iPhone 4 Order Security Breach (Again AT&T?)
Tuesday, June 15, 2010 at 4:55PM From Gizmodo
Apple's iPhone 4 pre-ordering has been a total disaster, but it gets much worse: An AT&T insider claims that this iPhonecalypse may be related to "a major fraud update that went wrong." The bug is exposing AT&T users' private information.
So far there have been at least three accounted cases of mistaken identities sent by Gizmodo.com readers. This is how it happens: A customer tries to log into their AT&T account to order a new iPhone 4 upgrade. Despite entering their username and password, the AT&T system would take them to another user account. This gives access to all kinds of private information about the mistaken customer: Addresses, phone calls, and bills, along with the rest of private information, becomes exposed to random strangers.
The latest case comes from reader John King:
From: john king
Date: Tue, Jun 15, 2010 at 2:04 PM
Subject: ATT WEBSITE LOGS ME IN AS ANOTHER CUSTOMER
To: tips@gizmodo.comI LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEM
-JPK
But according to an AT&T insider, there could be a lot more happening which are not being reported. These login problems, according to the source, are probably linked to an AT server software update that went wrong this weekend [Emphasis added]:
I work at a 3rd party order processing facility—what AT&T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&T calls their iPhone program internally). Agents use AT&T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.
Over the weekend there was a major fraud update that went down on all of AT&T's systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.
The issues people are seeing at AT&T stores and online are most likely related to this update that went wrong.
I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it's just heresay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.
At this point, I can say that the system that AT&T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.
[Regarding the identity problem] Whenever we see people who are logging in and seeing other customer's account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It's a rare occurrence, but it has happened in the past.
You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.
Unfortunately it appears that even if you don't upgrade your private information could be exposed as other people try to upgrade, allowing accidental access to your account. After we reported on the initial security breaches this morning, AT&T took down their account online system completely.
At this time (3:34PM EDT), the account system is back online, but the iPhone 4 eligibility page is still down.
AT&T and Apple have not issued any statement about this security problem or the nationwide pre-order disaster.
AT&T, Iphone, privacy in Mobile/SmartPhone 