Search this site:


Categories:

Previous: Bed model image | Main | Next: Truck sign

July 7, 2006 10:52 PM

Broken: Identity leak with Sprint Wireless

Steve Parkinson describes an identity leak with Sprint Wireless:

[Sprint commits] a classic security blunder. They give you information and ask you if it's correct. Worse, it's an automated service, with no concept of what social engineering is.

Funny - automated telephone customer service is usually so accurate, helpful, and intelligent.

Comments:

that's bad

Posted by: abcdario at July 7, 2006 11:08 PM

Sprint stinks. Switch to Cingular or Verizon.

Posted by: Donkeykong at July 8, 2006 12:17 AM

Pathetic... (makes face motion of disgust).

Donkeykong is right, but I recommend T-Mobile. No problems yet (started 2 1/2 years ago)

Posted by: Ilya Smirnov at July 8, 2006 12:20 AM

I dont think I have had any problems with identity theft, but my monthly bills are outrageous. Just last May my Sprint bill was for $985.15. And I only used it for emergencies. (well, lots of emergencies, like the time I got lost downtown and had to call my best freind for directions. She was nice enough to stay on the line for almost 2 hours while I got home. But on the way I had to stop off in this shoe store because there was a sale, and then Donna, thats my freind, she says that these sketchers are sooo cool.) Where was I, Oh and Margie was texting me to ask me something, but she does that all the time. So then I am driving on and still talking to Donna, and this a-hole behind me keeps flashing me. How rude, just because he was in this cool beemer he thinks he owns the road. Hey bud, I'm lost, so I hafta slow down! So where do they get off on these high phone bills, I mean whatever. Am I there yet?

Posted by: Annoying chick on a cell phone driving in front of you at July 8, 2006 02:00 AM

To: Donkeykong, Ilya Smirnov

Sprint happens to be the best cell phone provider in our area (they have the best service at least). It's not what company YOU think is best, it's what company has the most towers around you.

Sincerely,

(my name here)

Posted by: joe at July 8, 2006 01:28 PM

And I thought it was bad that employees would give you info. When a computer does it, it is phreak heaven.

Posted by: EricJ2190 at July 8, 2006 01:37 PM

I've been with T-Mobile since 2001 and have been pretty happy with them. Even they have a potential security breach like this, too, though; if someone finds your phone they can easily figure out the phone number (by dialing *686 if the phone doesn't just display it in an easy-to-find menu), then on the T-Mobile website you just click "forgot password?" and it'll send the login password in plaintext as an SMS to the phone. From there people can find out pretty much EVERYTHING about you, or at least enough to do some pretty major damage (billing address, last four digits of the credit card number, the last 3 months of calls you've placed and received, if you have a Hiptop/Sidekick they can read and edit your email and calendar, look at/send/delete your photos, and basically everything else that you can do with the device itself). They can also change your rate plan and billing address, order a brand new shiny phone (charged to your account of course), and sign you up for all sorts of crap you never wanted.

It's pretty scary how one break in the chain of trust can completely mess everything else up. This is why I always set a PIN on my SIM (so that if someone finds my phone they can't just turn it on and get my password) though of course that doesn't help at all if they find it when it still has a charge.

And of course, if you use the same password on T-Mobile as anywhere else and that other person knows your username for the other places, you're completely screwed.

A better mechanism would be to add a challenge/response to the password retrieval, and instead of sending (and storing!) the password in plaintext, have the password retrieval function force you to make a new one.

Posted by: fluffy at July 8, 2006 01:49 PM

I decided to write a better weblog entry about my comment.

http://beesbuzz.biz/blog/e/2006/07/08-t_mobile_security_flaw.php

Posted by: fluffy at July 8, 2006 02:27 PM

Fluffy:

I read the blog post, and I too have T-mobile. About the SIM password, you said: "though of course that doesn't help at all if they find it when it still has a charge." What does that mean? Are you saying the password only protects when you turn the phone on for the first time? If so, can't you set a PIN for every time they want to make a call? Just wondering...

Posted by: just wondering at July 8, 2006 11:00 PM

I gave up on Sprint after my phone was "cloned" the second time. Both times, it appears, someone used a scanner to grab the relevant information, cloned my account, and then ran up hundreds of dollars worth of charges on calls to the Dominican Republic.

Sprint wasn't particularly helpful in resolving the situation either time, and their only suggestion for prevention was "this really very rarely happens."

I've been with Verizon since. Don't really like them either, but I get a discount through my company.

Posted by: mulletvampire at July 9, 2006 09:14 AM

Yeah, don't exactly depend on any company for phone service. It's overpriced, anyways.

Posted by: Another guy named Alex B at July 9, 2006 02:07 PM

P.S. BROKEN!

Posted by: Another guy named Alex B at July 9, 2006 02:10 PM

Just Wondering:

The phone only asks for a PIN to unlock the SIM at first startup. If it asked for a PIN every time a call was made it'd get pretty annoying!

The password is sent as an unencrypted text message. It does this even without asking any of the security questions you ask on the website; just put the phone number into the "forgot password?" form on t-mobile.com and it sends the account password directly to the phone.

Posted by: fluffy at July 9, 2006 06:20 PM

Holy crap that's scary. I thought that cellphones would be a better choice for reamining anonomyous (can't spell!) than a landline. Guess I was wrong. O_o

Posted by: Fayth at July 10, 2006 10:50 AM

What is the #?

It's not listed and thats broken!!!

Posted by: Itismemc@aol.com at July 10, 2006 12:13 PM

My dad's with T-Mobile,and the jammed his phone up becouse his services had ran out.We had to send it to England and the hackers there fixed it.P.S:Broken!

Posted by: Danny at July 14, 2006 04:53 AM

Comments on this entry are closed



Previous: Bed model image | Main | Next: Truck sign

Previous Posts: