Security News > 2001 > July > Hack attack targets Verizon, AT&T wireless users

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO62673,00.html.html By ASHLEE VANCE IDG NEWS SERVICE July 30, 2001 Verizon Wireless Inc. and AT&T Wireless have started investigating a security breach that may have allowed outsiders to see confidential information of at least hundreds of their customers. The situation has prompted investigations by at least two police units in California and Oklahoma. Officials at Bedminster, N.J.-based Verizon and Redmond, Wash.-based AT&T confirmed that they are looking into an apparent security breach that allowed information of a number of users to be publicly circulated in Internet chat rooms. Investigators in Kiowa County, Okla., are checking into complaints from customers who discovered that their private information had been posted publicly in a chat room and who noticed strange charges on their credit cards, according to Deputy Terry Tyler at the Kiowa Country Sheriff's Department. Tyler has contacted credit card companies about the matter, but Tyler couldn't provide other details at this time. A similar investigation is under way in Rancho Cucamonga, Calif. Chat room log files and online interviews with the victims indicate that many of the victims signed up for wireless service from either Verizon or AT&T between December and April of this year, with most of the users living in Indiana and Illinois, according to a report from MSNBC.com. Victims interviewed by MSNBC said they had ordered wireless services over the Internet from Verizon and AT&T. During the ordering process, victims were asked to provide credit card information, security experts said. The security breach therefore may have occurred between transmissions among the wireless service providers and credit card service providers, security experts said. The information being distributed likely includes credit card numbers, Social Security numbers and driver's license numbers, along with other personal data typically used in online applications for a variety of services, according to Jim Magdych, security research manager at PGP Security, a division of Network Associates Inc. in Santa Clara, Calif. The MSNBC report stated that log files revealed by chat room sources showed that private information was being posted at a rate of two new records per minute. At that rate, the security breach may have affected at least hundreds of victims, said Magdych. "It looks like some information may have been taken possibly from these wireless providers and also possibly from a third party that might be doing credit checks for the wireless providers," he said. The personal data was likely either leaked as a result of unencrypted files used by the wireless providers, by third parties with whom they work or by a malicious worker inside of one of the wireless or third-party companies, Magdych said. In any case, private information was posted in an Internet Relay Chat room. "We take the security of our customers very seriously and are investigating the situation," said a Verizon spokeswoman. AT&T offered a similar message: "We are completely committed to protecting the personal and financial information of our customers," said a spokeswoman for AT&T Wireless. "We have our security folks investigating this right now." The distribution of customers' Social Security numbers and driver's license numbers could have much more damaging long-term affects on a user's life than just the typical online crime of credit card fraud, Magdych said. "If someone has the personal information and they commit identity theft, then that is something to be more concerned about," he said. "There is not a lot of remedial action you can take in that case." Unlike credit cards that can be easily canceled, Social Security numbers identify an individual throughout his life. A criminal armed with that kind of sensitive information could obtain financial information from banks, credit card companies or loan lenders on the person whose Social Security number has been obtained. It's also possible to set up bank accounts and obtain credit cards and loans under the person's name. A range of troubling scenarios can result from having a Social Security number fall into the wrong hands, and it can be particularly difficult to undo the damage, which in such cases often extends for a long time. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.

News URL

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO62673,00.html.html