Forgot your password?
typodupeerror

AT&T Crack Part of a Phishing Operation 96

Posted by Zonk
from the crafty-crackers dept.
JohnGrahamCumming writes "According to a story in the San Francisco Chronicle the AT&T store crack was the prelude to a very sophisticated phishing operation. The phishers were aiming to use the information from the store to fool existing customers into divulging SSNs and other personal information." From the article: "'The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration,' the memo says, adding that the hacked data didn't include Social Security numbers or birth dates. But the hackers had a scheme to get this extra info. After accessing the customer data, they incorporated it into phishing messages that were promptly sent to AT&T's DSL customers ... Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number. "
This discussion has been archived. No new comments can be posted.

AT&T Crack Part of a Phishing Operation

Comments Filter:
  • by mabu (178417) on Friday September 01, 2006 @03:26PM (#16026171)
    This is just one of many, many issues of privacy violations [bsalert.com] that have happened in the last year. And the feds seem mainly interested in letting states regulate and report on security breaches. So far only a few states have legislation to notify consumers of database compromises, which is a shame. The sad part is many people may have had their information stolen and they will never know until the information has been exploited, all the while the corporations have been aware of this for a long time and choose not to reveal the violations in fear of a negative PR.

    • Re: (Score:3, Insightful)

      by Meshach (578918)
      I have to say that I would never give any info to anyone who called me uncolicitated. Period.

      That seems to be always how these scams work. Someone calls and uses some credentials to get people to reveal personal information. No company worth dealing with would ever initiate contact with customers over the phone were it not previously arranged.

      When will this become common knowledge
      • by Gill Bates (88647) on Friday September 01, 2006 @03:34PM (#16026228)
        I have to say that I would never give any info to anyone who called me uncolicitated.

        I would never call you uncolicitated. Now, can I have your information?
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        "No company worth dealing with would ever initiate contact with customers over the phone were it not previously arranged."

        Most reasonable credit card companies / banks will contact customers if there is activity typically associated with fraud spotted on the account.

        What is the real solution to unsolicited calls?
        Don't give out information; hang up and call back using the real customer service number.
      • Re: (Score:3, Informative)

        by L7_ (645377)
        There are actual student loan companies that make thier living getting Student Loan information and contact information from the Dept. of Education and cold-call and/or send snailmail to students claiming that they need to do something with thier student loans. Most of the time it is just to consolidate them to save money or to start paying them to avoid the credit ding. They have all of the students information and just need verification to take action on the funds.

        People respond to this because they are l
      • by blowdart (31458)
        For it to come "common knowledge" it also needs work on behalf of the companies. My bank is an internet and telephone bank so they react well when I ask them to prove who they are on the rare occasions they ring me, however doing the same with other companies is pretty much impossible. There's either silence or outrage when you try to turn the tables and most companies refuse. Of course as they're mostly marketing calls it's actually amusing :)
      • Re: (Score:3, Insightful)

        by Code Master (164951)
        My wife had her credit card compromised a couple months ago and huge cash advances were placed on it. The card was never lost, nor did she give out any information. But, MasterCard did contact us unsolicited about it several times (when we were out). They would leave messages saying to call MasterCard security at a given number. The first couple times I heard the mesage, I ignored it because I figured they would never do that. So after looking at her card statement when it arrived, we saw the problem and i
        • by bluekanoodle (672900) on Friday September 01, 2006 @05:08PM (#16026942)
          Perhaps a better practice would be to make the unsolicited calls but ask customers to call back on the card loss number on the back of their card or to find the phone number on the last statement.

          When I train individual on Social Engineering techniques, I always tell them that if they receive a message (voice or email) claiming to be from their bank, to do a call back using a known good number from their previous correspondence.

          I've noted that some banks, when communicating via email, will tell you to log into your account by manually TYPING in an URL in your browser rather then providng any types of hyperlinks.

          • by geobeck (924637)

            I've noted that some banks, when communicating via email, will tell you to log into your account by manually TYPING in an URL in your browser rather then providng any types of hyperlinks.

            ...which is a great idea for security, but more work than the average Joe Mouse-clicker is willing to do--or capable of typing into his web browser without typos, leading to the potential for typo-squatting phishers.

