AT&T @Home

by m0rtis

Here's some interesting information about AT&T @Home.

I have been working for their First-Level Tech Support for a while now.  In this time I have gotten quite a bit of knowledge about the service and how AT&T handles its subscribers.

Now I could go into great length about a lot of their procedures and regulations, but I won't bore you with most of that.  We all know what you're here for.  The down and dirty information.

AT&T @Home (for those who don't know this already) is a cable modem network.  In 1998, AT&T purchased a chain of cable companies called TCI.  TCI and Excite had a working partnership in the @Home service.  Since then, AT&T has purchased many, many more independent cable companies for cable modem and cable TV reasons.  AT&T is truly only interested in the American Greenback and Canadian Loons.  AT&T @Home has grown so large that AT&T really can't keep up with its own service.  It is so large that AT&T outsources its tech support to the highest bidders.  I work for the largest of the companies.

Let's start with the beginning of a typical call.  It should go something like this:

Agent:  Thank you for calling AT&T @Home.  Can I have the telephone number on your account please?

Sub:  (NPA) NXX-XXXX.

Agent:  Thank you.  May I verify your full name and address please?

Sub:  [Insert your address and name.]

Agent:  Finally, can I have your Personal Access Code (PAC)?

Sub:  [Gives code.]

This is important to know.

If you ever wished to social engineer your way into someone's account this is what you will need.  Generally, the basic information should be simple to get and AT&T really doesn't care much about it except for legal reasons.

What they look for in verification is the PAC.  The PAC is generally one of a few things: mother's maiden name, pet's name, last four digits of a Social Security number or account number, although it is usually the mother's maiden name.

If for some reason you can't guess the PAC, AT&T asks for either the login ID or modem serial number.  The login ID is rather easy.

Just get their email address and there you have it.  Once you verify this information for them, you have access to their entire account within reason of the agent you're talking to.  Most agents aren't too bright.  They have to score a 30 percent on a general knowledge test to get the job.

When you ask to speak to a supervisor, you are transferred to a section of a call center called Floor Support.  These guys are no different really from any other Dick and Jane on the phones.  They just get Supervisor calls.  They can't do anything more than we can.  Save yourself the time and stick with the first person you talk to.  Generally it's about 30 minutes to talk to a Floor Support agent, just to get someone who can't do what you want.

When someone calls to get installed with a new account, they are set up with an account on that call.  The username, password, and PAC are all created at that time.  About 70 percent of the time the password to a sub's account is just "password" either in lower or upper.

This username and password is more than just access to get someone's email from them.  It also logs them into the @Home web page.  From here, you can do all kinds of things.

The @Home page is behind a proxy server (http://proxy:8080 on the @Home network).  Unless you are on the @Home network, you won't have a lot of luck getting in without some work.

However, if you are on the @Home network, you can log into someone's account from there.  This kind of access to someone's account can be dangerous (AT&T does nothing to discourage this either).

Some examples of things that could be done from inside the Member Services: add IPs, create email accounts (each account can have seven), and set up Net Mail and dial-up service:

Getting an Additional IP Address:  You could in theory take that IP address and Client ID and use it for your own purposes.

Adding Email Accounts:  Any needy hacker needs a few bogus email accounts outside of free services (Hotmail, USA.NET, and others).  Sure you could use a spoofed SMTP to send your mail from anywhere, but it's always nice to have someplace to get it too.

Net Mail:  Allows you to check your mail from anywhere on the web.  If you had a hacked email account that you added with the login and password you found, you could anonymously check it through a nice webpage that masks your IP address.  There are many who do this.

Set Up Dial-Up Access:  For a minimal $15 setup fee and 15 cents a minute, you can dial up to the @Home service.  No need to say anything more on this.

When you are transferred up to Tier 2, they have a rather interesting tool they use.  It's called The Matrixx.  This really makes me gag.  Both with its bad reference to a good movie, and its use.

When the AT&T @Home software is installed, it installs The Matrixx without asking the user if they want it.  It allows the T2 tech to take over a person's computer, change settings, and fix problems.

Now I don't know much about the program other than what it's used for.  But I don't like it.  Perhaps someone who knows a bit more about it could post something that gives better detail (i.e., what port it uses, and how it's disabled/removed).

The damages to a person's account are enormous when looking at it from this perspective.  AT&T really hasn't done much to fix its problems with security, let alone the problems with its expanding service.

It reminds me of what happened with AOL only a few years back.  AT&T needs to take a step back and fix these obvious problems.

At the price you pay, is it worth it knowing that your account is ready for the plucking at the hands of a malicious criminal?  Just think about it.

Shouts to the Darkcyde crew.  Toast, southie, Morbid Engel.  S0dium, t0ne.  #2600 (DAL.net) and finally my fiancé Shell.
