Flawed Security Lets Sprint Accounts Get Easily Hijacked

We found you can hijack a Sprint user’s account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this hole. I’ll show you how we cracked into a Sprint account and just how much damage I could have done, inside…

First I needed someone to volunteer their Sprint cellphone number to test for research purposes. Intern Alex Chasick put out a request on his IM Away Message and within minutes Nathan (thanks Nathan!) offered up his number.

Next I went to the part of the Sprint website where you register for online account access. I filled out the account registration form and then selected for Sprint to ask me a few questions to verify my identity so I could set up my PIN code. This is where it gets fun.

Alex is in his 20s and lives in the Washington DC area, so I figured that our mark was too. Just knowing that, I was able to answer all the questions correctly on the first shot. Here’s what they were:

“Which of the following vehicle makes has been registered at the following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None of the Above.”

I figure a college kid is not going to have a Lotus, Lamborghini, or a Fiat, so I went with Honda.

“Which of the following people have resided with you or used the same address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome Ponicki, John Pace, None of the above.”

The extra space in Jerry’s last name caught my eye. That looks like a data entry error, like the name was probably grabbed from an actual database instead of a generated fake name. So I went with that one.

“In which of the following cities have you NEVER lived or used in your address? Longmont, North Hollywood, Genoa, Butte, All of the above.”

I’ve never heard of any of those cities being near DC, so I went with “all of the above.”

And then, open sesame, I’m in.


From now on, for all intents and purposes, to Sprint I am Nathan. I can see Nathan’s billing address, useful if I wanted to conduct more identity theft. I could add services and take away services. I could order GPS tracking on his account and see exactly where he is in the world from any computer with internet access.


I could look in his call history and see all of his calls. I could change Nathan’s billing to e-billing…

…change his home address to a drop location…


…order a bunch of phones…


…and have them sent to my drop location, and then sell them on eBay, leaving Nathan stuck with the bill. (Sound familiar? We posted a Sprint complaint just like this, “Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500.” In that case, the Sprint fraud department said it was “probably someone inside Sprint” who ran the exact scam I just described to you.) Remember, all I knew about this guy was his cellphone number, that he was in his 20s, and that he lived in DC. That’s it. That’s all it took to completely hijack his entire Sprint account.

When Jim reported it to Sprint, he says he “called support (3 or 4 times). Surprisingly the last time I spoke with someone who realized the issue was a big deal, but she had no idea who to contact, and her supervisor only said to fill out a website feedback form. I then filled out a feedback form. Pretty sure that went nowhere. I then called the number you guys offer, 703-433-4401. I spoke with someone there who said they’d pass it on to the website team. They did mention they tested out the security question setting and found that nobody could guess anyone else’s information…”

Here’s a possible reason why the hole exists: young people are less likely to have well-developed credit histories and other public records from which to draw the possible answers for the identity verification, leading to what tipster Jim calls “rather silly questions it’s easy to guess the answers to…The point of a PIN is to identify me as a person, not just that it’s someone who knows me.”

Making this system even weaker, the questions seem to be based on public records. All a thief has to do is know your name in addition to your phone number and search those publicly accessible records.

In the comments on this post, a former Sprint rep says it’s even worse than we thought. He says that every question about cars has three luxury models and one typical one, and that “none of the above” for “which properties have you owned” was correct 99% of the time. Worst of all, you only need to answer two of the questions correctly to gain access to an account. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.”
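To put numbers on the two-of-three threshold described above, here is an added example (not code from the article or from Sprint) that computes how often a verification check passes when the answers are guessed. The per-question success probabilities are constructed assumptions meant to mirror the page’s descriptions (one non-luxury car among decoys, “none/all of the above” usually right), not measured data.

```python
"""Quantify a knowledge-based-authentication (KBA) answer threshold.

Added example; the probabilities are illustrative assumptions, not measurements.
"""
from itertools import combinations
from math import prod

# Five answer choices per question: a blind guess succeeds 1 time in 5.
UNIFORM_GUESS = {"vehicle": 0.2, "residents": 0.2, "cities": 0.2}

# Assumed odds for a guesser who uses the structural hints the page describes:
# pick the one ordinary car, and "none/all of the above" for the address
# questions. Values are constructed for illustration only.
HINTED_GUESS = {"vehicle": 0.7, "residents": 0.3, "cities": 0.9}


def p_at_least(probs, k):
    """Probability that at least k of the independent questions are answered
    correctly, given each question's individual success probability."""
    n = len(probs)
    total = 0.0
    for r in range(k, n + 1):
        for hits in combinations(range(n), r):
            total += prod(p if i in hits else 1 - p for i, p in enumerate(probs))
    return total


def kba_bypass_rate(question_probs, required_correct):
    """Share of verification attempts expected to pass when only
    `required_correct` of the questions must be right."""
    return p_at_least(list(question_probs.values()), required_correct)


def compare_policies(question_probs):
    """Pass rate under the page's 2-of-3 policy versus requiring all three."""
    return {
        "two_of_three": kba_bypass_rate(question_probs, 2),
        "all_three": kba_bypass_rate(question_probs, 3),
    }


if __name__ == "__main__":
    for label, probs in (("blind guess", UNIFORM_GUESS), ("hinted guess", HINTED_GUESS)):
        rates = compare_policies(probs)
        print(f"{label:12s} 2-of-3: {rates['two_of_three']:.3f}  "
              f"all-3: {rates['all_three']:.3f}")
```

Under these assumptions a hinted guesser passes the 2-of-3 check about 73% of the time, versus 19% if all three answers were required; the threshold, not just the question quality, drives the risk.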

Before posting this material, we reported it to Sprint. After looking into it for a day, they gave this official response:

Sprint works with an established third-party vendor that handles the customer verification process noted in your email. Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described; however, we continuously seek out ways to improve customer account security and we look for information from a variety of sources. Based on the information provided by the Consumerist, we immediately escalated the issue with our vendor partner so that it can make the necessary adjustments to ensure that our customer verification process remains secure. Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.

Let’s hope that’s not just lip service and Sprint does upgrade its identity verification process. How could anyone design a system so poorly? I speculate that internal Sprint metrics demanded a certain ratio of successful to unsuccessful signups. Since making the process more secure would mean more legitimate Sprint customers were turned away from creating an online account, someone was able to up their numbers by making the process less secure.

Makes you think twice about giving your number out at the bar.

Comments

  1. mach1andy says:

    Adding insult to injury, Sprint has a typo in their GPS pitch: “…provide superiro customer service” … I’ll say.

  2. cde says:

    @K-Bo: She is new. Only 4 posts since February.

  3. stephenjames716 says:

    this does not make me feel safe….thanks sprint

  4. Seth_Went_to_the_Bank says:

    “Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described…”

    Yeah, I’m sure that’s true. It’s called “plausible deniability.” You don’t put a system in place to track something you don’t want to know about, so you can say you were never aware of it.

    Great job, Sprint!

  5. topeka says:

    http://www.sprint.com website is unavailable at least 50% of the time. When you call customer service, you get bad customer service or get hung up on/disconnected, or placed on hold forever. No one will take the time to listen to you, resolve your issues completely and correctly. Billing adjustments are temporary for one day only, then you have to call in every month to adjust the same bill. There are many managers and supervisors who will talk to you, however, they do not resolve the issues. The bad customer service agents and bad managers outnumber the good agents and supervisors. Agents are rushed to get through their phone calls and do not resolve customers’ problems. Sprint customer service and management are the worst in the telecom industry.

  6. newfenoix says:

    @topeka: Forbes has Sprint listed in their “Hall of Shame.” I had a Sprint account from Jan of 02 until July of 07. The company went to crap after they joined with Nextel. As far as the online services; well, that was an absolute nightmare. I had several phone hardware problems, which they would not address. I had service issues which never got resolved but the final insult was when I was billed for their “media package.” It was offered and I told the CSR at least 10 times that I did not want it. But I got billed for it anyway. When I dropped Sprint last year the supervisor that the CSR connected me with did everything but beg me to stay. I will never, ever use Sprint again.

  7. cascascas says:

    Aren’t these questions based on public records? So if they’re public, even if you can’t guess the answers, I’m sure you can look them up…

  8. coopjust says:

    This is inane. I’m glad I’m no longer a Nextel customer (everything sucked after the merger), but this system is inanely bad. Heads should roll over this.

  9. tkerugger says:

    All of the above, plus…what a pain in the ass to actually sign up for account access. Now I have a username, password and a PIN to use, plus they’ll send me a bunch of emails? And, frankly, what a shitty looking page once I (finally) got in…

    The countdown to May 25th (Sprint contract expiration) is on…

    Oh, fun. Since they’ve upgraded me to the new billing system, I can’t pay my bill online until after my next billing cycle. So, pay a late fee then or pay a fee to pay my bill at a Sprint store? Sons of bitches!

  10. bossco says:

    I am a Sprint customer. I noticed that this week when I logged on they required me to add an authorization number that they sent to my phone, in order to complete my log on.

  11. yargrnhoj says:

    Sprint isn’t the only one using systems like this. I recently had a call from ‘fraud prevention’ from one of my credit card companies and they asked similar questions. One was which car did I have a car loan on (easy to figure out if you snooped around my house, since I only have one car). Also a list of previous addresses I lived at (again, if you know my car, you might figure this out since I have a sticker on the back from the dealer which is in another state, which was one of the choices).

  12. ViperBorg says:

    Yeah, I had this issue with them. Considering they are still doing this, I canceled my account with them. I like my money to stay with me, thank you.

    Moved to another carrier, and have had no problems.

  13. NWSPMP says:

    Scarily enough, in addition to this, fully registered accounts that are already setup in their Online System are vulnerable via “I Forgot my PIN” which asks the same damned questions.

    Mine – Gave me the “which car has been registered” blah blah with the answers being “Fiat, Lancia, Ferrari, and Toyota” An then with the “Which property do you own?” and “Which cities have you lived in?” almost always being “None of the above” and only needing TWO correct answers.

    Yep. This sealed it. Getting rid of Sprint, even though they’re the only provider with half a decent data network speed in the area.

  14. This is rather odd, but probably a result of the Nextel merger. I remember when I signed up for my Sprint on-line account years ago. As part of the process, they sent me a one-time password to my cellphone. Very simple way to make sure that the person signing on is the person in possession of the phone.

    So all I can guess is when they got all excited about switching to the new platform for consumer access to their Sprint accounts, they yanked out stuff like OTP which couldn’t be made to work yet….

  15. Ton80 says:

    “There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer.”

    There is an easy fix on most modern cellphones for this!!!

    In your phone setup menu, probably buried, but be thorough through all your menu options, you will find a setting that closely matches the above quote with two settings: either global or Emergency 911 only (for USA). Set it to Emergency 911 only.
    And pray and hope and check to see if the 911 system in your area is modern enough to grab that GPS signal from your phone, and if not: raise bloody hell to your local government officials for a new 911 system. It may be your sister or brother or mother or father or friend who might need that location detection just to get the needed personnel there as quickly as possible.

  16. scooterge558 says:

    So from reading the article, if you’ve already registered your account online, which I (we, our family) did several years ago, then it can’t happen to you.

    I guess the real question is, how many users haven’t registered their account online? There certainly can’t be too many that have no online access to their account.

  17. jesuismoi says:

    You didn’t redact the name on the “Welcome Back to My Sprint” screen — signed in as “name should have been blacked out”

  18. prescott says:

    For 2 days, Sprint has been upgrading their systems and the sprint.com website works 50% of the time. CSRs still hang up on you and are rude. Managers yell at customers and agents.

  19. aaronw1 says:

    Just wanted to point out that these sorts of ‘security’ measures (while not perfect) aren’t meant to protect you from people who are ‘stalking’ you or are good friends who you already know a lot of information about them… It’s supposed to protect you from the person who knows nothing about you and has a stack of numbers to go through. Granted, it sounds like the implementation could use some help (more questions, better ‘fake’ answers), but the idea at least is an attempt.

  20. lokofun says:

    Okay .. just logged into my STBX account. DA has got a new phone but has no penny to give as spousal support. Sprint still has done nothing about this breach. I could’ve done some changes to DA’s account but didn’t feel right.

  21. cdmarulz says:

    Sprint is not the only company using a security process like the above. I called into Fidelity Investments and said I forgot my PIN and the same questions were asked to confirm my identity. Cell phones are one thing, investment $ is another.

  22. Debra Oehlberg says:

    Wow, this is scary info!

  23. Randy Ferrantino says:

    Perhaps the Sprint Corporation needs to have their own kids’ cell phones targeted to wake them up a bit.