AT&T texts can be faked to hack you

There’s a problem with the way AT&T sends out customer alerts via text message: They’re too easy to mimic.

With little effort, a scammer could send you alerts that look just like the real thing. Click on a link and the hacker will grab your login credentials — or fool you into giving up your credit card too.

It’s yet another phishing scheme. But instead of email, hackers can target you with texts.

The problem stems from AT&T not making its real alerts look legitimate enough, said Dani Grant, the computer programmer who noticed the flaw.

“If the official texts look like phishing, it’s impossible for the customer to distinguish between what’s phishing and what’s not,” she said.

First, AT&T’s alerts come from a weird, four-digit “short code” number. Anyone can buy a short code (charities do it all the time). And even more confusing, different AT&T customers see different short codes.

Second, some of AT&T’s real links are funky. Some point to att.com while others take you to dl.mymobilelocate.com.

Third, the text messages don’t even have a consistent format. Sometimes they start in all capital letters: “AT&T FREE MSG.” At other times they’re lowercase: “AT&T Free Msg.”

To test her theory, Grant set up her own short code, bought a legitimate-looking website address and sent a message. Can you tell the difference?

AT&T declined to comment on this topic. Grant said she reported it to the company as a security flaw but hasn’t heard back.

To be fair, though, AT&T isn’t the only one. Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to vzwmobile.com or vzw.com.

T-Mobile sends alerts from a three-digit short code (also different for every user) and links to t-mo.co.

SMS text messages are convenient, because they’re reliable. You can get them anywhere, anytime on any phone.

But Grant thinks these companies should opt for email instead, or communicate through a dedicated app. It’s easier for a company to make emails look official. And an app would, in most cases, keep out the bad guys.

Exit mobile version