ANALYSIS After having his AT&T wireless account breached and his personal information posted on the web, famed hacker Kevin Mitnick thought the cellular service provider would compensate him for his troubles. Instead, the company informed Mitnick it plans to cancel his contract and not pay damages for the breach, he said. Now he may sue.
"AT&T wants me off their network because they can't secure my account, and after being a loyal customer for almost a decade I find that reprehensible," he told ZDNet UK's sister site, CNET News.com, on Thursday. "It apparently is more cost effective to drop me than to secure their customer's information." (At the time of writing, Mitnick's service was still active.)
"My attorney is going to review my contract to see what, if any, restrictions are in my service agreement," he said. "I may file a lawsuit for invasion of privacy for the failure to adequately protect my information."
He speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information from insiders that enabled him to access their networks.
He describes such social-engineering techniques in fictional stories in his book The Art of Deception, including examples involving PacBell in which workers at retail stores reveal customer-account details over the phone to someone they think works for the company.
"These guys probably read my book and decided to steal my information using social engineering because it is so easy," he said. "I told AT&T about this and they just ignored it."
"The bigger issue is that this ineffective security affects all AT&T customers," he said. "They need to start shoring up their defences."
Mitnick learned in June that someone had posted his address, landline and mobile-phone numbers, PIN, email address, instant messenger handles and the last four digits of his Social Security number on the web in March.
When he failed to get a response from AT&T after he complained, he called a lawyer who asked AT&T to pay an undisclosed amount for damages to his reputation and property rights, he said.
"We investigated Mr Mitnick's claims and determined they were without any foundation," said AT&T spokeswoman Jenny Bridges. "We refused Mr Mitnick's demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with."
Asked if Mitnick could keep AT&T as his provider, Bridges said she could not comment beyond that statement.
Mitnick's high-profile status makes him a celebrity among some hackers and a popular target for others. He has had his website hacked numerous times over the years, including twice in the past several months. He has even had trouble with Facebook after the site disabled his account, believing him to be an impostor.
Most recently, Mitnick's site was among a group of security sites that were hacked and publicised on the eve of the Black Hat conference last month. As a result of the hacking, Mitnick was asked by his web-hosting provider, HostedHere.net, to find another place to host his site.
This is not the first time Mitnick's AT&T account information apparently has been breached.
CNET News.com learned almost a year ago that someone had gained access to Mitnick's mobile account while he was on a trip to Bogota, Colombia, but at the request of Mitnick agreed not to publish the information while the case was being investigated.
On his way to Colombia, during a stopover in Los Angeles, Mitnick received warning that his AT&T account would be breached with a social-engineering attack, he said in an instant message exchange in September 2008.
He called AT&T with the details and asked it to take extra precautions to protect his account and require someone trying to change the account to provide the password verbally and not just the Social Security number, he said. Despite that effort, when he landed hours later, his password had been reset and the account was no longer in his control.
"I learn that these hackers (they called to warn me first) called an ATT Corporate store in Idaho (I have the rep's name) and she changed my email address to what the hackers requested. So they just did a pw reset," he wrote in the IM exchange.
Asked about it in a follow-up conversation months later, Mitnick said the matter had been resolved and declined to comment further.
That Colombia trip was noteworthy for Mitnick for other reasons. On his return, Mitnick was detained for four hours and his computer equipment inspected after he landed in the Atlanta airport, for unknown reasons.
Talkback
To be changed: having accounts tied to email addresses is crap; we not only need to make all HTTP transmissions encrypted, but also need a unique key-generation system employed on a per-site and per-user basis.
CA 22 Aug 09 20:01
When a person visiting a web site for the first time wishes to set up a forum account, they are asked by the server master key for a private key name of their choice, from which it will then generate a unique client key for them alone; their display name is nothing more than a changeable nickname that other users see when they post.
So there is always at least two encrypted tunnels employed whenever a forum/account user uses any site they are affiliated with; on top of this, the sites can employ a rotary system forcing users to change their key every given time frame the site owners wish to employ, i.e. every 30 days or less.
The last thing that is needed at the end of the chain is a secure key-ring holder, either locally or remotely held, preferably via encrypted hard disk usage.
Kevin Mitnick, the self-proclaimed King of social engineering, writes a book to cash in on his illegal exploits and someone uses the methods described therein against him.
SeanTheMac 24 Aug 09 20:57
What did he expect?
It's like giving a child a shotgun, showing them how to aim it and how to pull the trigger, and then calling foul when they blow someone's head off.
OF COURSE these sociopathic little hacker types are going to use the techniques against him (and others).
Some would say that writing a book describing in detail how he performed these illegal activities is itself at best irresponsible and at worst incitement to commit crime.
As far as I am concerned, when it comes to data security and privacy Mitnick waived the right to any at all when he illegally abused several systems and compromised the data security and privacy of hundreds of law-abiding, decent people.