AT&T Crack Part of a Phishing Operation 96
JohnGrahamCumming writes "According to a story in the San Francisco Chronicle the AT&T store crack was the prelude to a very sophisticated phishing operation. The phishers were aiming to use the information from the store to fool existing customers into divulging SSNs and other personal information." From the article: "'The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration,' the memo says, adding that the hacked data didn't include Social Security numbers or birth dates. But the hackers had a scheme to get this extra info. After accessing the customer data, they incorporated it into phishing messages that were promptly sent to AT&T's DSL customers ... Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number. "
yeah (Score:0, Insightful)
Privacy violations rampant (Score:5, Insightful)
Re:Privacy violations rampant (Score:3, Insightful)
That seems to be always how these scams work. Someone calls and uses some credentials to get people to reveal personal information. No company worth dealing with would ever initiate contact with customers over the phone were it not previously arranged.
When will this become common knowledge
Re:Privacy violations rampant (Score:3, Insightful)
In an ideal world, we could build some kind of peer-to-peer GPG web of trust, where the person themself has full control of establishing their identity.
One thing's still true (Score:5, Insightful)
I wish we could get more people to realize this.
Never give out your SSN (Score:4, Insightful)
What's your personal information's potential? (Score:5, Insightful)
My mother works for Wells Fargo Home Mortgage; an independent company that was auditing their health insurance had one of their laptops stolen with similar information for thousands of WFHM employees (possibly other Wells Fargo employees too).
Here's the bottom line: Expect every person in the world to try and get at your life in anyway they can. That said, it's your job to protect yourself. Inconvenience, lack of technical knowhow, lack of time and etc. are not valid excuses; it's just too damn important. If someone nabbed Newegg.com's database right now, how many of you would be in great risk? Particularly if your record was the only one they stole; a Newegg.com employee could probably do that without Slashdot or ABC News ever knowing about it.
If they got the card number you use at Newegg, how much money could they take? Is that a check card linked with your bank account? Your only bank account? Most credit card companies will immediately call you if there's all of a sudden a much greater than usual balance on your card. Banks won't call you of a large sum of money disappears out of your account.
So, is most of your money in a savings account that NOBODY has the information for (except you)? Is your home address well secured? Do your kids know how not to get kidnapped? You do check your own credit semi-frequently, don't you? Does (whatever company) really need your SSN to sell you their product? Do you think their system will blow up if that field is left blank when you throw a fit? Do you refuse to send sensitive information over e-mail or IM or SMS (with a preference for telphone or in-person business)?
Does your garage door opener hang proudly from your sun visor (with the corresponding home address on your registration & insurance in the unlocked glovebox)? Is a key to your house sitting in a Supra lockbox hanging on the door handle so the maid can get in? Or is it, perhaps, in that fake looking rock next to the porch? You know, the one your kid picks up every day when he gets home from school?
Think. It's your job, not your government's, not the sheriff's, and not some corporation's... yours. There may be laws in place to protect you; people will break them. And then you're still out your valuables. Really: think.
Education seems to be key. (Score:3, Insightful)
Paypal, for instance does not need your SSN, but by supplying it, you can earn 5% interest on the money sitting in your account. There are countless other legitimate examples.
How do you educate the world on a single issue, especially when there are more pressing issues that are higher on the global priority list? Hell, I bet most of you have a few friends on your instant messenger friends list, who still pass on those mass messages threatening to shut down the service if the message is not forwarded to everyone? All 4 of the biggies, Y!, AIM, MSN, and ICQ all state clearly in multiple places they will never do this... they will never send out a system wide message that has to be forwarded. Yet people still don't know this, even after 7 years. And those messages don't even look nearly as legitimate as some phishing sites.
Re:SSN is needed for credit checking (Score:5, Insightful)
No, no it's not. It's needed for a credit check from lazy-assed credit companies who can't be bothered to do the legwork to actually identify you.
That's why we have this identity theft problem in the first place. If we threw away the SSN and replaced it with any other identifier, the exact same thing would happen. If we replaced it with biometric ID cards, the exact same thing would happen (it would just be a little more work. You might be [cardandathumbprint] in person, but in the computer you're still going to be card #555-55-5555).
If consumers started storming equifax and all these other credit companies' offices with pitchforks and torches for giving away their credit over such a lousy identifier, it'd get fixed. They would figure out a real way to identify the people. As it is, nobody even thinks "gee why did TransUnion tell MegaCorp that Mr. 555-55-5555 can handle taking a out a $422523523 loan without even making sure they were talking about the right person?"
Hell, if the debt laws would be fixed so that companies who fucked up and issued credit cards or loans to the wrong people were saddled with the bad debt writeoffs instead of being allowed to send collectors after the real person, they'd be the first in line to kick down doors and get this shit fixed.
Re:One thing's still true (Score:3, Insightful)
Re:Privacy violations rampant (Score:3, Insightful)
Re:Privacy violations rampant (Score:4, Insightful)
When I train individual on Social Engineering techniques, I always tell them that if they receive a message (voice or email) claiming to be from their bank, to do a call back using a known good number from their previous correspondence.
I've noted that some banks, when communicating via email, will tell you to log into your account by manually TYPING in an URL in your browser rather then providng any types of hyperlinks.
Re:Privacy violations rampant (Score:4, Insightful)
Re:One thing's still true (Score:3, Insightful)
Isn't security fun?