          • by nanio (937692)
            If all banks adopted a text to use at the top of all correspondence with commonsensical instructions (1. Don't respond to this email or any bank email. 2. Don't click on any links in this email or any bank email. 3. Type in the URL 4. etc etc), it'd go a long way towards stopping the phishing problem. I'm thinking something in black text in a white text box, like the cigarette warnings or nutritional information on food packaging. Over time customers would come to expect such text on any email corresp
          • >some banks, when communicating via email, will tell you to log into your account by manually TYPING in an URL in your browser

            Except a phisher could do the same and simply ask someone to type in the wrong URL (foobank-visa.com instead of foobank.com, for example). At least it would prevent the obfuscated link problem and force phishers into providing a lead for investigators at a domain registry.

            "Use a bookmark" would be better advice because it would require DNS poisoning in order to make the phishing
    • Re: (Score:3, Insightful)

      by lawpoop (604919)
      While this is a serious problem, I think the proposed solution that the politicians cook up will be much worse than the cure. I have the gnawing feeling that 'solution' for identity theft is going to be a national ID card, with biometric ids. And the public, not understanding electronic issues, will buy it. Then you will need crack only one system.

      In an ideal world, we could build some kind of peer-to-peer GPG web of trust, where the person themself has full control of establishing their identity.
  • Yep. (Score:2, Flamebait)

    by Renraku (518261)
    I saw a comment either on Fark or Slashdot about a someone that placed an order with AT&T to order a friend the power supply for their modem or router or whatever it was.

    A few days later they received an email asking for their SSN and other personal information that they shouldn't have been asking for. Of course they didn't fall prey to it, but it contained the order number and order details of the order they had placed! Its the ultimate phishing scam. They can now be virtually indistinguishable from
  • by Wilson_6500 (896824) on Friday September 01, 2006 @03:36PM (#16026252)
    You (should) still be immune to phishing scams if you refuse to give _any_ personal information out unless _you_ initiated the contact (and then only with known-good contact info for a business, such as calling a number printed on your phone bill). If you get an email like this, _call the company._ Yes, I know that it's usually impossible to get through, but even if you can't or don't, nothing bad will happen.

    I wish we could get more people to realize this.
    • by raehl (609729)
      with known-good contact info for a business, such as calling a number printed on your phone bill)

      Like the phone bill I send you that looks exactly like your normal phone bill, except that it has my number on it?
    • Re: (Score:3, Insightful)

      by mordors9 (665662)
      But that is sort of the point. You initiate the contact with AT&T and order something. Then you get a response back almost right away, confirming your order, your credit card number all of that info you just entered, and advising they need these additional pieces of information. I think there are going to be an awful lot of people hoodwinked by this. Because we have always been told the same advice you just gave, don't give info unless you initiate contact, they think this qualifies and they give them w
      • I use the information to send you a bill that says you've called a bunch of porn 900 numbers from your cell phone. With my contact number on it. Then I just wait for you to call me and 'verify' your information.
    • I agree, end users don't know how to tell a phishing scam email from a real one. I wonder if this particular scam had them email their ssn or go to a web page to put it in. If there is a different web page that it goes to than the link says thunderbird will warn you, but most people use Outlook Express. I am sure AT&T got a lot of calls about this from end users and the phishers probably got some peoples SSNs. I don't see any end to this sort of activity any time soon.
    • Re: (Score:3, Insightful)

      Excellent advice, but even that doesn't always work these days. Crooks are now using fraudulent call forwarding requests to divert calls from legitimate businesses that take credit cards over to the crooks's phone numbers. The pizza parlor call forwarding scam [sfgate.com].

      Isn't security fun?
    • by Essellion (669297)
      You (should) still be immune to phishing scams if you refuse to give _any_ personal information out unless _you_ initiated the contact (and then only with known-good contact info for a business, such as calling a number printed on your phone bill). If you get an email like this, _call the company._ Yes, I know that it's usually impossible to get through, but even if you can't or don't, nothing bad will happen.

      Actually, I've started to wonder why companies don't just digitally sign all their emails. If t
  • by paladinwannabe2 (889776) on Friday September 01, 2006 @03:42PM (#16026283)
    The only people who should have your SSN are your employer, the government, and your bank(s). AT&T shouldn't have anyone's SSN except its own employees.
    • by vinn01 (178295) on Friday September 01, 2006 @03:54PM (#16026374)
      An SSN number is needed for a credit check. Therefore any company, like AT&T, that does end-of-the month billing will run a credit check on all of their customers. From their perspective they are giving one month of credit every month.

