Security Breach w/ Your AT&T/Cingular Customer's Personal ..

Guest
Archived from groups: alt.cellular.cingular

I was recently very concerned about a security flaw in AT&T/Cingular's
web access requirements to login to a user's account.

Did you know that all you need in order to access any AT&T/Cingular
Customer's full account information, call logs, call history, account
history, etc. is their mobile phone number and their zip code? Yes
that is all that is needed and you have full access. Considering you
probably already have the access to their phone number, all you need
then is access to their zip code (duh their mailing address) and you
have full access. Thus any family member, friend, co-worker, business
associate, etc. that has these relatively easy to find pieces of
information can have full access to your cellular phone account.

I need your help to convince AT&T/Cingular that this is a serious
concern. Please contact Cingular in the way that is the most
convenient for you (link provided below for your convenience).

http://www.cingular.com/customer_service/contact_us
 
Guest

Simply register a new account and you will see all you need is the
cellular phone number and the zip code to access the account. Just
pick any AT&T or Cingular phone number that you know the user's zip
code of and voilà you have access. You can find cellular customers by
checking your own bill for shared minutes (free minutes) then just snag
their zip code (I assume you know them).

Imagine the problems this could create for ex-wives or husbands, high
school kids, or future hackers that just set up a randomizer to populate
the zip code field of a known cellular phone number. Then they will
know all the phone numbers on your account. They can then state that
you gave their name as a referral. Oh, it gets quite scary the more you
think about it. It is really easy to make a randomizer to create
different zip codes (there are less than 99999 of them in the US,
taking a computer only a few seconds to locate the one that works
properly).
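
A defender-side illustration of the enumeration concern raised in the post above, added here and not part of the original thread or any carrier's code: capping failed ZIP checks per phone number bounds what blind guessing over the five-digit space can achieve. The class and function names and the sample number and ZIP are assumptions made for the example.

```python
import hmac
from collections import defaultdict

ZIP_SPACE = 100_000  # upper bound on 5-digit ZIP values, as the post notes


class ZipCheckThrottle:
    """Limits failed ZIP checks per phone number within a sliding window."""

    def __init__(self, max_failures=5, window_s=3600):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(list)  # phone -> timestamps of failures

    def _recent_failures(self, phone, now):
        recent = [t for t in self._failures[phone] if now - t < self.window_s]
        self._failures[phone] = recent
        return len(recent)

    def verify(self, phone, zip_guess, zip_on_file, now):
        """Return 'ok', 'denied' or 'locked' for one registration attempt."""
        if self._recent_failures(phone, now) >= self.max_failures:
            return "locked"  # refuse even a correct ZIP until the window expires
        if hmac.compare_digest(zip_guess.encode(), zip_on_file.encode()):
            return "ok"
        self._failures[phone].append(now)
        return "denied"


def guess_success_bound(max_failures, candidates=ZIP_SPACE):
    """Upper bound on blind-guess success per window once failures are capped."""
    return max_failures / candidates


def replay(throttle, phone, zip_on_file, guesses, now=0):
    """Feed a sequence of guesses through the throttle and collect the outcomes."""
    return [throttle.verify(phone, g, zip_on_file, now) for g in guesses]


if __name__ == "__main__":
    # Constructed sample data: fictional number and ZIP, not taken from the thread.
    t = ZipCheckThrottle()
    wrong = [f"{n:05d}" for n in range(10)]
    print(replay(t, "555-0100", "90210", wrong))
    print(t.verify("555-0100", "90210", "90210", now=10))    # still inside window
    print(t.verify("555-0100", "90210", "90210", now=3601))  # window expired
    print(guess_success_bound(5))
```

A cap like this lets anyone who knows the number lock the legitimate owner out for the window, so it complements rather than replaces a stronger second factor.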
 
Guest

bpayne@gmail.com wrote:

>I was recently very concerned about a security flaw in AT&T/Cingular's
>web access requirements to login to a user's account.
>
>Did you know that all you need in order to access any AT&T/Cingular
>Customer's full account information, call logs, call history, account
>history, etc. is their mobile phone number and their zip code? Yes
>that is all that is needed and you have full access. Considering you
>probably already have the access to their phone number, all you need
>then is access to their zip code (duh their mailing address) and you
>have full access. Thus any family member, friend, co-worker, business
>associate, etc. that has these relatively easy to find pieces of
>information can have full access to your cellular phone account.
>
>I need your help to convince AT&T/Cingular that this is a serious
>concern. Please contact Cingular in the way that is the most
>convenient for you (link provided below for your convenience).
>
>http://www.cingular.com/customer_service/contact_us
>
>
>
Do you have any kind of citation?
 
Guest

===============================================
* Reply by Jack D. Russell, Sr. <jackru$$ell2@notmail.com>
* Newsgroup: alt.cellular.cingular
* Reply to: All; <bpayne@gmail.com>
* Date:Fri, 12 Aug 2005 16:58:08 -0500
* Subj: Security Breach w/ Your AT&T/Cingular Customer's Personal
Account Information
=====================================================

b>I was recently very concerned about a security flaw in
b>AT&T/Cingular's web access requirements to login to a user's
b>account.

b>Did you know that all you need in order to access any AT&T/Cingular
b>Customer's full account information, call logs, call history,
b>account history, etc. is their mobile phone number and their zip
b>code? Yes that is all that is needed and you have full access.
b>Considering you probably already have the access to their phone
b>number, all you need then is access to their zip code (duh their
b>mailing address) and you have full access. Thus any family member,
b>friend, co-worker, business associate, etc. that has these
b>relatively easy to find pieces of information can have full access
b>to your cellular phone account.

b>I need your help to convince AT&T/Cingular that this is a serious
b>concern. Please contact Cingular in the way that is the most
b>convenient for you (link provided below for your convenience).

b>http://www.cingular.com/customer_service/contact_us


B...S...!
--
Jack
 
Guest

bpayne wrote:

>Simply register a new account and you will see all you need is the
>cellular phone number and the zip code to access the account. Just
>pick any AT&T or Cingular phone number that you know the user's zip
>code of and voilà you have access. You can find cellular customers by
>checking your own bill for shared minutes (free minutes) then just snag
>their zip code (I assume you know them).
>
>Imagine the problems this could create for ex-wives or husbands, high
>school kids, or future hackers that just set up a randomizer to populate
>the zip code field of a known cellular phone number. Then they will
>know all the phone numbers on your account. They can then state that
>you gave their name as a referral. Oh, it gets quite scary the more you
>think about it. It is really easy to make a randomizer to create
>different zip codes (there are less than 99999 of them in the US,
>taking a computer only a few seconds to locate the one that works
>properly).
>
>
>
That's odd...when I try it, the system prompts me for the last 4 digits
of a qualified SSN.
 
Guest

[POSTED TO alt.cellular.cingular - REPLY ON USENET PLEASE]

In <1123878693.825916.59160@o13g2000cwo.googlegroups.com> on 12 Aug 2005
13:31:33 -0700, bpayne@gmail.com wrote:

>I was recently very concerned about a security flaw in AT&T/Cingular's
>web access requirements to login to a user's account.
>
>Did you know that all you need in order to access any AT&T/Cingular
>Customer's full account information, call logs, call history, account
>history, etc. is their mobile phone number and their zip code?

How and where? Every page I've seen asks for more than the ZIP code.

>Yes
>that is all that is needed and you have full access. Considering you
>probably already have the access to their phone number, all you need
>then is access to their zip code (duh their mailing address) and you
>have full access. Thus any family member, friend, co-worker, business
>associate, etc. that has these relatively easy to find pieces of
>information can have full access to your cellular phone account.

NOT if there is a passcode on the account.
If you don't have a passcode, get cracking!

--
Best regards, HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas <http://navasgrp.home.att.net/#Cingular>