June 17, 2014
At least 500 AT&T customers have become the victims of a security breach, exposing sensitive personal information like victims’ Social Security numbers and birth dates.
However, this wasn’t a traditional instance of hacking to commit financial fraud (like, for example, recent cyberattacks). AT&T says that the intent of the attack, which occurred between April 9th and April 21st, was to request codes from AT&T that are used to “unlock” AT&T mobile phones in the secondary mobile market.*
In short, hackers (reportedly employees from an outside service vendor) pretended to be AT&T customers in order to unlock old, used devices.
Debate surrounding the “unlocking” policy has made news in the past (Major US Wireless Carriers Will Allow Device Unlocking). Last year, FCC Chairman Tom Wheeler promoted an agreement between carriers and The Wireless Association (CTIA) adopting a voluntary set of unlocking policies.
The problem is that, because the process requires altering a locked device’s firmware, unlocking is considered a violation of the Digital Millennium Copyright Act (DMCA) when performed without carrier permission.
Currently, AT&T and other carriers allow device unlocking, but with restrictions: Users can only request unlocking at the beginning or end of their two-year contracts, and requests can only be made through their carriers.
Opponents argue that carriers’ unlocking policies are too strict, unnecessarily tying consumers to their carrier while simultaneously making it difficult to reuse old devices. This is important, especially considering today’s huge market for refurbished phones (despite the fact that the smart device industry continues to grow).
On the other hand, carriers claim that if devices aren’t initially set up to access their networks, users won’t be able to access embedded services anyway. In addition, CTIA is concerned that the bulk unlocking of devices will increase the potential for stolen mobile devices.†
If nothing else, however, this recent breach clearly demonstrates that users would compromise our most sensitive information just to recycle used devices.
In light of AT&T’s breach, experts wonder whether more progressive unlocking policies would prevent future attacks; meanwhile, wireless industry officials argue that these policies help regulate a “gray market” for stolen phones that could carry malware to steal personal information.*
Yet for now, and especially for those affected by the cyberattack, it seems that these strict regulations are forcing the market in that direction.
Whatever the case, the policy still has a long way to go. For now, AT&T will reportedly provide victims with one year of free credit monitoring.†
* Fung, Brian. Carriers’ tight grip on cellphone unlocking seems to have resulted in a cyberattack, The Switch, The Washington Post.
† Meyer, Dan. AT&T warns of potential account hack tied to device unlocking request, RCR Wireless.