      The solution is to ban the use of SSN for credit files. Use a number that the consumer controls.

      Also, let customers pre-pay monthly. I know how much my monthly cell phone billing is going to be, let me pre-pay and avoid the forced use of credit (which gets reported to the credit agencies).
      • Also, they could actually, you know, *tell you* why they need the SSN, so you can say, "Oh, don't trouble yourself. I'll just give you a deposit/pre-pay so you needn't rely on my creditworthiness." (British accent optional) I hated having to give them that, then have them look me up, only to find, "Oh, we can't trust you... deposit needed."

        Another thing on my wish list would be not being told that I have "no credit history" after two years of paying bills and rent.
      • by Qzukk (229616) on Friday September 01, 2006 @04:18PM (#16026544) Journal
        An SSN number is needed for a credit check.

        No, no it's not. It's needed for a credit check from lazy-assed credit companies who can't be bothered to do the legwork to actually identify you.

        That's why we have this identity theft problem in the first place. If we threw away the SSN and replaced it with any other identifier, the exact same thing would happen. If we replaced it with biometric ID cards, the exact same thing would happen (it would just be a little more work. You might be [cardandathumbprint] in person, but in the computer you're still going to be card #555-55-5555).

        If consumers started storming equifax and all these other credit companies' offices with pitchforks and torches for giving away their credit over such a lousy identifier, it'd get fixed. They would figure out a real way to identify the people. As it is, nobody even thinks "gee why did TransUnion tell MegaCorp that Mr. 555-55-5555 can handle taking a out a $422523523 loan without even making sure they were talking about the right person?"

        Hell, if the debt laws would be fixed so that companies who fucked up and issued credit cards or loans to the wrong people were saddled with the bad debt writeoffs instead of being allowed to send collectors after the real person, they'd be the first in line to kick down doors and get this shit fixed.
        • by vinn01 (178295)
          I mostly agree with you.

          But for the short term, using a number that could be changed by the consumer (like a password) would go a long way towards solving the problem. Any identifier that is difficult to change is ripe for abuse once it's been revealed. An SSN is difficult to change. A biometric ID would be the worst. That can never be changed without medical intervention.

          Then, TransUnion would tell MegaCorp that Mr. 555-55-5555 has changed his identifier and that number is no longer valid for taking
          • For the short term, using a number that could be changed by the consumer (like a password) would go a long way towards solving the problem. Any identifier that is difficult to change is ripe for abuse once it's been revealed.

            That is essentially how disposable credit card numbers work or controlled payment numbers [orbiscom.com] as they have been trademarked. MBNA/BoA, Citi, Discover and Paypal all use disposable credit card numbers to let card holders make purchases online with vastly reduced the risk of fraud. It's a b

            • by Buran (150348)
              I have a BoA Visa. I've never seen a way to generate a onetime card number. How do I do this?
              • Dunno, I have MBNA whom just bought or were bought by BoA, perhaps they will roll it out to the rest of BoA's customers. MBNA's name for the service is "shopsafe."
              • Re: (Score:1, Funny)

                by Anonymous Coward
                To activate this service simply send your card number, card expiration, home address, birth date and social security number to BoA@bankofamrica.com

        • by jandrese (485)
          I've refused to give my SSN to companies that want to perform a credit check before. I thought they might just take the extra effort to identify me, but instead they just refused to provide service or required a massive security deposit before they'd give me service. For instance, the power company wanted $500 (although they would take a credit card) security deposit because I refused to give them my SSN. They promised to return it if I wasn't late on any bills for a full year. It was clear to me that t
      • Use a number that the consumer controls.

        Because we all know how good average people are with passwords and id numbers.

        • by vinn01 (178295)
          Because we all know how good average people are with passwords and id numbers.

          And we all know how good the government is at using a 8 digit id for a password. A password that is rarely changed even after being revealed all over world via the Internet.
      • An SSN number is needed for a credit check. Therefore any company, like AT&T, that does end-of-the month billing will run a credit check on all of their customers. From their perspective they are giving one month of credit every month.

