Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'
This is getting stupid now – time to dump SMS and switch to code-generating apps or tokens
A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication.
Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning his account to a new SIM card and phone – despite the miscreant not knowing the security code connected to the account. In other words, the criminal was able to persuade the US cell network's rep into making substantial changes to his account without the code, we're told.
Williams said the breach occurred last Thursday, when the hacker made multiple calls to AT&T support asking to transfer his account to a new phone. Initially, Williams said, AT&T staffers blocked the attempts when the caller could not give the phone account's correct passcode.
Eventually, however, someone at AT&T relented and, breaking protocol, agreed to reassign the phone to the new SIM card, it is claimed. At that point, the attacker was able to receive text messages to Williams' number on the new phone.
This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that. By Thursday evening, Williams tells it, he became aware of what was going on:
"I restarted the phone. No help. Reset network settings in iOS Settings. Still no success. I checked my iPad because I carry it with me and keep a SIM in it. The iPad still has service, which seemed interesting. At this point I was still blaming iOS 11 because I'm a software developer and we always blame the software."
'Someone has been dialing the AT&T call center all day'
By now, the hacker had already used their access to the PayPal account to begin siphoning money. A $200 AUD payment had been made that showed up on Williams' bank account and alerted him to what was going on.
"I instantly called AT&T's customer service line to explain what is happening. I give them my name, my phone number, and my security passcode (this is key)," Williams explains.
"The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn't know my passcode, until someone broke protocol and didn't require the passcode."
The developer said he was able to get AT&T to deactivate the phone that evening and he has since gotten a new SIM card. He has also put in a payment dispute with PayPal to get that transaction overturned, but admits he is "not optimistic because PayPal is terrible."
The lesson, says Williams, is that even with two-factor authentication enabled, accounts can still be hijacked when one link of the chain (in this case AT&T's account recovery) is broken. He says he is keeping a close eye on his bank account and credit cards.
An AT&T spokesperson responded to our request for comment, saying: "Protecting customers and their accounts is a top priority. We take this very seriously and have various security measures and protocols to prevent this. In this case, those protocols were not followed and as a result we are taking additional steps to prevent it from happening again."
While SMS two-factor authentication is extremely handy, and blocks the vast majority of account takeovers, it is not infallible – to social engineering and SS7 attacks. Time and time again, we've heard of crooks tricking wireless support staff into handing over control of devices. If you can, now's the time to consider a hardware token or app-based two-factor authentication method.
Please, feel free to post your recommendations in the comments. ®
Sponsored: Becoming a Pragmatic Security Leader