It hasn’t been a good week for telecommunications companies: security researchers have uncovered security flaws with systems at AT&T, Sprint, and T-Mobile that could have left customer data accessible to bad actors.
Yesterday, BuzzFeed News reported two flaws that left customer information vulnerable at AT&T and T-Mobile. In T-Mobile’s case, an “engineering mistake” between Apple’s online storefront and T-Mobile’s account validation API allowed an unlimited number of attempts on an online form, which would let a hacker use commonly available tools to guess an account PIN or the last four digits of a customer’s Social Security number, in what’s called a brute-force attack.
A similar problem occurred with phone insurance company Asurion and its AT&T customers. An online claims form would let anyone with a customer’s phone number reach a form that allowed an unlimited number of guesses at the customer’s passcode, leaving it vulnerable to another brute-force attack.
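Both flaws come down to the same missing control: a short secret (a four-digit PIN or the last four digits of an SSN) checked by a server that never counts failed attempts. The following is an added illustration, not code from the article or from any of the carriers named in it, and the policy numbers (five attempts, a 15-minute lockout), the sample PIN and the function names are assumptions chosen for the example. It models the unlimited check beside a hardened one and counts how many sequential guesses each will evaluate on the same account.

```python
"""Toy model of an account-PIN check with and without an attempt limit.

Added example; the attempt limit, lockout window and sample PIN below are
assumptions for illustration, not values from any carrier's system.
"""
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # assumed policy: lock after five wrong guesses
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout


@dataclass
class Account:
    pin: str                  # four-digit account PIN (constructed sample data)
    failed_attempts: int = 0
    locked_until: float = 0.0  # monotonic timestamp until which checks are refused


def _pin_matches(expected: str, guess: str) -> bool:
    # Constant-time comparison so response timing does not reveal how many
    # leading digits of the guess were correct.
    return hmac.compare_digest(expected.encode(), guess.encode())


def verify_unlimited(account: Account, guess: str) -> bool:
    """The flaw the article describes: every guess is evaluated, with no
    counter and no lockout, so a four-digit PIN falls within 10,000 tries."""
    return _pin_matches(account.pin, guess)


def verify_limited(account: Account, guess: str, now: float) -> str:
    """Hardened check. Returns 'ok', 'denied' or 'locked'.

    `now` is passed in (e.g. time.monotonic()) so the lockout window can be
    exercised in tests without sleeping.
    """
    if now < account.locked_until:
        return "locked"            # refuse before even comparing the PIN
    if _pin_matches(account.pin, guess):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.failed_attempts = 0
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


def run_sequential_guesses(account: Account, limited: bool, now: float = 0.0):
    """Feed guesses '0000', '0001', ... to one of the two checks and report
    (outcome, number_of_guesses_evaluated). With the unlimited check the
    outcome is always 'found'; with the limited check the server stops
    answering after MAX_ATTEMPTS wrong guesses."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if limited:
            result = verify_limited(account, guess, now)
            if result == "ok":
                return ("found", n + 1)
            if result == "locked":
                return ("locked", n + 1)
        elif verify_unlimited(account, guess):
            return ("found", n + 1)
    return ("exhausted", 10_000)


if __name__ == "__main__":
    print(run_sequential_guesses(Account(pin="7391"), limited=False))  # ('found', 7392)
    print(run_sequential_guesses(Account(pin="7391"), limited=True))   # ('locked', 5)
```

Two points worth noting about the design. The limit has to live in the server-side validation API, not in the storefront's web form: the front end is under the caller's control, and an attempt counter there is no counter at all. And a per-account lockout on its own can be turned against legitimate customers (anyone who knows a phone number can trigger it), so in practice it is paired with per-source rate limiting, alerting on bursts of failures, and a recovery path that does not depend on the same short secret.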
It’s worth noting that vulnerabilities aren’t necessarily breaches, but it’s vulnerabilities such as these that allow bad actors to gain access to a system and exploit the customer data they reach. These systems are by necessity complicated: companies like AT&T, Sprint, and T-Mobile have to balance giving employees the access they need to do their jobs with giving customers access to their own information. But given the harm a malicious actor can do with the vast amounts of data these companies hold, it’s clear that they need to be more proactive in protecting their customers.