[ISN] Hack attack targets Verizon, AT&T wireless users

From: InfoSec News (isnat_private)
Date: Tue Jul 31 2001 - 00:31:53 PDT

    July 30, 2001

    Verizon Wireless Inc. and AT&T Wireless have started investigating a
    security breach that may have allowed outsiders to see confidential
    information of at least hundreds of their customers. The situation has
    prompted investigations by at least two police units in California and

    Officials at Bedminster, N.J.-based Verizon and Redmond, Wash.-based
    AT&T confirmed that they are looking into an apparent security breach
    that allowed information of a number of users to be publicly
    circulated in Internet chat rooms.

    Investigators in Kiowa County, Okla., are checking into complaints
    from customers who discovered that their private information had been
    posted publicly in a chat room and who noticed strange charges on
    their credit cards, according to Deputy Terry Tyler at the Kiowa
    County Sheriff's Department. Tyler has contacted credit card
    companies about the matter, but Tyler couldn't provide other details
    at this time. A similar investigation is under way in Rancho
    Cucamonga, Calif.

    Chat room log files and online interviews with the victims indicate
    that many of the victims signed up for wireless service from either
    Verizon or AT&T between December and April of this year, with most of
    the users living in Indiana and Illinois, according to a report from

    Victims interviewed by MSNBC said they had ordered wireless services
    over the Internet from Verizon and AT&T. During the ordering process,
    victims were asked to provide credit card information, security
    experts said. The security breach therefore may have occurred between
    transmissions among the wireless service providers and credit card
    service providers, security experts said.

    The information being distributed likely includes credit card numbers,
    Social Security numbers and driver's license numbers, along with other
    personal data typically used in online applications for a variety of
    services, according to Jim Magdych, security research manager at PGP
    Security, a division of Network Associates Inc. in Santa Clara, Calif.

    The MSNBC report stated that log files revealed by chat room sources
    showed that private information was being posted at a rate of two new
    records per minute. At that rate, the security breach may have
    affected at least hundreds of victims, said Magdych.

    "It looks like some information may have been taken possibly from
    these wireless providers and also possibly from a third party that
    might be doing credit checks for the wireless providers," he said.

    The personal data was likely either leaked as a result of unencrypted
    files used by the wireless providers, by third parties with whom they
    work or by a malicious worker inside of one of the wireless or
    third-party companies, Magdych said. In any case, private information
    was posted in an Internet Relay Chat room.

    "We take the security of our customers very seriously and are
    investigating the situation," said a Verizon spokeswoman.

    AT&T offered a similar message: "We are completely committed to
    protecting the personal and financial information of our customers,"
    said a spokeswoman for AT&T Wireless. "We have our security folks
    investigating this right now."

    The distribution of customers' Social Security numbers and driver's
    license numbers could have much more damaging long-term effects on a
    user's life than just the typical online crime of credit card fraud,
    Magdych said.

    "If someone has the personal information and they commit identity
    theft, then that is something to be more concerned about," he said.
    "There is not a lot of remedial action you can take in that case."

    Unlike credit cards that can be easily canceled, Social Security
    numbers identify an individual throughout his life. A criminal armed
    with that kind of sensitive information could obtain financial
    information from banks, credit card companies or loan lenders on the
    person whose Social Security number has been obtained. It's also
    possible to set up bank accounts and obtain credit cards and loans
    under the person's name.

    A range of troubling scenarios can result from having a Social
    Security number fall into the wrong hands, and it can be particularly
    difficult to undo the damage, which in such cases often extends for a
    long time.