        This is nonsense. In other countries, like here in Germany, we have credit cards, too - but we don't even have social security numbers. Your reasoning is flawed if you assume that just because a problem exists in the USA, it must exist everywhere.
        Additionally, we have so [kuner.com]

    • I realized schools will need your SSN as well. Still, I'm pretty sure that AT&T doesn't need your social to provide DSL or phone lines.
    • by dpbsmith (263124) on Friday September 01, 2006 @04:33PM (#16026666) Homepage
      Yeah, right, never give out your SSN.

      When I was in the emergency room with chest pain and they handed me a form, with a place for my SSN on it, and I asked if I had to give it, and they said "you won't be seen until you fill it out," what would you have done? Argued with them? Called a lawyer? Whipped out a copy of the law that says they can't do this? Asked them to get an ambulance to take me to another ER? Raise the ante and see whether they were bluffing? No, I did what I thought would affect my blood pressure least, and get me seen soonest, which was... to cave in. I gave it to them, and I believe anyone with any sense would have done the same thing. Worry about it later. I had more important things to worry about.

      And I think I'm _reasonably_ assertive about such things. Back Massachusetts drivers' licenses had SSN's by default, I was one of the people who always asked for and got a different number. When the Red Cross wanted my SSN for blood donations, I said I wouldn't give it to them and they issued me a donor card with a non-SSN.

      When my company's medical insurance wanted my SSN, I said I wouldn't provide it. They said fine, but we won't insure you. So I called the Social Security office, and said "do I have to give it to them?" And their answer, practically verbatim, was, "No, you certainly don't. However, they are under no obligation to provide you with insurance unless you do."

      Whenever I'm asked for my SSN, I always ask if there's an alternative. (And wait while they check with their supervisor). I succeed maybe half the time. The other half, well, I usually cave.

      If you can get along without credit cards, auto loans, medical insurance, and emergency rooms, more power to you.

      That line on every social security card that says "Not For Identification Purposes" is a lie, plain and simple.
      • That line on every social security card that says "Not For Identification Purposes" is a lie, plain and simple.

        Because it's logically impossible. They can make people not ask for it, but they can't make people interact with you, so if a person/business couples one to the other, ... there you go.

        (Small digression: this is like employment law, e.g. min. wage, anti-discrimination. They can make someone *who actually decides to hire people* obey certain practices, but they can't *make people decide to hire*
      • That line on every social security card that says "Not For Identification Purposes" is a lie, plain and simple.

        No, that line is correct. The social security card is not for indentification.

      • by evilviper (135110)

        When I was in the emergency room with chest pain and they handed me a form, with a place for my SSN on it, and I asked if I had to give it, and they said "you won't be seen until you fill it out," what would you have done?

        I would have said, "No problem! My SS# is 1234-56-7890."

        You can be less obvious about it if you like, but I find being extremely vocal and obvious about such issues works better in the long run.

        This isn't a court where you have been sworn-in. You can lie your ass off, Mr. Smith, and it's

      • by cr0sh (43134)
        Whenever I'm asked for my SSN, I always ask if there's an alternative. (And wait while they check with their supervisor). I succeed maybe half the time. The other half, well, I usually cave.

        In many cases (particularly insurance) - you simply put on the form "please assign", and a number will be assigned to you. Do this at your job (for your medical insurance), then when you go to the emergency room, give them the card - it will all match. If not, they can't refuse you treatment in the emergency room (I am p

      • When I was in the emergency room with chest pain and they handed me a form, with a place for my SSN on it, and I asked if I had to give it, and they said "you won't be seen until you fill it out," what would you have done?

        123-456-7890 (or however many digits one has, and preferably a more random-seeming number). They probably won't hold up your emergency care while they verify that it is correct.

        Whenever I'm asked for my SSN, I always ask if there's an alternative. (And wait while they check with their

      • Fortunately, your social security number is 078-05-1120, right?

        If you want to be assertive, this can be contested after the fact, and the law about not refusing emergency care has real teeth. In theory, you can cost the hospital its Medicare billing privileges. You also have a private cause of action.
  • SSN (Score:3, Interesting)

    by EaglemanBSA (950534) on Friday September 01, 2006 @03:46PM (#16026314)
    You'd be amazed at how easy it is to get a certified copy of your social security card...last time I lost my driver's license I only had to know my mom's maiden name and the city I was born in. Dadgum feds....
  • I can't help but wonder whether the payment card industry will adjust their security standards in the face of this kind of threat. Currently, the security standards [visa.com] stipulate that a credit card number has been sufficiently protected/destroyed if only the last four digits of the account number are kept. In the face of this kind of attack, would that be enough? All of a sudden, what information is left is being used to obtain whatever was missing.

