Passwords just aren’t what they used to be.
Take the great grandaddy of all secret codes: “Open Sesame.” It first hit the scene over 300 years ago in “Ali Baba and the Forty Thieves.” In the tale, one that no doubt made all the rounds on Asia’s “Best Seller of 1706” lists, the titular character uses the phrase to open a cave a gang of thieves packed with hidden treasure.
Now imagine if those thieves secreted away their riches using today’s lax password standards. How long would it take Mr. Baba to crack “12345?”
The thought occurred to me after I spoke this week to a woman whose AT&T cell phone family plan got hacked by a man named Justin who waltzed into an Apple Store in New York, added a new iPhone to their plan and changed most their security settings.
Justin was not a long lost cousin twice removed. He wasn’t Uncle Justin, either. But on that day last week, Justin became part of the family.
Sandie Concannon noticed something was wrong when her elderly father and mother-in-law told her their phones had stopped working. Concannon, currently from the Philadelphia region, said she called AT&T to find out what was going on but got rebuffed by a customer service representative who told her she wasn’t an authorized account user and thus wasn’t privy to any account information.
Concannon told me she was in disbelief. It took her numerous phone calls and trips to two AT&T stores to get to the bottom of the issue. She eventually learned that a New York man named Justin was the culprit. The only problem was neither Concannon nor any of her family members had recently been anywhere near the state of New York.
She ultimately put a pass code on the account. It wasn’t Open Sesame.
Concannon asked me to check into what information a person walking into an Apple Store actually needed in order to access her account, so I reached out to a few Apple representatives and asked them to provide details on the purchasing process.
One customer service specialist told me a customer would generally need to provide ID and whatever cell phone provider information was associated with an account.
I asked: “Is that it?”
“I would think so,” the employee said.
If the crook attempted to make a purchase for an iPhone in conjunction with an upgrade under a specific cell phone carrier, the phone would be sent to the billing address on file with the service provider, said another employee.
All AT&T would reveal was that the company was actively investigating the incident.
“Protecting customer information is a top priority for us and we will stay in contact with the customer regarding progress of the investigation,” said Brandy Truskey-Bell, an AT&T spokesperson. Truskey-Bell couldn’t say whether the issue was common, again maintaining an open investigation was underway.
Concannon said all was resolved, except that her father and mother-in-law needed new SIM cards in their phones and she needed to mail them. The two would have to wait, she told me.
To their credit, AT&T did everything they could to make it right. They forgave the charges on the family’s account, cancelled Justin’s line and even offered the family an extra 5 GB of free data. Concannon told me her family doesn’t use much data. Oh well. It’s the thought that counts.
While it was unclear if a password would have prevented the incident outright, AT&T’s website suggests several ways to get out in front of identity theft. The one that stood out to me: “Protect your account with a password.”
“AT&T offers customers the opportunity to password-protect their account so that any changes to services or billing information requires a unique password. To establish a password-protected account, call an AT&T customer service representative using the phone number on your bill or in your phone directory.”
And please, be creative.
Reach Joe Dolinsky at 570-991-6110 or on Twitter @JoeDolinskyTL