They denied it, but here’s proof that AT&T is exposing credit cards and shipping information during iPhone 4 pre-orders. Wrong shipping information is even being used by AT&T and Apple’s websites to send units to the wrong people.
The first iPhone 4 pre-order day was a total disaster, with collapsed AT&T and Apple servers unable to take any orders, multiple incorrect purchases, reservations that didn’t reserve anything, physical stores closing or having to take orders with pen and paper, and, worst of all, people logging in to AT&T’s account servers and seeing different customers’ information on screen.
By itself, that’s a major security problem. But it gets worse, according to the proof sent by readers like Christian du Lac, who was going to order an iPhone 4 with a credit card that wasn’t his credit card:
From: Christian du Lac
Subject: whose credit card? not mine
Date: June 16, 2010 12:54:17 AM EDT
To: Jesus Diaz
Great coverage on the iPhone/AT&T disaster.
I was one of the lucky ones who secured an iPhone upgrade — at 2:30am west coast time, after over an hour of server failures, etc.
On a matter perhaps related to the AT&T server software update you reported on today: I have an AT&T Wi-Fi Premium account — the kind that you can use at Starbucks — that I want to cancel, since Starbucks is making wi-fi free in a couple of weeks.
When I enter my account to remove my credit card info, it describes my card as an American Express, and shows a partial account number and expiration date. Problem is, it’s not my card: I haven’t had an Amex account in 12 years. (Screenshot attached).
The problem is not limited to AT&T's account system, however. Since the iPhone 4 upgrades require an AT&T contract, Apple has to use AT&T's systems to process the orders. The Apple Store requires the phone to be shipped to the address listed in the AT&T service contract. Nothing wrong with that, until AT&T sends Apple the address information from the wrong customer. This is what happened to reader Melissa Phillips:
From: Melissa Phillips
Date: June 16, 2010 2:20:49 AM EDT
To: Jesus Diaz
Had this happen to me twice when attempting to order through the Apple Store. Once you get to the check out, evidently they will only ship to the AT&T billing address and random addresses have come up.
The first time it happened I was in the Apple Store in Jacksonville and we were about to hit the final check out button when my husband noticed the shipping address was somewhere in Virginia to a name that wasn't ours. We backed out and were never able to get that far again so we left the store.
Got home and tried again on the Apple website.. not AT&T around 2:00 am, this time it happened again with a different address and having read your article I knew what was up. I took the attached screenshot. Shut the browser down, tried again in a completely different browser and it went through.
Scary to think how many people purchased through Apple website and were so happy that it was finally working that they never noticed the incorrect shipping addresses. On the other hand many people are going to be getting some free iPhones...
That's precisely the bigger problem: not only has AT&T exposed credit card and shipping address information through its servers and the Apple Store, but it may well be that many people have used this wrong information to place their orders. This could result in people placing an order with their credit cards, and other people receiving the iPhone 4. That seems to be the case for Gregory Sarrica:
From: Gregory Sarrica
Subject: iPhone 4 Order Security Breach Exposes Personal Information
Date: June 16, 2010 7:24:45 AM EDT
To: Jesus Diaz
I just received an order confirmation yesterday for an iPhone 4 and I did not even order one! I was googling around to see if this happened to anyone else and I found your article on Gizmodo.
This is amazing! I thought it was fake at first but after checking the order status on ATT's website I knew it was a real order. Now I just wonder if it will come to my house.
Given the volume of emails about mistaken identities we are receiving, it seems that this won't be the only case. As one of the readers pointed out, many could have been so happy to be able to make the purchase yesterday that they may not have noticed the wrong shipping address. Add to that the iPhone reservations that really didn't happen, the orders that were never placed by overloaded servers, and the orders that were placed several times, and you will have another disaster on the iPhone 4 launch day.
If you thought you made a pre-order or a reservation yesterday, make sure that everything is right before the day comes. [Gizmodo's iPhone 4 Pre-Order Disaster Coverage]