Two-step authentication hacks through AT&T Messaging

A while back there was a bunch of noise on the net about single letter twitter handles getting blackmailed and how @h lost his.  Since I have a single letter twitter handle (@x) and know quite a few of the other single letter folks, I’ve noticed lots of random password reset notices and @ replies asking for my handle.

This isn’t something new, but one of the things recommended for security is to use two-step authentication.  Often this is done by having a code texted to you, so when you log into a site you use your username, password and that code to log in.  However, hackers have found it easy to hack AT&T Messaging and use that to view the text messages, and thus could gain control of any accounts that use that kind of two-factor authentication (so much for that!).

@j first had this happen, and it happened to me at about the same time.  @j contacted AT&T support and didn’t have much luck getting the situation resolved, and I had the same problem.  @t helped to get the word out about this vulnerability, and @a had contacts at twitter that helped expedite both @j and me getting our accounts back.

For me the whole process started with some mysteriously random texts from those five-digit text message return addresses reserved for notices.  They said something about AT&T Messaging, and it looked to me like they wanted me to sign up, so I just kept deleting them and thought nothing of it.  This was around May 19th, 2014 or so.

Around May 20th, while I was out, I suddenly couldn’t log in when I tried checking twitter to see what was going on; it asked me to log back in and I couldn’t.  I thought it weird but didn’t do anything about it until I could check later on, when I noticed my account wasn’t mine any more (screenshot below from May 20, 2014).

[Screenshot from 2014-05-20 22:08:40]

Twitter was pretty responsive and I got my account back pretty quickly with most of my account intact, but unfortunately @j lost all her info (although somehow she was still following me).  Contacting AT&T was much tougher and I got the runaround; although they did their best to help, the support folks didn’t really have a way to get the actual situation cleared up.  Through twitter I did get to talk to AT&T Customer Care, who provided one link that seemed to help.  Going back and forth to set up an AT&T Access ID was a pain, but finally today I got ownership of the AT&T Messaging account and things seem to be back in order.

The most stressful thing about this is how easy it was for the hackers to get access to your text messages through AT&T Messaging.  This pretty much makes two-step authentication worthless and is a pretty serious security vulnerability.  At AT&T it seems that the way the accounts are set up between your actual AT&T account and the messaging account is not super well integrated either.  The fraud dept. couldn’t help me at all and their response was pretty much ‘not our department’, so luckily I was mostly able to get control back on my own.