Path: utzoo!telecom-request
Date: Thu, 9 May 91 22:20:30 GMT
From: Jeremy Grodberg
Newsgroups: comp.dcom.telecom
Subject: AT&T Card PIN Disclosed
Reply-To: Jeremy Grodberg
Message-ID:
Organization: TELECOM Digest
Sender: Telecom@eecs.nwu.edu
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 11, Issue 351, Message 8 of 10
Lines: 54

I had an interesting, and slightly frightening, experience over the weekend with my AT&T credit card. My card had just been renewed, and I was replacing the old one in my wallet with my new one, and since I usually use MCI but now had the AT&T card in my hand, I thought I'd check to make sure I remembered the PIN for it. I tried dialing a friend long distance using the AT&T card, and used the PIN I remembered. It didn't work.

I called AT&T to ask them to change it. I had set my PIN over the phone originally, and although I was somewhat worried about this, I noticed that they had one person take all my personal information (account number, name, address, SS#, etc.), and a different person take my PIN, so I took the leap of faith to think that the person who took my PIN didn't know what account it was for. I was able to believe that they were taking good security measures.

Anyway, I called and told the service rep that I had forgotten my PIN, and wanted to change it. Again I was taken through the most rigorous identification process of anyone I've done business with over the phone, including banks and stock brokers. The service rep asked what PIN I had used, at which point I was stunned; after a brief pause, I said "I'm not supposed to tell anyone my PIN, your literature says that real AT&T reps will never ask you for it." The service rep then pauses, stammers, and says "Well, I'm looking right at it. OK," she says, "did you use XXXX?" where XXXX was my real PIN!

Not only did she have access to it (which she shouldn't need or have), she told it to me! Yikes! I am not amused. I bet many people use the same PIN all over the place, and allowing AT&T employees to see customers' PINs, and access to their credit records and telephone records, could be an invitation to fraud. I'm very glad the PIN I gave them is one I use nowhere else.

Continuing, now that the service rep assured me I was using the right PIN, I naturally wanted to know why it didn't work. She told me that my card was shipped "in the same mail sack" as a bunch of other cards which were stolen from the mail. They had called and left a message ("I'm calling from AT&T. It's very important you return my call at 800 xxx xxx"), and when I didn't return the call, they blocked my account. I didn't return the call because they had cried wolf before, and when I called them back they couldn't even tell me why they had called me! It sure would have been helpful if they had left a more detailed message. Even a second phone call would have been nice. As it was I just thought it was some spurious sales call or friendly check to make sure that I had gotten my card, and since I had my card and didn't want to talk to a salesperson, I didn't call back.

It just goes to show how hard it is to get this stuff right, and how the risks don't go away, they just transform themselves into new and unexpected forms.

Jeremy Grodberg jgro@lia.com