STE WILLIAMS

Two-factor FAIL: Chap gets pwned after ‘AT&T falls for hacker tricks’

A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication.

Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning his account to a new SIM card and phone – despite the miscreant not knowing the security code connected to the account. In other words, the criminal was able to persuade the US cell network’s rep to make substantial changes to his account without the code, we’re told.

Williams said the breach occurred last Thursday, when the hacker made multiple calls to AT&T support asking to transfer his account to a new phone. Initially, Williams said, AT&T staffers blocked the attempts when the caller could not give the phone account’s correct passcode.

Eventually, however, someone at AT&T relented and, breaking protocol, agreed to reassign the phone to the new SIM card, it is claimed. At that point, the attacker was able to receive text messages to Williams’ number on the new phone.

This allowed the attacker to go to PayPal and use the service’s two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of it. By Thursday evening, as Williams tells it, he had become aware of what was going on:

“I restarted the phone. No help. Reset network settings in iOS Settings. Still no success. I checked my iPad because I carry it with me and keep a SIM in it. The iPad still has service, which seemed interesting. At this point I was still blaming iOS 11 because I’m a software developer and we always blame the software.”

‘Someone has been dialing the AT&T call center all day’

By now, the hacker had already used their access to the PayPal account to begin siphoning money. A $200 AUD payment showed up on Williams’ bank account and alerted him to what was going on.

“I instantly called AT&T’s customer service line to explain what is happening. I give them my name, my phone number, and my security passcode (this is key),” Williams explains.

“The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.”

The developer said he was able to get AT&T to deactivate the phone that evening and he has since gotten a new SIM card. He has also put in a payment dispute with PayPal to get that transaction overturned, but admits he is “not optimistic because PayPal is terrible.”

The lesson, says Williams, is that even with two-factor authentication enabled, accounts can still be hijacked when one link of the chain (in this case AT&T’s account recovery) is broken. He says he is keeping a close eye on his bank account and credit cards.

AT&T declined to comment.

While SMS two-factor authentication is extremely handy, and blocks the vast majority of account takeovers, it is not infallible: it remains vulnerable to social engineering and SS7 attacks. Time and time again, we’ve heard of crooks tricking wireless support staff into handing over control of devices. If you can, now’s the time to consider a hardware token or an app-based two-factor authentication method.

Please, feel free to post your recommendations in the comments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/
