AT&T Says Oops! Hacking Becomes Mobile's Soft Underbelly

AT&T (T) had a huge embarrassment yesterday, as a security glitch potentially exposed private information of 114,000 Apple (AAPL) iPad users, including email addresses and an ID used to authenticate subscribers on AT&T's network. The carrier has fixed the problem, and you could reasonably argue that it wasn't Apple's fault. But it doesn't matter. Apple, Google, and every other company in the smartphone business are about to find out how dangerous mobile devices can be when it comes to hacking.

The issue isn't even some organized group in Russia or China breaking into consumer records and stealing identities. Because handsets as phones are already tied into commerce, and given the expanding role smartphones will play in how people pay for goods and services, they become a dangerous cross between a computer and a bank account, opening new areas for fraud. Ryan Tate at Gawker (no fan of Apple since the iPhone 4 prototype incident and Apple's push for criminal investigation of a Gawker editor) broke the story:

AT&T closed the security hole in recent days, but the victims have been unaware, until now. For a device that has been shipping for barely two months, and in its cellular configuration for barely one, the compromise is a rattling development. The slip up appears to be AT&T's fault at the moment, and it will complicate the company's already fraught relationship with Apple.

Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice in mobile carriers -- AT&T has an exclusive lock, at least for now. Given the lock-in and the tight coupling of the iPad with AT&T's cellular data network, Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with.

The games -- 3D Anti-Terrorist and PDA Poker Art -- are available on sites that provide legitimate software for mobile devices, according to John Hering, CEO of San Francisco-based security firm Lookout. The games are bundled with malicious software that automatically dials premium-rate telephone services in Somalia, Italy and other countries, sometimes ringing up hundreds of dollars in charges in a single month.

The services are run by the programmers who built the tainted software, Hering said on Friday.

But placing phone calls is only the beginning. Several industries are practically wetting themselves in excitement over the potential of mobile commerce. There's already an app to turn an iPhone into a Visa card, and Mastercard is in hot pursuit.

The potentially big problem is that carriers and online payment companies will all want a piece of the commerce pie, but they may not be covered by the consumer fraud protection laws that apply to credit card processors or banks. I spoke with Mari J. Frank, an expert on identity theft and fraud. (Disclosure: I edited her book, The Complete Idiot's Guide to Recovering from Identity Theft.) Here's her take:

If you charge it to your carrier, you don't have anything protecting you. If you charge to your credit card, that's different.

Carriers should seriously consider lobbying Congress to extend consumer protections to transactions that take place over mobile networks. Would they lose some money? Absolutely. However, better write off some losses on your taxes than to write off the entire growth area because consumers fear being stuck as victims.

Gun image: RGBStock.com user gabriel77, site standard license.