.)

      So here's the conundrum of 2FA as it exists now:

      * If there is no way to reclaim accounts without the 2nd factor, you're in a world of hurt if you lose access to the device.

      * BUT -- if there is a way to talk customer service into doing a password reset, then it's not really 2FA because you don't need the 2nd factor to get control of the account. So what's the point?

      It's fashionable to say that people should use 2FA for everything now. But doing so is not without risks, and those risks are rarely mentioned...until a story like this comes along and reminds us that the weakest link is always the wetware.

      1. DavCrav

        "If there is no way to reclaim accounts without the 2nd factor, you're in a world of hurt if you lose access to the device."

        I see this, but one solution would be a third factor, a letter sent to your home address. It'll take a while, but that one is even harder to deal with. Anyone who is up for stealing your phone, e-mail and intercepting your post, well, not every crime can be stopped.

    3. Paul Crawford Silver badge

      If you can reset the account with only access to the phone it is single factor, not two.

    4. Dan 55 Silver badge

      The software could not let the call centre drone get to do things if the customer doesn't get the password right.

      If the customer's forgotten the password it could go on to other security questions, again not letting the drone go on to later screens unless the customer gets most or all of them right.

      And it should certainly not allow repeated spamming of the call centre.

      If there is some doubt about the customer then the drone should be able to play back previous calls to the call centre to compare voices, check if the caller is calling from their own home or mobile, and so on.

      There are certainly ways to tighten up things.

      1. Charles 9

        But now you're on the sliding scale. Make things TOO tight and you end up with complaints from people who can't get their business done because they've LOST their second factors and can't get a new one issued. Too tight or too loose, you end up losing business, and there's always the risk the medium is not happy but UNhappy: loose enough that accounts STILL get stolen, yet tight enough that people STILL complain too much about losing access.

      2. Anonymous Coward

        The software could not let the call centre drone get to do things if the customer doesn't get the password right.

        If the customer's forgotten the password it could go on to other security questions, again not letting the drone go on to later screens unless the customer gets most or all of them right.

        That is always the process, but the issue is the operator. They are the ones who say, no you haven't got it right, but they also have to say, yes they did get it right.

        In this case, one operator eventually said, yes they did get it right, when they didn't. You can't stop that. Do you really think every 'drone' really cares that much about their job? Of course not, they do what they can for an easy life, and some people are easily persuaded...

    5. JimboSmith Silver badge

      Back in the day I went with a mate to his dad's business for the day as one of those bring your kids to work day jollies. They were a delivery firm and had been the target of an attack where someone had tried to change the delivery address of a regular order (of electronics, if my memory serves me). The lady who ran the dispatch office had a novel solution to this problem and had her own version of two factor authentication. When you called there was, amongst other things, a codeword you had to use to change an address; if they didn't supply that or got it wrong then nothing changed. She also had in the same book a series of letters next to the client. She'd got everyone listed with letters like SNB, FA, RA, DV (those are the ones I remember) which also related to the client. So if you called up as a customer, even if you gave the correct code word, if you didn't sound like your acronym(s) Snobby (SNB), have a Foreign (FA) or Regional (RA) accent or Deep Voice (DV) then she'd be very wary.

      1. Charles 9

        "She'd got everyone listed with letters like SNB, FA, RA, DV (those are the ones I remember) which also related to the client. So if you called up as a customer and even if you gave the correct code word if you didn't sound like your acronym(s) Snobby (SNB), have a Foreign (FA) or Regional (RA) accent or Deep Voice (DV) then she'd be very wary."

        How did the secretary handle things, though, when the voice change was for a legitimate reason (usual person was on vacation, for example)? False negative?

        1. JimboSmith Silver badge

          No idea as I was only there for a day but it struck me as a good idea at the time. You would at least know that you weren't speaking to the regular person and then make further checks as to the veracity of the caller. Just seemed a better plan than accepting blindly the new address the person on the other end of the phone line was giving you. Could result in an expensive mistake otherwise.

