
[Full-disclosure] HP execs phone hack - SSNs *still* not secure for authentication



  Haven't seen this mentioned before, but it's part of AT&T's explanation of 
how a PI was able to falsely obtain the phone records of Thomas J. Perkins, 
the board member who resigned over the illegal investigation:

http://www.thesmokinggun.com/archive/0905061hp3.html

[transcribed by me from the jpg, any typos are my fault]

"First, with respect to your "local" residential telephone account with 
the former SBC (now AT&T), an online account was established on January 30, 
2006. [ ... ]  The person registering the online account did so through the 
Internet and provided your telephone number and the last four digits of your 
Social Security Number to identify himself/herself as the authorized account 
holder.  We have no way of determining how the person obtained this Social 
Security Number information."

  How many more times are we going to see this exact same mistake over and 
over again?  SSNs are not secure and they are not proof of authority or 
identity.  AT&T have now locked the online account facility for Mr. Perkins. 
That leaves ..  let me see...  every single customer except one still 
vulnerable to having their accounts stolen in this way.

  AT&T should disable this facility at once and not bring it back online 
until it is secured.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/