Photo by Thomas Hawk
While going over my finances yesterday, I noticed a strange anomaly with my bills. After 3+ years of sending out a regular phone bill in the mail, all of a sudden AT&T stopped. Concerned that there could be a mix-up with my account, I contacted AT&T’s customer support line and was told that ebilling had been activated on my account.
The only problem is that I’ve never registered for online account access, nor have I ever provided AT&T with an email address. When I asked where my bill was being emailed to, the agent couldn’t provide me with an answer, but did say that my statement had been sent out this way for the last 3 years!
People may not be able to siphon money out of your bank account with your phone records, but they can still use this information to harm you. A competitor could use the list of phone numbers you call to prospect for clients, a thief could look for patterns of activity so that they would know a good time to pull off a burglary or a home invasion, or an upset ex could use the records to stalk and harass you. While I’m inclined to believe AT&T when they claim that this mix-up was actually caused by one of their employees, the thought of someone (nefarious or random) seeing this level of personal detail is a little unsettling to say the least.
Given the fact that there could have potentially been an online intrusion into my privacy, I asked AT&T to investigate the matter further and even more importantly to disable access to my online account. After 30 minutes on the phone, the AT&T rep ultimately declined to investigate the matter further and told me that the company has no way of turning off access to your online bill. Her only solution was for me to register my account online and to set my own password, so that someone else couldn’t register without my being notified first.
While I imagine that a large percentage of AT&T’s customers register for online account access, I’ve got to suspect that I’m not the only one who’s never taken the time to do this. In fact, I’d be willing to bet that less than 25% of all senior citizens haven’t registered for online access. Given that all one really needs is a copy of someone’s phone bill, AT&T’s policies are putting some of their least tech-savvy customers at the greatest risk. With zero notification for when ebill gets turned on, customers who depend on the physical mail for their billing info must wait at least 30 days to find out that they could have been a victim of a crime. Meanwhile, someone could use the time they get from hijacking your billing to put 1-900 charges on your phone or to sign you up for monthly plans that don’t really provide any benefits.
Other utilities that I’ve contacted haven’t had any problems with this request. PG&E, for example, won’t even provide me information over the phone unless I show up to one of their retail locations with my ID in hand. This may seem a bit extreme for most people, but your smart meter data is just as vulnerable.
To say that 2011 has been the year of the hack is an understatement, and while I’m sure that AT&T spends millions on internet security, no system is foolproof. Add the fact that AT&T actually receives a percentage of the proceeds from the estimated $2 billion illegal cramming industry and one could make an argument that this security vulnerability is by design so that AT&T can profit at the expense of their less savvy customers. I love the internet and how quick and easy it is to get access to important data in my life, but if other people can also access that data, I’m not sure that it’s worth the risk.