    I can see security requirements being adjusted in a couple of w
    • I agree with you somewhat, I was just placing an order online the other day and when I went to enter my credit card info, I saw that it was stored on the server, which I always said 'no' to...came to find out they had every credit card I'd ever used on the site stored with all my personal info without my knowledge.
    • by Shadyman (939863)
      Interesting, because a certain mastercard issuer who will remain anonymous as of my post requires only the last 4 digits of your credit card and one more rather flimsy information-based security device to access your card information on the phone.
  • Wait, I thought the NSA spying operations at AT&T were a fishing expedition, looking for political espionage/blackmail content, but people told me I was a "conspiracy theorist". Now you're telling me that I was just a typo conspiracist?
  • Affected Customer (Score:5, Informative)

    by macaulay805 (823467) on Friday September 01, 2006 @03:51PM (#16026357) Homepage Journal
    This is bad, I believe I am an affected customer. This morning I had random charges on the credit card that I used to pay my AT&T bill with. Although it is a little relief that the report says that they did not take any social security numbers (which I do not believe I gave it to them anyways), I hope there is something I can do to keep myself proactive in protecting my identity. Anyone have any suggestions (other can canceling my CC#, which has already happened)?

    Also, for anyone else, follow in my footsteps: DO NOT GIVE THE PHONE CALLERS ANY PERSONAL INFORMATION. PERIOD. If there is an issue, call your bank number personally on a known verified phone number and have the clerk verify ALL NAMES AND NUMBERS AND REASONS. (I've gotten calls already with people asking for my account information this morning as well from unverified numbers. Its happening).
    • Re: (Score:3, Informative)

      by lawpoop (604919)
      You can get a copy of your credit reports for free, once a year, I believe. I went to freecreditreport.com, where they have links to the 3 major credit agencies. My reports checked out, AFAIK. The site does have links for what to do if you are a victim of identity theft, but I don't know how good they are.

      If I were you, I would wait a while (for the theif to set up bogus accounts), then check out your credit reports, see if there are fraudulent accounts, and then follow up.
      • Go here [annualcreditreport.com] - not "freecreditreport.com". They will give you a report, but they also want to sign you up for monitoring, for a monthly fee.

        They do reference the truely free site - right on the front page, even if it is in a blue-on-blue color scheme.

  • by RobertB-DC (622190) * on Friday September 01, 2006 @03:56PM (#16026388) Homepage Journal
    From TFA:
    "To update the credit card information details for your order, please select this link," the message instructed, directing people to a "spoof site" with an illegitimate sbcdslstore.org (not .com) Web address.

    A personal website is one thing -- you might grab the .com and leave the .net and .org to whoever wants it. But wouldn't you think that a major company would think to grab sbcdslstore.org [domaintools.com] before setting up a nationally-advertised site at the corresponding .com [domaintools.com]? sbcdslstore.org was created on August 26, for crying out loud -- even if it only just dropped, surely AT&T should have been ready to scoop it up. And the .net [domaintools.com] variant was only registered this past May. Geez, if I can snag a previously lost domain name [dishchannelllist.com], surely Ma Bell can do the same?

    Well, at least they've learned their lesson and scooped up the other major extensions... as [domaintools.com], of [domaintools.com] yesterday [domaintools.com]. What was that story about a cat, a bag, and a barn door?
  • by gameforge (965493) on Friday September 01, 2006 @04:03PM (#16026436) Journal
    I go to school at Metro State College of Denver. About a year ago, a laptop got stolen that had much the same kinds of information in it on well over 50,000 students who had attended the college over several years.

    My mother works for Wells Fargo Home Mortgage; an independent company that was auditing their health insurance had one of their laptops stolen with similar information for thousands of WFHM employees (possibly other Wells Fargo employees too).

