Exploring AT&T's Wireless Account Security

by satevia

I'm writing to inform the readers about the potential insecurities of their wireless phone service.

I used to work for Cingular, so most of this information will apply directly to their service.  That's not to say that things are any different with other providers, but I have no specific internal experience with them.  I'd also like to remind the readers that this information should be used to further secure access to your own wireless phone service account and not to breach the security of others.

Cingular has changed its name to AT&T Mobility since I originally started writing this article.  That's the only thing that has changed, so this does not make the article useless and does not mean that your account is any more secure.

Wireless carriers store a scary amount of information about each of their customers.  Even scarier, every support representative has access to this information simply by plugging in any bit of identifying information about you or your account.

Among other options, this can be your name, date of birth, Social Security number, home address, home phone number or cell phone number.  Just about anything specifically relating to you can be used to pull up even more information about you.

Even worse, much of this information can be used by anyone that calls into the support department to change information on your account, add services, or remove services.  That list goes on and on too.

By default when you call in to AT&T customer care and reach an operator, generally after hours of holding, you're asked to confirm your wireless number.

This generally comes up automatically on the screen, which is called the "screen pop" internally.  Along with that is the first screen that the representative must click through after they've confirmed your access to the account.  They're supposed to click which of the security measures was used to verify your identity.

Representatives are told to ask for the last four digits of the Social Security number, though with enough complaining you can generally get them to give you access to the account by providing the billing address on file.  Great!

After the representative has clicked through, confirming that your identity has been verified, a log entry is placed on the account showing which representative accessed the account and when.  This can be easily bypassed by clicking the Cancel button on the screen pop window or by accessing the internal database, Telegence, directly and not through the initial verification system, the name of which escapes me.

Many representatives do this if they're lazy.  Telegence is where all of the goodness is.  The search feature allows the agent to pull up an account using any of the identifying information above.  You can generally pick out a lazy representative as one that asks you to confirm your phone number if you entered it when calling in or pressed 1 to confirm the Caller ID.

A quick note about notes (ha!): even though representatives may make notes on accounts and even though the system automatically makes notes for just about every action taken, they don't really mean anything good for you.

Generally notes are a place where representatives explain to other representatives that may field your call later whether or not they should believe what you say or go out of their way to help you.   Did you get angry with a previous representative or sound frustrated?  Yeah, that'll probably follow you for the life of your account.

The life of an AT&T representative is not a fun one and each day really drags along.  You hear the same thing nearly every call and get yelled at nearly every call.  The only way for representatives to get back at you without getting fired is to make your notes sound like you were as uncooperative as possible.  And they will.

In addition to the information stored electronically, AT&T call centers always have pages and notepads filled with identifying information laying around.  Representatives are trained to write down specific information gathered when on a call, in order to prevent having to ask a customer again.

This includes credit card numbers used for payments over the phone.  Thankfully, security at the call centers themselves is pretty good (seriously), but visitors are allowed to be escorted throughout the building by an employee.  Technically, guests are not allowed in the work area, but this rule is largely ignored.  Badges must be displayed at all times and I've actually had security question me when mine had simply flipped around.  Kudos for that.

Unfortunately, kindness is what breaks this down.  It's quite easy to gain access to a call center itself simply by entering during the morning rush, when everyone else shows up for work.  Despite the extensive video-based training advising that employees are to watch out for "tailing" through the entrance, it's human nature to hold the door open for your fellow representative as they come to the door after you.  Everyone does this.  This, coupled with sensitive customer information available on just about every desk, leads to potential for disaster.

Let's assume, though, that physical access is hard to get, but the fact that your information is available to all representatives opens a new door for anyone to get or change this information.  A number of news articles have recently been published which show how easy it is to buy information about anyone's Social Security number or address.

This would allow the defeat of both security measures in place by AT&T.  Even if you don't have this information or don't want to pay for it, losing your phone is a great start to giving up control of your phone service.

Many people don't think to call in and have their phone suspended immediately, so there's a great chance that dialing 611 (for customer service) on a found phone will be about the most effort needed to gain access to an account.

The automated voice prompt speaks back the phone number (write this down) that's calling, saving you from having to call yourself to find the phone number and placing your phone number on that customer's call log.

This answers question #1 by the representative, "What's the wireless number that you're calling in reference to?"  Rarely, some representatives will ask for the full name of the person that's calling.  It's for logging purposes only and gets entered into the notes of the wireless number's account; access is not restricted on a per-name basis.

If this happens, you can generally give any name you'd like and still proceed through the verification process.

Next, you'll go through the authentication process described above.  Remember that knowing the victim's address is usually enough to get through.  Once verified, the account is yours.  You're free to add or remove services, change contact information, change wireless numbers, request that call records be mailed to an address, or anything else you like.  Everything can be done over the phone once you're "verified."

You might be wondering exactly how you'd get someone's address, especially if you just found a phone lying around.  That part is actually surprisingly easy.

Heading into an independent AT&T dealer with the phone number for the account is enough.  Remember to call 611 and listen for the phone number to be repeated, so you don't have to call any of your phones and have your number logged into their call log.

If you did call your own number, the logs would be kept not just on the phone, but also on the computers used by AT&T to monitor minutes usage, and on the list mailed to customers each month as part of their bill.

You can generally distinguish a dealer from a corporate store by the actual name of the company running the store listed on or around the Cingular/AT&T logo on the door or window.  Otherwise, you can always ask a representative as they're supposed to truthfully answer the question.

Dealers are generally underpaid representatives for a third-party company with no relation to AT&T other than their reseller status.  They usually care about nothing more than getting you to upgrade your text messaging package or adding internet access as they make a large chunk of commission off of "extras."

With that comes a lack of care for the security of accounts.  I guess that they assume that just knowing the phone number on an account and that the service is from AT&T is authentication enough for them and that this information alone should provide access to the account.

Next, asking to verify the billing address on file should be enough to get them to tell you.  Writing this down would be a bad idea, so try to remember it.  I'm sure you could also get them to give you the Social Security number by stating you tried to call and the numbers you gave were denied, so they told you to come in to a store and have it changed.

Then all you need to do is call customer care again, address in brain, and you've successfully penetrated the deep defenses of AT&T.

A (semi-)great way to prevent all of this from happening is to place a password on the account.  This password supersedes any other form of authentication; at least, it's supposed to.

Provided the representative over the phone realizes that there is a password on the account, the account cannot be accessed without knowing this password.

Unfortunately the only way a representative knows that a password is on an account is by the small, unbolded red text that appears as one of the authentication methods when you first call in.

Unfortunately, the system doesn't require that this method be used, and representatives are more in touch with their routine and are too preoccupied with the need to handle as many calls as possible in one day (call stats matter, you know) even to notice it most of the time.

Password-protected accounts are commonly accessed without the password over the phone due to the inattentive representative on the line.  Scary!  It's the only access control that you can place on your account, though.
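To make the failure mode concrete, here is a small model of the verification flow described above (the bypassable log entry and the optional account password), written for this article and not AT&T's own code.  The account fields, method names and both policies are assumptions; the weak policy accepts whichever single method the representative happens to pick, while the corrected policy logs every attempt before deciding and refuses anything but the password on a password-protected account.

```python
"""Model of call-centre account verification (illustrative, not AT&T code)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    wireless_number: str
    ssn_last4: str
    billing_address: str
    password: Optional[str] = None             # set only if the customer added one
    notes: list = field(default_factory=list)  # audit log of access attempts

def verify(acct: Account, method: str, value: str, rep: str,
           enforce_password: bool) -> bool:
    """Return True if the caller is granted access to the account.

    enforce_password=False reproduces the behaviour described in the article:
    any one method the rep chooses is accepted, even when a password exists.
    enforce_password=True is the corrected policy: a password-protected
    account opens only with the password, and the attempt is logged before
    any decision so the log entry cannot be skipped.
    """
    # Log first and unconditionally; nothing downstream can cancel this.
    acct.notes.append(f"rep={rep} method={method}")
    if enforce_password and acct.password is not None:
        return method == "account_password" and value == acct.password
    checks = {
        "ssn_last4": acct.ssn_last4,
        "billing_address": acct.billing_address,
        "account_password": acct.password,
    }
    expected = checks.get(method)
    return expected is not None and value == expected

def demo() -> tuple:
    """Constructed sample account (all values made up) run through both policies."""
    acct = Account("555-0100", "1234", "1 Example St", password="hunter2")
    weak = verify(acct, "billing_address", "1 Example St", "rep42", enforce_password=False)
    strict = verify(acct, "billing_address", "1 Example St", "rep42", enforce_password=True)
    with_pw = verify(acct, "account_password", "hunter2", "rep42", enforce_password=True)
    return weak, strict, with_pw, len(acct.notes)
```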

Even if you do all that you can to protect your account, you can't compensate for poor corporate teaching.  Encouraging representatives to write down personal information for customers they deal with is bad practice.

I'd much rather have to repeat my information than have it lying on someone's desk for the prying eye or unwanted visitor to see.  The contracted cleaning crews that come in nightly probably don't care about your privacy either, and full credit card numbers with names and addresses are readily available for their viewing as they clean, unwatched, each night.

I hope that this article has proved useful to everyone with a cell phone.

They're not quite as secure and private as everyone imagines and expects them to be.  With better training, better pay, and stricter hiring standards, AT&T could easily change this around and greatly increase the protection they provide for their customers' personal information.
