Security flaws left T-Mobile, AT&T account PINs vulnerable

While not quite as bad as a situation involving hackers gaining access to a carrier's customer database, a recent pair of online security flaws put T-Mobile and AT&T customers at risk. Security researchers discovered the flaws on third-party websites that asked for customer account PINs for account verification purposes, which left those PINs potentially exposed.

In the case of T-Mobile, it was actually Apple's online store that was a security risk. During the checkout process of buying an iPhone, when asked to verify their T-Mobile account info, users were allowed infinite attempts to enter the PIN or last four digits of a social security number. This meant attackers had as many tries as they wanted to guess or enter every possibility for either of these numbers.

For AT&T, the problem was the website for Asurion, a company that handles carriers' insurance coverage for phones. If someone wanted to file a claim and knew the account's phone number, a webpage would give them unlimited attempts to enter the PIN.

If compromised, these PINs could lead to SIM cards and phone numbers being hijacked, which in turn would give attackers access to any two-factor authentication that relies on text messages. Fortunately for both T-Mobile and AT&T customers, the carriers have confirmed that the security issues were promptly fixed after being brought to their attention.
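Both flaws described above come down to a PIN check that never stops accepting guesses. The following is an added example, not code from Apple, Asurion or either carrier, showing a PIN check with a failure budget keyed on the phone number; the class name, the five-failure limit, the 15-minute lockout and the sample phone number and PIN are all assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy, not taken from the article
LOCKOUT_SECONDS = 15 * 60   # assumed policy, not taken from the article


class PinVerifier:
    """Checks an account PIN with a failure budget keyed on the account.

    The counter is keyed on the phone number, not on a session cookie or
    client IP, because whoever is guessing can rotate both of those.
    """

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins        # phone number -> PIN (constructed sample data)
        self._clock = clock      # injectable so the lockout can be tested
        self._failures = {}      # phone number -> (failure count, locked_until)

    def verify(self, phone, guess):
        now = self._clock()
        count, locked_until = self._failures.get(phone, (0, 0.0))
        if now < locked_until:
            return "locked"      # refuse without evaluating the guess at all
        if locked_until:
            count = 0            # an earlier lockout has expired
        expected = self._pins.get(phone, "")
        # Constant-time comparison; unknown numbers fail like wrong PINs do.
        ok = bool(expected) and hmac.compare_digest(expected.encode(), guess.encode())
        if ok:
            self._failures.pop(phone, None)
            return "ok"
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[phone] = (count, locked)
        return "denied"


if __name__ == "__main__":
    verifier = PinVerifier({"555-0100": "7391"})   # constructed account
    # Walk the whole four-digit space the way an unlimited form would allow.
    results = [verifier.verify("555-0100", f"{n:04d}") for n in range(10000)]
    print("guesses evaluated:", results.count("denied") + results.count("ok"))
    print("guesses refused:  ", results.count("locked"))
```

Failures are counted for unknown phone numbers as well, so the response does not reveal which numbers have accounts.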

SOURCE BuzzFeed News