Bad news for AT&T customers: you are all vulnerable to phishing scams, thanks to AT&T's text protocols. The actual problem lies in the way AT&T handles its customer alerts via text messages, which is very easy for cybercriminals to mimic.
In "phishing" attacks, scammers attempt to trick victims into revealing their personal and financial information by sending email or text messages that appear to be from legitimate companies. Here, instead of emails, hackers have targeted AT&T users with text messages.
According to Dani Grant, the computer programmer who discovered the flaw and reported it to the company, AT&T uses a plethora of short codes, so its customers are unable to distinguish between legitimate and phishing messages.
The second issue is that some of AT&T's real links direct users to att.com while others take them to dl.mymobilelocate.com.
"Another problem is that AT&T directs customers to URLs like dl.mymobilelocation.com which aren’t obviously associated with AT&T," Grant wrote. "Every AT&T text looks like this, so customers learn to trust any text that claims to be from AT&T, no matter what they're being asked to click."
With little effort, a scammer could send you alerts that look just like the legitimate ones, as "customers of AT&T don’t have a good way to know what texts are actually from their cell carrier, making AT&T an easy target to spoof."
Last but not least, the AT&T text messages don't even have a consistent format. Sometimes the messages start in all capital letters: "AT&T FREE MSG" and at other times the messages are in all lowercase: "AT&T Free Msg."
To test her findings, Grant set up her own short code, having found a 30-day free trial of one. She then bought a legitimate-looking website address (attmobilityllc.net) for $10.89 and sent a message. Now, could anybody tell the difference between the two?
Grant reported the problems to AT&T as a security flaw, but the company declined to comment on the issue. AT&T isn't the only company that falls short on its customers' security, though. As CNN Money reported, "Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to vzwmobile.com or vzw.com."
"T-Mobile sends alerts from a three-digit short code (also different for every user) and links to t-mo.co. SMS text messages are convenient, because they're reliable. You can get them anywhere, anytime on any phone."
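The look-alike domain in Grant's test shows why a message filter has to match link hosts exactly against a published list rather than look for the brand name in the URL. The following is an added example, not code from the article or from AT&T; the allowlist (built from the two hosts the article names) and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the carrier publishes the exact hosts it links to in alerts.
# These two are the hosts the article names for AT&T.
OFFICIAL_HOSTS = {"att.com", "dl.mymobilelocate.com"}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def link_hosts(sms_text):
    """Return the lowercase hostname of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(sms_text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # SMS links often omit the scheme
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts


def is_official(host):
    """True only for a listed host or a subdomain of one (label-boundary match)."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def naive_check(host):
    """The shortcut a reader applies ('it has att in it'); shown here to fail."""
    return "att" in host


def classify(sms_text):
    """Map each linked host to 'official' or 'unverified'."""
    return {h: ("official" if is_official(h) else "unverified")
            for h in link_hosts(sms_text)}


# Constructed sample messages, not real carrier texts.
SAMPLES = [
    "AT&T FREE MSG: Your bill is ready. View at att.com/mybill",
    "AT&T Free Msg: Update your account at http://attmobilityllc.net/login",
    "AT&T Free Msg: Verify at https://att.com.account-check.example/verify",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(classify(text), "<-", text)
```

The second and third samples both pass the brand-name shortcut but fail the exact host match, which is the gap the article describes.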