  6. Francis Boyle Silver badge

    "PayPal is terrible"

    Yes, the problem is definitely PayPal.

    1. Stevie

      Re: "PayPal is terrible"

      No, the problem was the dimwit AT&T "technician", and a lack of AT&T gumption when it comes to how to react to individuals' repeated call-bombing the help and support center sans proper credentials.

      The PayPal part is the one where the attempt to make them act like a real bank hits their terms and conditions. I've only anecdotal evidence to offer, but there seems to be no dearth of people who are less than impressed by the problem mitigation offered by PayPal. The victim (who is of course being blamed in these comments - big surprise) is expressing a lack of sanguinity vis-a-vis a speedy and angst-free resolution of the breach caused by a dimwit working for AT&T.

  7. Anonymous Coward

    Simply dont

    leave money in a paypal account.

    As much as paypal like to bleat how safe they are, they are not governed in the same way as banks are.

    They are free to do WTF they like with your money.

    Any seller on ebay who now insists on paypal only doesn't get my trade, when I sell on ebay I make a very clear point that I DON'T accept paypal.

    You leave money in the hands of paypal and its a lottery if you ever see that money without jumping through numerous hoops.

    1. collinsl Bronze badge

      Re: Simply dont

      eBay requires paypal as a payment option.

      1. Anonymous Coward

        Re: Simply dont

        No, ebay insists you OFFER paypal but cannot make you use paypal as your only means of receiving monies.

        So, COD, cheque, BACS, matagalian gumbo beads etc are all valid and ebay MUST offer these other payment options.

  8. Sir Runcible Spoon

    This guy is lying

    "because I'm a software developer and we always blame the software."

    Bullshit, they always blame the network.

  9. Nick Kew

    Old news

    Here in Blighty, the BBC have reported several instances of exactly this hack over (from memory) at least two or three years. I think they also reported that one of our banks had stopped using SMS 2FA in response to documented cases of their users' phone numbers being hijacked.

    If 2FA is to work, it needs to be cryptographically secured. End to end, not just in components where it's easy.

    And to pre-empt the next hack, if a 2FA token is issued by the same Authority as an https session where the transaction originated, we're staring at another single-point-of-failure.

    1. Anonymous Coward

      Re: Old news

      Keep in mind this is the US, a country where they have just started rolling out this wonderful new idea of putting chips in the bank cards. But no pin numbers for them, you still sign for the transaction.

      1. kain preacher

        Re: Old news

        Chip and pin does exist in the US.

  10. Tom 38

    Yubikey + U2F

    Don't accept substitutes.

    1. Charles 9

      Re: Yubikey + U2F

      How do you use a YubiKey on your phone which has no USB ports?

      1. Swarthy

        Re: Yubikey + U2F

        How do you use a YubiKey on your phone which has no USB ports?

        USB OTG

        1. Charles 9

          Re: Yubikey + U2F

          Assuming your phone takes USB OTG. This isn't a given. Remember the phone with the non-standard port?

      2. Tom 38

        Re: Yubikey + U2F

        How do you use a YubiKey on your phone which has no USB ports?

        I tap it on the phone, as it is both USB and NFC enabled. As explained under the first hit if you google "yubikey phone".

        1. Charles 9

          Re: Yubikey + U2F

          And it doesn't support NFC either? Many older phones lack the NFC capability.

  11. Missing Semicolon Silver badge

    Paypal 2FA

    Paypal used to sell you security fobs or cards to do the 2FA code for you, for about a fiver. Then they introduced SMS-based "2FA". They didn't actually deprecate the old security token system, they just put the price up for a replacement fob to £20. At some point, they will turn it off, because "nobody uses it".

    I suspect they were forced into issuing security fobs by the ridiculous amount of PayPal phishing that went on, and lawyers were starting to be involved. Now SMS is deemed good enough, they can stop supporting that expensive security fob system.

