
AT&T Crack Part of a Phishing Operation

JohnGrahamCumming writes "According to a story in the San Francisco Chronicle, the AT&T store crack was the prelude to a very sophisticated phishing operation. The phishers were aiming to use the information from the store to fool existing customers into divulging SSNs and other personal information." From the article: "'The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration,' the memo says, adding that the hacked data didn't include Social Security numbers or birth dates. But the hackers had a scheme to get this extra info. After accessing the customer data, they incorporated it into phishing messages that were promptly sent to AT&T's DSL customers ... Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number."

  • Affected Customer (Score:5, Informative)

    by macaulay805 ( 823467 ) on Friday September 01, 2006 @03:51PM (#16026357) Homepage Journal
    This is bad, I believe I am an affected customer. This morning I had random charges on the credit card that I used to pay my AT&T bill with. Although it is a little relief that the report says that they did not take any social security numbers (which I do not believe I gave to them anyways), I hope there is something I can do to keep myself proactive in protecting my identity. Anyone have any suggestions (other than canceling my CC#, which has already happened)?

    Also, for anyone else, follow in my footsteps: DO NOT GIVE THE PHONE CALLERS ANY PERSONAL INFORMATION. PERIOD. If there is an issue, call your bank number personally on a known verified phone number and have the clerk verify ALL NAMES AND NUMBERS AND REASONS. (I've gotten calls already with people asking for my account information this morning as well from unverified numbers. It's happening.)
  • by vinn01 ( 178295 ) on Friday September 01, 2006 @03:54PM (#16026374)
    An SSN number is needed for a credit check. Therefore any company, like AT&T, that does end-of-the-month billing will run a credit check on all of their customers. From their perspective they are giving one month of credit every month.

    The solution is to ban the use of SSN for credit files. Use a number that the consumer controls.

    Also, let customers pre-pay monthly. I know how much my monthly cell phone billing is going to be, let me pre-pay and avoid the forced use of credit (which gets reported to the credit agencies).
  • by RobertB-DC ( 622190 ) * on Friday September 01, 2006 @03:56PM (#16026388) Homepage Journal
    From TFA:
    "To update the credit card information details for your order, please select this link," the message instructed, directing people to a "spoof site" with an illegitimate sbcdslstore.org (not .com) Web address.

    A personal website is one thing -- you might grab the .com and leave the .net and .org to whoever wants it. But wouldn't you think that a major company would think to grab sbcdslstore.org [domaintools.com] before setting up a nationally-advertised site at the corresponding .com [domaintools.com]? sbcdslstore.org was created on August 26, for crying out loud -- even if it only just dropped, surely AT&T should have been ready to scoop it up. And the .net [domaintools.com] variant was only registered this past May. Geez, if I can snag a previously lost domain name [dishchannelllist.com], surely Ma Bell can do the same?

    Well, at least they've learned their lesson and scooped up the other major extensions... as [domaintools.com], of [domaintools.com] yesterday [domaintools.com]. What was that story about a cat, a bag, and a barn door?
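The .org/.com swap described in the comment above can be checked mechanically when triaging a reported message. The following is an added example, not part of the original thread: it labels each link in a message against a list of official domains. The sample message's URL paths, the second sample sentence, and the names `classify_link` and `flag_links` are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = {"sbcdslstore.com"}   # store domain named in the comment above
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: the first sentence is quoted in the thread; the URL
# paths and the second sentence are made up for this example.
SAMPLE = (
    "To update the credit card information details for your order, "
    "please select this link: http://www.sbcdslstore.org/update "
    "Track your order at https://www.sbcdslstore.com/status today"
)

def classify_link(url, official=OFFICIAL):
    """Label a URL relative to the official domains."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port and lower-cases; strip a trailing dot.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no_host"
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    labels = host.split(".")
    userinfo = (parts.username or "").lower()
    for dom in official:
        brand = dom.split(".")[0]
        # Assumption: official names are two-label domains, so the last two
        # labels of a host are treated as its registrable domain (no
        # public-suffix list is consulted).
        if len(labels) >= 2 and labels[-2] == brand:
            return "tld_swap"          # same name, different extension
        if brand in labels[:-2] or brand in userinfo:
            return "embedded_brand"    # brand as subdomain or userinfo
    return "unrelated"

def flag_links(text, official=OFFICIAL):
    """Return (url, verdict) for every link that is not on an official domain."""
    flagged = []
    for url in URL_RE.findall(text):
        verdict = classify_link(url, official)
        if verdict != "official":
            flagged.append((url, verdict))
    return flagged

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE):
        print(verdict, url)
```
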
  • by L7_ ( 645377 ) on Friday September 01, 2006 @04:02PM (#16026430)
    There are actual student loan companies that make their living getting Student Loan information and contact information from the Dept. of Education and cold-call and/or send snailmail to students claiming that they need to do something with their student loans. Most of the time it is just to consolidate them to save money or to start paying them to avoid the credit ding. They have all of the student's information and just need verification to take action on the funds.

    People respond to this because they are lazy with their finances, they often don't understand their student loans, and these people claim to be giving them an awesome deal.

  • Re:Affected Customer (Score:3, Informative)

    by lawpoop ( 604919 ) on Friday September 01, 2006 @04:29PM (#16026632) Homepage Journal
    You can get a copy of your credit reports for free, once a year, I believe. I went to freecreditreport.com, where they have links to the 3 major credit agencies. My reports checked out, AFAIK. The site does have links for what to do if you are a victim of identity theft, but I don't know how good they are.

    If I were you, I would wait a while (for the thief to set up bogus accounts), then check out your credit reports, see if there are fraudulent accounts, and then follow up.
  • by Farmer Tim ( 530755 ) on Friday September 01, 2006 @05:21PM (#16027037) Journal
    What is uncolicitated, anyway?

    Licit is the opposite of illicit. "co" means "between two (or more) parties". "un" is a prefix that denotes a negative (see "United Nations").

    Therefore "uncolicitated" must mean "illegal between two parties".

    (That whirring noise you hear is Samuel Johnson revving up.)
  • by Anonymous Coward on Friday September 01, 2006 @07:36PM (#16027658)
    Why is AT&T collecting credit card information for ONE-TIME transactions (equipment purchase)?

    Several (possible) reasons:
    1) Not all Credit Card transactions are settled (i.e. the company doesn't take the money) immediately. That means that at the end of the day, they need to talk to the CC company to get the money. That would certainly require your credit card number.
    2) In case you decide to cancel your order and want the transaction voided from your credit card.
    3) If you later call up and say that someone has been racking up fraudulent charges on your behalf - wouldn't they want to double check with the credit card company later to verify your claim?

    There are thousands of bad things that could happen if a company did not keep the most basic records of any monetary transaction.
