Hack attack targets Verizon, AT&T wireless users

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO62673,00.html.html

By ASHLEE VANCE
IDG NEWS SERVICE 
July 30, 2001

Verizon Wireless Inc. and AT&T Wireless have started investigating a
security breach that may have allowed outsiders to see confidential
information of at least hundreds of their customers. The situation has
prompted investigations by at least two police units in California and
Oklahoma.

Officials at Bedminster, N.J.-based Verizon and Redmond, Wash.-based
AT&T confirmed that they are looking into an apparent security breach
that allowed information of a number of users to be publicly
circulated in Internet chat rooms.

Investigators in Kiowa County, Okla., are checking into complaints
from customers who discovered that their private information had been
posted publicly in a chat room and who noticed strange charges on
their credit cards, according to Deputy Terry Tyler at the Kiowa
Country Sheriff's Department. Tyler has contacted credit card
companies about the matter, but Tyler couldn't provide other details
at this time. A similar investigation is under way in Rancho
Cucamonga, Calif.

Chat room log files and online interviews with the victims indicate
that many of the victims signed up for wireless service from either
Verizon or AT&T between December and April of this year, with most of
the users living in Indiana and Illinois, according to a report from
MSNBC.com.

Victims interviewed by MSNBC said they had ordered wireless services
over the Internet from Verizon and AT&T. During the ordering process,
victims were asked to provide credit card information, security
experts said. The security breach therefore may have occurred between
transmissions among the wireless service providers and credit card
service providers, security experts said.

The information being distributed likely includes credit card numbers,
Social Security numbers and driver's license numbers, along with other
personal data typically used in online applications for a variety of
services, according to Jim Magdych, security research manager at PGP
Security, a division of Network Associates Inc. in Santa Clara, Calif.

The MSNBC report stated that log files revealed by chat room sources
showed that private information was being posted at a rate of two new
records per minute. At that rate, the security breach may have
affected at least hundreds of victims, said Magdych.

"It looks like some information may have been taken possibly from
these wireless providers and also possibly from a third party that
might be doing credit checks for the wireless providers," he said.

The personal data was likely either leaked as a result of unencrypted
files used by the wireless providers, by third parties with whom they
work or by a malicious worker inside of one of the wireless or
third-party companies, Magdych said. In any case, private information
was posted in an Internet Relay Chat room.

"We take the security of our customers very seriously and are
investigating the situation," said a Verizon spokeswoman.

AT&T offered a similar message: "We are completely committed to
protecting the personal and financial information of our customers,"
said a spokeswoman for AT&T Wireless. "We have our security folks
investigating this right now."

The distribution of customers' Social Security numbers and driver's
license numbers could have much more damaging long-term affects on a
user's life than just the typical online crime of credit card fraud,
Magdych said.

"If someone has the personal information and they commit identity
theft, then that is something to be more concerned about," he said.
"There is not a lot of remedial action you can take in that case."

Unlike credit cards that can be easily canceled, Social Security
numbers identify an individual throughout his life. A criminal armed
with that kind of sensitive information could obtain financial
information from banks, credit card companies or loan lenders on the
person whose Social Security number has been obtained. It's also
possible to set up bank accounts and obtain credit cards and loans
under the person's name.

A range of troubling scenarios can result from having a Social
Security number fall into the wrong hands, and it can be particularly
difficult to undo the damage, which in such cases often extends for a
long time.






-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.