    Here's the bottom line: Expect every person in the world to try and get at your life in anyway they can. That said, it's your job to protect yourself. Inconvenience, lack of technical knowhow, lack of time and etc. are not valid excuses; it's just too damn important. If someone nabbed Newegg.com's database right now, how many of you would be in great risk? Particularly if your record was the only one they stole; a Newegg.com employee could probably do that without Slashdot or ABC News ever knowing about it.

    If they got the card number you use at Newegg, how much money could they take? Is that a check card linked with your bank account? Your only bank account? Most credit card companies will immediately call you if there's all of a sudden a much greater than usual balance on your card. Banks won't call you of a large sum of money disappears out of your account.

    So, is most of your money in a savings account that NOBODY has the information for (except you)? Is your home address well secured? Do your kids know how not to get kidnapped? You do check your own credit semi-frequently, don't you? Does (whatever company) really need your SSN to sell you their product? Do you think their system will blow up if that field is left blank when you throw a fit? Do you refuse to send sensitive information over e-mail or IM or SMS (with a preference for telphone or in-person business)?

    Does your garage door opener hang proudly from your sun visor (with the corresponding home address on your registration & insurance in the unlocked glovebox)? Is a key to your house sitting in a Supra lockbox hanging on the door handle so the maid can get in? Or is it, perhaps, in that fake looking rock next to the porch? You know, the one your kid picks up every day when he gets home from school?

    Think. It's your job, not your government's, not the sheriff's, and not some corporation's... yours. There may be laws in place to protect you; people will break them. And then you're still out your valuables. Really: think.
    • MOD UP PARENT!
    • by Bozdune (68800)
      Congratulations, you go to college. Here's the first lecture in Physical Security 101:

      Any house can be broken into, simply by smashing a window or a slider with a large rock or brick -- an object that you don't even have to bring with you. You can probably find it right in the garden. There's no need for some imaginary and deeply clever criminal to snoop around peering at garage door openers and license registrations. The obvious corollary to this is that there's little need for you to lock your door in
      • by gameforge (965493)
        I'm glad you picked on me with your rant.

        If I knew you in person (you know, as a good buddy or something) I'd challenge you to break into my house.

        All of the lower-level windows and doors have bars on them (illegally; not the kind that can be broken out from the inside if there's a fire. I have a special plan for fires.) All doors leading outside have a storm door with a deadbolt (and the bars). The garage door is steel with deadbolts that lock when it closes. You can unlatch them from the inside.

        You co
        • by Bozdune (68800)
          I thought my rant was pretty funny, actually. I am my own best audience.

          But your response is kinda weird. I don't know ANYONE who takes their physical security that seriously. Perhaps Michael Moore is right -- our biggest enemy is fear itself, and a culture and news media that promotes it.

        • by Suidae (162977)
          just curious.

          Is your house brick or stone? If not, what's the siding made of, and whats under it?

          Many of the house around here, including mine, are 2x4s with foam, fiberglass insulation and drywall. The only thing stopping someone from punching through the wall with their bare hands is the siding, which is quarter inch manufactured board. With a big screwdriver and a few minutes away from public view anybody could go right through the wall with minimal noise.

          • by gameforge (965493)
            WTF? That's quite possibly the most ridiculous thing I've ever heard of. I don't think I've ever once heard of anyone breaking into a house this way. I mean I'm sure it's happened; I wouldn't expect it to be anything but fluke and rare (and INCREDIBLY stupid burglars). I guess I would expect that more if someone who knew me was really trying to get something of mine (or me) who might have lost it and isn't thinking about consequences.

            I mean I wish I could drive a Bradley tank around, but my Grand Am is
            • by Suidae (162977)
              WTF? That's quite possibly the most ridiculous thing I've ever heard of.

              http://en.wikipedia.org/wiki/Hole_in_the_Wall_Gang [wikipedia.org]

              It's really not that uncommon, and it doesn't take '15 or 20 minutes' if the home is built with foam board rather than plywood. All you have to do is lever up the siding (trivial for vinyl, not difficult for board) then push through the foam, insulation and drywall. In a back yard with a privacy fence you could easily accomplish this in under 5 minutes. If the walls are made of sterner
      • >there's little need for you to lock your door in the first place

        Your insurance company might have some thoughts of their own on that subject.

        Physical security 101 is knowing that people on the wrong side of the law hate making noise or taking a second longer than they need to.

