Besides being points of connection, mobile numbers have long served as a proxy for their owners' identity, and that is what was put at risk in a major security breach that came to light recently. As BuzzFeed News reported, two separate flaws, one in Apple's online store and another in the website of the phone insurance provider Asurion, could have exposed information about as many as 77 million T-Mobile and AT&T customers.
Disclosed by security researchers Nicholas "Convict" Ceraolo and Phobia, the flaws revealed the account PINs of customers of the two carriers. Ironically, these PINs are exactly what is meant to protect mobile subscribers' data from being stolen. Carriers use them as an extra layer of authentication so that an attacker cannot take over a phone number and, with it, defeat protections such as SMS-based two-factor authentication. With a stolen PIN, an attacker can even order a duplicate SIM for the victim's number (a "SIM swap") and use the hijacked number for further fraud.
According to the researchers, the T-Mobile PINs leaked through Apple's online store because of a flaw in the carrier API that Apple uses to let customers pay their monthly bill from the store. Asurion's website, by contrast, was open to a brute-force attack, that is, automated guessing of every possible numeric code until one is accepted, because it placed no limit on the number of PIN attempts for AT&T accounts, while the other carriers it served were rate-limited.
Since most of these PINs are four digits, there are only 10,000 possible values, and an endpoint that never throttles or locks out the caller lets an attacker try every one of them "in a reasonable time frame." After being contacted by BuzzFeed News, both Apple and Asurion fixed the vulnerabilities on their respective platforms.
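To make the missing-rate-limit problem concrete, here is an added illustration (written for this page; it is not Asurion's, Apple's or either carrier's code). It models a hypothetical PIN-check endpoint twice: once with no attempt limit, where a 4-digit PIN falls to exhaustive guessing, and once with a per-account failure counter and lockout, where the same guessing loop is stopped after a handful of tries. The class and function names, the sample account and the PIN value are all constructed for the example.

```python
import hmac
import time


class PinVerifier:
    """Hypothetical server-side PIN check (constructed example, not any real carrier's code).

    max_attempts=None reproduces the unthrottled behaviour described in the article;
    a small integer adds a per-account failure counter and a temporary lockout.
    """

    def __init__(self, max_attempts=None, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._pins = {}          # account -> PIN (a real system would store a hash)
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> unix time when the lockout expires

    def set_pin(self, account, pin):
        self._pins[account] = pin

    def verify(self, account, candidate, now=None):
        """Return "ok", "wrong" or "locked" for one PIN attempt against an account."""
        now = time.time() if now is None else now
        if self.max_attempts is not None and self._locked_until.get(account, 0) > now:
            return "locked"   # even the correct PIN is refused while locked out
        expected = self._pins.get(account, "")
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(candidate.encode(), expected.encode()):
            self._failures[account] = 0
            return "ok"
        if self.max_attempts is not None:
            n = self._failures.get(account, 0) + 1
            self._failures[account] = n
            if n >= self.max_attempts:
                self._locked_until[account] = now + self.lockout_seconds
                self._failures[account] = 0
        return "wrong"


def brute_force(verifier, account, digits=4):
    """Try every numeric PIN in order. Returns (pin_or_None, attempts_made)."""
    attempts = 0
    for value in range(10 ** digits):
        candidate = f"{value:0{digits}d}"
        attempts += 1
        result = verifier.verify(account, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts   # lockout ends the attack on this account
    return None, attempts


if __name__ == "__main__":
    # Constructed sample account and PIN; the PIN is deliberately not near the start of the keyspace.
    unthrottled = PinVerifier()
    unthrottled.set_pin("acct-1", "7342")
    print("no rate limit:", brute_force(unthrottled, "acct-1"))      # ('7342', 7343)

    hardened = PinVerifier(max_attempts=5)
    hardened.set_pin("acct-1", "7342")
    print("lockout after 5:", brute_force(hardened, "acct-1"))       # (None, 6)
    print("correct PIN while locked:", hardened.verify("acct-1", "7342"))  # locked
```

Against the unthrottled verifier the loop recovers the PIN on its 7,343rd request, and at any realistic request rate the whole 10,000-value keyspace is exhausted in minutes. With a failure counter the sixth request is already refused, and the account stays refused for the lockout window even when the right PIN is presented. A production endpoint would also count attempts per source IP and per number, add increasing delays, and alert on bursts of failures, but the per-account counter alone is what closes the hole described above.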
While T-Mobile and Apple, apart from thanking the researchers, have not commented further on the issue, AT&T responded by saying: "In addition to the multiple layers of security we have in place to help protect our customers, we will continue to work with Asurion to investigate this. We will take any additional action that may be appropriate."