  12. MAH

    Regardless of 2FA or not, I believe AT&T is at fault....simply for the fact that there were numerous logged calls on the account by someone who didn't know the security code..repeatedly...

    That should have flagged all kinds of warnings and triggered an escalation because it's obvious someone was trying to compromise the account.

    A single call with no security code, fine..but multiple attempts....seriously...that should have flagged something with AT&T

    1. Swarthy

      that should have flagged something with AT&T

      Speculation on my part: It did.

      It triggered a soft-hearted reaction to a persistent sob story most likely "my phone was stolen, and I can't remember the security code because I had it written down (at home), and I am on the other side of the country for work, and I need to be available, can't you please just transfer my number to this SIM. (sob)"

      As we see, it only needs to work once.

      1. JimC

        Re: Speculation on my part: It did.

        Especially as we can bet that ATT get any number of genuine calls saying precisely that...

    2. Anonymous Coward
      Anonymous Coward

      It did. Mobility Clarify records each time somebody tried to access the account, if it came in verified over the IVR or the system that chat uses, who on our side touched it, and what the rep did. And it throws all kinds of warnings if it even suspects something's wrong. It happens literally every day. And most of the time it's older folks that can't remember what they did when they set their account up 20 years ago.

  13. Anonymous Coward
    Anonymous Coward

    For an insider's perspective....

    I'm posting anonymously since I've got first hand experience with people trying this unsuccessfully. Nobody ever made it past me. Generally, it's unlock fraud but we do get billing and payment fraud too.

    I used to work for AT&T Mobility in Advanced Tech Support chat at Rio Rancho, which is internally MOBCARE-ATS-RRCC, which is where this probably happened, unless this guy's on a unified bill (and unified is stupider than shit) which ATS doesn't handle because a division over at wireline or uVerse handles them. I doubt that Bothell or Dallas did it, but it could have been them too. Bothell was the reason that agents can't do immediate unlocks in TORCH anymore and have to submit it to their supervisor or back office for approval.

    Thing is, Fraud is usually really, really easy to detect in Mobility Clarify, fairly easy in Telegence, even easier in System X where you order equipment like a handset, Microcell or SIM, and even easier than that if you're slightly evil and decide to play with settings in TORCH because you think the "cx" is playing fast and loose with the truth, if they have a connection to the network at all you can change settings, push them to the handset and then ask to see them.

    For example:

    ME: "I just sent you a multimedia message (or changed your VM pilot), I need you to tell me what the picture is/or what the new phone number for the VM pilot is"

    Lying Fake Customer: "The AT&T logo/+1636XXXXXXXX"

    ME: "No guy, it's a balloon/+1212XXXXXXX, and I'll ask you to be honest with me in the future"

    ME: "I need your IMEI, you can see it by dialing *#06*#"

    LFC: it's XXXXXXXXXXXX

    ME: "No, not quite"

    SYSTEM: "CHAT DISCONNECTED"

    Thing is, we stopped being allowed to PIN verify through sending an SMS, which is what happened here, back in November of last year. It's simply not good enough for the many reasons enumerated above. And we can't make any changes to the myAT&T information, customer has to do that themselves over the phone with voice ATS in Atlanta.

    I'm not saying the complainant is a liar, but I don't think he's being completely forthcoming nor is he as secure as he thinks he is. Especially by linking paypal to his bank. And it doesn't take that much time to get the fake charges dropped, even an ATS agent can waive the charges up to 1500 if there's a fraudulent charge affidavit in clarify, which there will be even though fraud usually just calls billing themselves.

  14. Fazal Majid

    That's why NIST deprecated SMS authentication

    in the draft SP 800-63-3 guidelines, which also discourage other security theater like forced password rotations and crackpot password composition rules:

    https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

    1. Charles 9

      Re: That's why NIST deprecated SMS authentication

      Why the thing against forced password rotations (which IIRC are meant to close and/or detect any unknown breaches)?

  15. Anonymous Coward
    Anonymous Coward

    Never, ever, ever use SMS for 2FA.
