Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach?
from the doesn't-sound-good dept
Last week, we wrote about the security glitch by AT&T that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot points us to a story where someone walks through how poor security choices by the various mobile operators mean that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though not all) could then be used to figure out a lot more:

"So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too."

There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances.
Reader Comments
Perhaps it already exists, or perhaps many of the needed "pieces" are already in place waiting for someone or some group to recognize a potential integration of these "pieces" (perhaps in conjunction with new "pieces") into a system or method that mitigates data mining.
It is from situations such as this that "inventions" spring forth, some of which, of course, are more effective than others. And, it is in situations such as this that persons consider whether or not circumstances dictate that the filing of a patent application(s) may be prudent.
This is not meant to be a "see, patents are important" comment, but merely to note that not everything is necessarily obvious to those of ordinary skill in the relevant art.
Do your own homework.
Please open thy eyes to the world around you!
Telecoms fund and supply info to big brother too.
Rage against the machine.
Re: Do your own homework.
If so, good job. I'm really looking forward to the Chris Matthews interview with Alex Jones tomorrow night.
I have some theories, but frankly, I have no desire to seek out or analyze the list unless someone legitimately provides it along with a check for $20,000 and an NDA that states they would hold me harmless, protect, indemnify and defend my analysis.
Until then, well, I guess the FBI will do their job. After all, us taxpayers depend on AT&T's security.
Re:
I find this especially true if they favor Microsoft. Anything to scare people away from a good platform, they jump on.
Re:
ANY leak of major personal information can be narrowed down to a specific person, and linked to numerous other databases of information.
You'd be surprised how easy it is to identify you with a little bit of data, and just how much can be gained from that.
Wow people are really missing the risk
So let's say the average phishing attack with 1 piece of info has just a .1% success rate. (Making this up, so no, not citing any studies.) In this case that would mean 114 people fell for it and gave up enough info to clean them out. Well, with 2 pieces of info let's say they can now get to a whopping 2% success rate. That means 2280 fell for it. And then let's say each victim lost $500 in each case. $57,000 versus $1,140,000.
This can be illustrated by looking at spam. Why do you think you get so much spam? Because (last stat I saw) .001% of people buy the product in the spam. Well, if you send out 500 million and your product offers $10 of profit on each sale, you make $50k, not bad since it only cost $200 to send all that. Same with phishing attacks. All you want to do is increase your response rate. More info, more success.
And for those that are slow the two pieces of info are your email address and that you own an iPad 3G with cell data service.
* When SBC/BLS bought AT&T they blamed AT&T and said that they paid too much for AT&T.
* When SBC/BLS was screwing all their non-bargained employees for healthcare, they immediately blamed Obama's Healthcare plan for a $1,000,000,000 healthcare charge.
* When SBC/BLS didn't have a scalable network to support data users, they blamed their customers and put in place "a data cap you can't refuse."
* When SBC/BLS was offered constructive criticism by a customer, they told a customer about a thing called a cease and desist.
They may be "AT&T" in name, but it isn't the AT&T that survived 200 years and was a leader in practice. Skimping on security and QA is unacceptable and would be looked down upon by anyone who is familiar with The Bell System.
AT&T owns this. It's sickening that the Government has to get involved to help manage their security.
As to phone calls and SMS...
1. Sniffing email is probably just as bad. Many people specifically email things when they are in public places that they would not want to say aloud, so this might be even worse than sniffing phone calls. GPRS/EDGE has been cracked for as long as GSM, and UMTS probably won't be secure for more than another year.
2. If they have access to all this other data, especially the location data, couldn't they just find the user's cell phone (probably also on AT&T) that's within 10 feet of the iPad, then confirm with the account data on the phone? In a way, this is worse than cracking their phone - cracking the iPad gives them access to both, with a little more effort.
Just some thoughts. I have a friend on AT&T who just ordered an iPad and she's VERY privacy-conscious. She's already kinda pissed about Apple eliminating the 1 button they used to have on the mouse and MobileMe being down half the time. It should be a lot of fun when I call her and tell her I know where she is...maybe enough to finally move her to Linux :)
hire a hacker
iPad is so overrated
penny@dorne.info