All I Got Was This New SIM Card

Screen Shot 2017-07-07 at 21.01.51.png

Once I returned home I checked my email and saw two new emails. The first is from Google with a security reset code. I did a quick phishing check and the URLs were legitimate.

The second email I see was from PayPal stating that $200 AUD was transferred from my bank (which is an obscure / small bank) to another person. Again, checked for phishing just on the off chance that someone figured out who my bank was to craft an elaborate password fetching scheme. It’s valid… More here.

Read the whole story. Nothing less secure than people.

2 thoughts on “All I Got Was This New SIM Card

  1. “The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.”

    Well, start thinking about why the system has this kind of loophole in the first place. It’s because people forget their damn passcode – I think AT+T’s is a stupid little 4 digit number, and many people won’t just use their ATM code or whatever since that kind of sharing feels unsafe, so it’s this number you hardly ever use, until suddenly you need it. So a system like this ultimately DOES need a fallback of “ok, we’ll do what you want even without the passcode” – though I think that should better be some kind of in-person presence somewhere, not just over the phone begging…

    But the really poorly designed part of that system is that, repeated failed attempts, or even one, should generate lots of noise to the actual device holder etc, giving that person a chance to call in and say “whoa, that’s not me, please put a 48 hour freeze on any attempts to do anything needing my passcode”. Each AT+T rep had access to that record log, but nothing in the system took the chance to act on what was clearly a sketchy situation. Yes, in the scenario where some poor soul is trying to get into their own account and forgot the passcode, the messages of “someone is trying to unlock your account!” would be extra frustrating, but that’s a lesser cost than relying on human sympathy to ultimately unbar the door.

  2. So if the bank/paypal don’t refund the $200 and any other consequential losses, AT&T are liable surely?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s