Security Flaws Exposed Account PINs of T-Mobile and AT&T Customers

Amidst all the chaotic data security issues with Sprint, and EE, two more incidents add to the growing trail. This time, it involves another telecom company – AT&T, including T-Mobile. Two security researchers, Phobia and Nicholas Ceraolo, pointed out security flaws in the Apple online store and the website of Asurion, a phone insurance company. Both the security flaws exposed account PINs of customers of T-Mobile and AT&T respectively.

Security Flaws Exposed Account PINs Of T-Mobile Customers

Reportedly, a vulnerability on Apple’s online store site could allow an attacker to brute-force customers’ PIN numbers. Consequently, the flaw exposed the account PINs and social security numbers of T-Mobile customers. As stated by BuzzFeed,

“After shoppers initiate an iPhone purchase and select monthly payment installments through T-Mobile, Apple’s site takes shoppers to an authentication form that asks for their T-Mobile cell number, and the account PIN or last four digits of their Social Security number.”

This form had no limits on the number of attempts for entering Social Security numbers and passwords. Hence, guessing and brute forcing the credentials became easy for a potential attacker. Not to forget mentioning that this flaw affected only T-Mobile customers. Whereas, the customers of other carriers, such as Verizon, AT&T, or Sprint, capped the limit to 5 to 10 attempts, followed by a locking for 60 minutes, hence preventing brute force.

This security vulnerability allegedly affected 77 million T-Mobile customers, exposing their PINs online. According to Ceraolo, this site’s response to T-Mobile customers reaching the Apple’s online store may have appeared due to an engineering error supposedly occurred while connecting T-Mobile’s account validation API to Apple Store.

Asurion Website Glitch Exposed Account PINs Of AT&T Users

In another incident, the customers of AT&T were put at risk. Reportedly, a glitch in Asurion’s website exposed PIN numbers AT&T customers. Asurion is a phone insurance company, and the security flaw affected the AT&T users who interacted with Asurion regarding insurance of their phones.

According to BuzzFeed, neither AT&T, not Asurion specified any number of affected customers. Explaining the flaw, they state,

“On an Asurion webpage where customers can file claims, hackers with knowledge of an AT&T customer’s wireless number could gain access to another form that asked for the account holder’s four- to eight-digit passcode.”

Here too, the form put up no limits on the number of attempts. Therefore, brute forcing the passcode became much easier. Besides, the glitch affected the AT&T customers only. For all other carriers, the form applied rate limits.

Fortunately, both Apple and Asurion patched the vulnerabilities after BuzzFeed reported how the security flaws exposed account PINS. So, now, the T-Mobile and AT&T customers seem to be safe. Yet, one cannot overlook the harms of such vulnerabilities that could result in massive losses. The recent T-Mobile data breach affecting 2 million customers is one such example that happened around the discovery of these flaws.

Let us know your thoughts in the comments section.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients