DOJ indicts man for paying AT&T employees to help him unlock millions of customers' phones

Originally published at:

It’s hard to say he shouldn’t get in trouble for buying access to customer records – my strong preference would be for folks to not do that – but it does seem messed up that none of this blows back on AT&T after they (a) milked millions of customers with contractual practices that at least skirt the limits of legality, and (b) apparently run such a loose ship that one guy in Honk Honk can cheaply buy unfettered access to private accounts for years.


Providers should just stop pretending they’re subsidizing phones and make it obvious to customers that they are paying for the phone in installments.

T-Mobile does this and the phone payments appear as a separate item on your bill. Once you’ve paid off the phone balance your bill goes down correspondingly.

This way it’s easier for the provider to say you’re free to leave anytime but you still have to pay for that expensive hardware you’re keeping.

But I guess most providers would just rather continue pretending they’re doing you some sort of favor by “giving” you a $1000 phone for $200 while charging you too much for your plan and then feeling justified in charging you a $350 fine if you have the gall to doubt their generosity before the mandated Period of Appreciation has expired.


My heart bleeds.


I’m more upset that the employees were okay with setting things up so some dude could just do things on their network. Free access to a corporate network? What’s the worst that could happen? (It probably has.)


This was the reason I ditched AT&T. Back in the early iPhone days you had to both buy the phone AND get a “subsidized” phone plan from AT&T. And then after two years when the phone was supposedly paid off…the rate stayed exactly the same. The only way to change the plan was to buy an entirely new phone. I’ve never been an AT&T customer since, nor will I ever be.


I’d be curious to know what the breakdown is between “maintain pretense of subsidy”; “make switching to a competitor substantially more expensive”; and “the technological measures are actually the only controls” is.

If you are dealing with an on-contract customer with reasonable credit I’d assume that it’s pretty much entirely a combination of the first two: the customer isn’t going to tank their credit rating or flee to somewhere exotic just to skip out early on a handset payment plan; but simply breaking out the payment plan as a separate item and not crippling the phone would make the arrangement more obvious to them as well as increasing the risk that they’ll indulge in cheap data abroad or similar.

In the cheap seats, the lockdown might actually be all their is: the sort of phones sold for prepaid purposes tend to be pretty grim; but often not grim enough to actually break even when retailing for $20; but in absence of a contract or any way to follow up the phone could well walk if it were technically capable of doing so.

None of these scenarios make me sympathetic to team telco’s position; but knowing their motives would be of interest.

Incidentally, this strikes me as a good instance for anyone who thinks that ‘golden key’ systems could possibly be secure against the human element, even if technically impeccable.

Phone unlock codes fall in the same category of per-device, supposed to be secret but rather desirable; and also needing to be widely available(for basically any local phone shop or call center to hand them out to the qualifying).

Shockingly, that isn’t an arrangement that keeps secrets. I don’t really follow the phone forums anymore; but if memory serves there are at least some handsets where no viable hack is known to exist; but there is little shortage of sketchy characters capable of conjuring up the key to a bootloader or SIM lock with just an IMEI and a suitable helping of US Treasury lettuce.


Buried the lede here a bit didn’t we?

I’m all for criticizing and taking the carriers to task for locking out services on devices you own (or are rent-to-owning, or whatever), but if someone bribes employees to weaken your network or otherwise breach your infrastructure, that changes things. No one who does that is getting off the hook in this security admin’s book. There’s too high a risk that these “changes” might let other bad actors with an eye to customer data getting in.


This topic was automatically closed after 5 days. New replies are no longer allowed.