Apple's iPhone 4 pre-ordering has been a total disaster, but it gets much worse: An AT&T insider claims that this iPhonecalypse may be related to "a major fraud update that went wrong." The bug is exposing AT&T users' private information.
So far there have been at least three accounted cases of mistaken identities sent by Gizmodo.com readers—numerous readers are sending their cases in. See below.
This is how it happens: A customer tries to log into their AT&T account to order a new iPhone 4 upgrade. Despite entering their username and password, the AT&T system would take them to another user account. This gives access to all kinds of private information about the mistaken customer: Addresses, phone calls, and bills, along with the rest of private information, becomes exposed to random (in a note sent to Gizmodo, AT&T claims that they " have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.")
The latest case comes from reader John King:
From: john king
Date: Tue, Jun 15, 2010 at 2:04 PM
Subject: ATT WEBSITE LOGS ME IN AS ANOTHER CUSTOMER
I LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEM
But according to an AT&T insider, there could be a lot more happening which are not being reported. These login problems, according to the source, are probably linked to an AT server software update that went wrong this weekend [Emphasis added]:
I work at a 3rd party order processing facility—what AT&T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&T calls their iPhone program internally). Agents use AT&T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.
Over the weekend there was a major fraud update that went down on all of AT&T's systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.
The issues people are seeing at AT&T stores and online are most likely related to this update that went wrong.
I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it's just heresay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.
At this point, I can say that the system that AT&T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.
[Regarding the identity problem] Whenever we see people who are logging in and seeing other customer's account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It's a rare occurrence, but it has happened in the past.
You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.
Unfortunately it appears that even if you don't upgrade your private information could be exposed as other people try to upgrade, allowing accidental access to your account. After we reported on the initial security breaches this morning, AT&T took down their account online system completely.
At this time (3:34PM EDT), the account system is back online, but the iPhone 4 eligibility page is still down.
AT&T and Apple have not issued any statement about this security problem or the nationwide pre-order disaster.
Update: Numerous readers are sending reports on this security problem:
Date: June 15, 2010 4:05:15 PM EDT
I logged in to Att.com in the pre-order frenzy. I was immediately greeted by someone elses personal information. Fearful that I had accidentally registered my iphone to someone elses name I refreshed the page. This time my account info came in correctly.
I just thought I would share this story to add to your piece.
From: Matthew Canning
Date: June 15, 2010 3:38:53 PM EDT
Subject: Another security breach screenshot
Happened to me this morning. See attached.
Matt Canning (not Andrew F)
From: Richard Sobel
Date: June 15, 2010 4:26:46 PM EDT
To: firstname.lastname@example.org, email@example.com
Subject: AT&T still broken
Clicked on Manage My Account to see if I, a person with zero hacking experience, could see someone else's account data. It took me back to my actual account information.
I'm not, in fact, Michael.
From: Ryan Jones
Date: Tue, Jun 15, 2010 at 3:59 PM
Subject: CASE #4 OF "ATT LOGS ME IN AS ANOTHER PERSON"
I just commented on your story about att security breaches. My username is orangebluedevil. It logged me in as a US NAVAL officer based in Hawaii named Scott.
From: SATX MINI
Date: June 15, 2010 4:45:05 PM EDT
Subject: iPhone 4 Order Security Breach Exposes Private Information
Hi Mr. Diaz,
I just wanted to let you know that this appears to be pretty widespread. I decided to call AT&T and inquire after this happened to me, and I was rapidly asked to clear my cache and cookies and try again. After I mentioned that I had retained screenshots for them, I was given an email address for a manager at Alorica (customer service company?). They didn't seem overly interested at all beyond that. Here's to hoping that AT&T addresses the issue soon....
From: David Anderson
Date: June 15, 2010 4:56:30 PM EDT
Subject: iPhone / AT&T Security Breach
Same thing happened to me - logged in and took me to some lady named Patricia in FL's account. Was very confused so backed out, and logged back in. Didn't think to take a screenshot...
Just an FYI, for what it's worth.
From: Jon Scheidell
Subject: AT&T Security Breach
Date: June 15, 2010 6:03:07 PM EDT
To: Jesus Diaz
Cc: firstname.lastname@example.org, email@example.com
In reference to your article, Jesus. Here is another documented case of AT&T mistaken identity today.
In this case, revealing account information for what appears to be an Air Force/Government customer.
The screenshot is time stamped via filename at 6/15/2010 12:55:47 EDT.
I've also copied the abuse desks of both AT&T and the Air Force should they desire to investigate this as well. Either party can contact me directly if they wish.
From: Charles J. Birk
Date: June 15, 2010 6:51:10 PM EDT
To: Jesus Diaz
Also happened to me. AT&T Sucks.