        Physical security ties into protecting personal data directly when it comes to mail theft. This isn't academic, it's been happening to people a few blocks up the hill from my house.
    • Is a key to your house sitting in a Supra lockbox hanging on the door handle so the maid can get in? Or is it, perhaps, in that fake looking rock next to the porch?

      I opted for the fake dog poop, myself.

      Three reasons. First, because I think it's funny. Secondly, because I figure if a burglar is willing to bend down and examine it for authenticity, there's a chance that he'll be wrong, at least once. And that would be funny. And last, because I own a dog He's not much of a watch dog, but at least he knew
      • Definitely true, the person was under oath for jury selection and I was in the same jury pool so I heard it direct. Lawyers wanted to know who had been the victim of a burglary.

        The person had someone break in while she was at home. Very dangerous situation. Her dog was dying of leukemia and unable to move, so it wasn't going to be much help.

        The intruder didn't know that and didn't stop to check. He turned around and left as soon as he saw a Rottweiler.

        Don't get a dog just for security, though. They need aff
  • by phulegart (997083) on Friday September 01, 2006 @04:09PM (#16026465)
    I'm already on record here with my opinions and stance on phishing. Education, as has been pointed out in several comments, is key. The uninformed are the targets phishers seek. So how do you educate everyone on the internet? Most barely know more than "point and click" operation of their computer.

    Paypal, for instance does not need your SSN, but by supplying it, you can earn 5% interest on the money sitting in your account. There are countless other legitimate examples.

    How do you educate the world on a single issue, especially when there are more pressing issues that are higher on the global priority list? Hell, I bet most of you have a few friends on your instant messenger friends list, who still pass on those mass messages threatening to shut down the service if the message is not forwarded to everyone? All 4 of the biggies, Y!, AIM, MSN, and ICQ all state clearly in multiple places they will never do this... they will never send out a system wide message that has to be forwarded. Yet people still don't know this, even after 7 years. And those messages don't even look nearly as legitimate as some phishing sites.
  • by Bromskloss (750445) < ... <at> <gmail.com>> on Friday September 01, 2006 @04:12PM (#16026480)
    ...when you're using AT&T!
  • Phishing is the attempt to lure someone into a trap/trick with unsophisticated bait. This goes beyond using a worm... this is more like a using a Fembot or one of those peal-off faces in MI2. Anyone that is armed with customer records, credit card info, and a penchant for buggary will do fairly well even if the public is aware of phishing.
  • Huh ?

    They were trying to push laws so that they would be in practical control of the net. So thats how it was going to be ?
  • How is this "hacking"? They should blame this on criminals, and/or AT&T.
  • When are our legislators going to pass a law against this phishing nonsense?
  • "The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration..."

    Why is AT&T collecting credit card information for ONE-TIME transactions (equipment purchase)?
    • Re: (Score:1, Informative)

      by Anonymous Coward
      Why is AT&T collecting credit card information for ONE-TIME transactions (equipment purchase)?

      Several (possible) reasons:
      1) Not all Credit Card transactions are settled (ie. the company doesn't take the money) immediatly. That means that at the end of the day, they need to talk to the CC company get the money. That would certainly require your credit card number.
      2) In case you decide to cancel your order and want the transaction voided from your credit card.
      3) If you later call up and say
  • so when will we wake up to how simple the whole identity issue is.

    currently we use dob and ssn as the primary key to trusted electronic identity. they are managed by the state, which is slow and inefficient. when stole, there is almost no way to change ssn, and dob can never be changed.

    the key should be a cert, under control of the individual, and the rest should be open or tied to a signature from that person's cert. a cert would be easy to fix/replace when it is lost or stolen.

    community efforts exist
  • ...with built-in column level encryption.

    Now granted I'm just talking out of my ass and parroting the party line. However SQL 2005 is SOX compliant, and if AT&T was SOX compliant, such things wouldn't have happened. Unfortunately SOX is only a couple of years old, and the "enforcement" stage of it at this point only really required auditted companies to identify where they aren't compliant and make a promise to come into compliance. There aren't any real penalities for being out of compliance.

    Are the

    • Sane: do crypto in the app, so the database never sees unencrypted data
      Sane: do access control in the database
      Crazy: encrypt parts of the database, but the database has the crypto key...

Nondeterminism means never having to say you are wrong.

Working...