Full Disclosure mailing list archives
HP execs phone hack - SSNs *still* not secure for authentication
From: "Dave \"No, not that one\" Korn" <davek_throwaway () hotmail com>
Date: Fri, 8 Sep 2006 17:35:13 +0100
Haven't seen this mentioned before, but it's part of AT&T's explanation of how a PI was able to falsely obtain the phone records of Thomas J. Perkins, the board member who resigned over the illegal investigation:

http://www.thesmokinggun.com/archive/0905061hp3.html

[transcribed by me from the jpg, any typos are my fault]

" First, with respect to your "local" residential telephone account with the former SBC (now AT&T), an online account was established on January 30, 2006.

[ ... ]

The person registering the online account did so through the Internet and provided your telephone number and the last four digits of your Social Security Number to identify himself/herself as the authorized account holder. We have no way of determining how the person obtained this Social Security Number information. "

How many more times are we going to see this exact same mistake over and over again? SSNs are not secure and they are not proof of authority or identity.

AT&T have now locked the online account facility for Mr. Perkins. That leaves ... let me see ... every single customer except one still vulnerable to having their accounts stolen in this way. AT&T should disable this facility at once and not bring it back online until it is secured.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
