Flawed Security Lets Sprint Accounts Get Easily Hijacked

We found you can hijack a Sprint user’s account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I’ll show you how we cracked into a Sprint account and just how much damage I could have done, inside…

First I needed someone to volunteer their Sprint cellphone number to test for research purposes. Intern Alex Chasick put out a request on his IM Away Message and within minutes Nathan (thanks Nathan!) offered up his number.

Next I went to the part of the Sprint website where you register for online account access. I filled out some account registration information and then chose to have Sprint ask me a few questions to verify my identity so I could set up my PIN code. This is where it gets fun.

Alex is in his 20’s and lives in the Washington DC area, so I figured that our mark is too. Just knowing that, I was able to answer all the questions correctly on the first shot. Here’s what they were:

“Which of the following vehicle makes has been registered at the following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None of the Above.”

I figure a college kid is not going to have a Lotus, Lamborghini, or a Fiat, so I went with Honda.

“Which of the following people have resided with you or used the same address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome Ponicki, John Pace, None of the above.”

The extra space in Jerry’s last name caught my eye. That looks like a data entry error, like the name was probably grabbed from an actual database instead of a generated fake name. So I went with that one.

“In which of the following cities have you NEVER lived or used in your address? Longmont, North Hollywood, Genoa, Butte, All of the above.”

I’ve never heard of any of those cities being near DC, so I went with “all of the above.”

And then, open sesame, I’m in.


From now on, for all intents and purposes, to Sprint I am Nathan. I can see Nathan’s billing address, useful if I wanted to conduct more identity theft. I could add services, take away services. I could order GPS tracking on his account and see exactly where he is in the world from any computer with internet access.


I could look in his call history and see all of his calls. I could change Nathan’s billing to e-billing…

…change his home address to a drop location,


…order a bunch of phones…


…and have them sent to my drop location, and then sell them on eBay, leaving Nathan stuck with the bill. (Sound familiar? We posted a Sprint complaint just like this, “Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500.” In that case, the Sprint fraud department said it was “probably someone inside Sprint” who did the exact scam I just described to you.) Remember, all I knew about this guy was his cellphone number, that he was in his 20’s, and that he lived in DC. That’s it. That’s all it took to completely hijack his entire Sprint account.

When Jim reported it to Sprint, he says he “called support (3 or 4 times). Surprisingly, the last time I spoke with someone who realized the issue was a big deal, but she had no idea who to contact, and her supervisor only said to fill out a website feedback form. I then filled out a feedback form. Pretty sure that went nowhere. I then called the number you guys offer, 703-433-4401. I spoke with someone there who said they’d pass it on to the website team. They did mention they tested out the security question setting and found that nobody could guess anyone else’s information…”

Here’s a possible reason why the hole exists. Young people are less likely to have well-developed credit histories and other public records from which to draw the possible answers for the identity verification, leading to what tipster Jim calls “rather silly questions it’s easy to guess the answers to…The point of a PIN is to identify me as a person, not just that it’s someone who knows me.”

Making this system even weaker, the questions seem to be based on public records. All a thief has to do is know your name in addition to your phone number and search these publicly accessible records.

In the comments on this post, a former Sprint rep says it’s even worse than we thought. He says that every question about cars has three luxury models and one typical one, and that “none of the above” for “which properties have you owned” was correct 99% of the time. Worst of all, you only need to answer two of the three questions correctly to gain access to an account. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.”
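To put numbers on the two-of-three rule described above, here is an added Python model (not Sprint’s or its vendor’s code) that computes how often a guesser passes a k-of-n question gate. The per-question guess rates are assumptions constructed from the figures on this page (five options per question, one typical make among luxury ones on the car question, “none of the above” correct about 99% of the time), not the vendor’s real statistics.

```python
"""Pass-probability model for a k-of-n knowledge-based-authentication gate.

Added illustration, not Sprint's or its vendor's code. The guess rates below
are constructed from the figures given on this page; the vendor's actual
answer distributions are not known.
"""
from itertools import product
from math import prod


def pass_probability(p_correct, k):
    """Probability that at least k of len(p_correct) questions are answered
    correctly, when question i is answered correctly independently with
    probability p_correct[i]. Enumerates all 2**n right/wrong outcomes."""
    total = 0.0
    for outcome in product((False, True), repeat=len(p_correct)):
        if sum(outcome) >= k:
            total += prod(p if hit else 1.0 - p
                          for p, hit in zip(p_correct, outcome))
    return total


def expected_attempts(p_pass):
    """Mean number of independent attempts until the first pass."""
    return 1.0 / p_pass


def success_before_lockout(p_pass, max_attempts):
    """Probability that a guesser passes within max_attempts tries, i.e.
    before a lockout (or a notification to the real customer) stops them."""
    return 1.0 - (1.0 - p_pass) ** max_attempts


# Constructed scenarios: three questions, five options each.
# Blind guessing: every question is a 1-in-5 pick.
BLIND = [0.2, 0.2, 0.2]
# Informed guessing, using what the article and the ex-rep comment report:
#   car question: one typical make among luxury ones, so the guesser picks
#   between it and "none of the above"             -> ~0.5 (assumption)
#   co-resident question: no useful prior          -> 0.2
#   properties/cities, "none of the above" answer  -> 0.99 (ex-rep's figure)
INFORMED = [0.5, 0.2, 0.99]

if __name__ == "__main__":
    for name, rates in (("blind", BLIND), ("informed", INFORMED)):
        for k in (2, 3):
            p = pass_probability(rates, k)
            print(f"{name:8s} {k}-of-3: pass {p:.3f}, "
                  f"~{expected_attempts(p):.0f} attempts on average, "
                  f"{success_before_lockout(p, 3):.3f} within 3 tries")
```

Blind guessing against a 3-of-3 gate needs about 125 tries on average (the 5*5*5 figure), whereas the informed 2-of-3 case passes more often than not on the very first attempt, which is why the threshold and a lockout matter as much as the questions themselves.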

Before posting this material, we reported it to Sprint. After looking into it for a day, they gave this official response:

Sprint works with an established third-party vendor that handles the customer verification process noted in your email. Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described; however, we continuously seek out ways to improve customer account security and we look for information from a variety of sources. Based on the information provided by the Consumerist, we immediately escalated the issue with our vendor partner so that it can make the necessary adjustments to ensure that our customer verification process remains secure. Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.

Let’s hope that’s not just lip service and Sprint does upgrade its identity verification process. How could anyone design a system so poorly? I speculate that internal Sprint metrics demanded a certain ratio of successful to unsuccessful signups. Since making the process more secure would mean more legitimate Sprint customers were turned away from creating an online account, someone was able to up their numbers by making the process less secure.

Makes you think twice about giving your number out at the bar.

Comments


  1. leprofie says:

    “Still, makes you think twice about giving your number out at the bar.”

    Then, there is a gridskipper ad below that for “DC’s Gayest Gay Bars”

    Classic!

  2. What The Geek says:

    well damn – that’s just weak. With a little bit of social engineering, the world opens up to you in ways it just shouldn’t.

    You know what else is weak?
    This:

    [www.eggxpert.com]

    I actually sent that to the consumerist earlier today, but I fear I may have gotten lost in a spam filter or something of that nature.

  3. ConsumerAdvocacy1010 says:

    This does not surprise me. That new CEO of Sprint doesn’t seem to be doing anything new or useful. Sprint to this day has NO security in place.

    You can open up the phone book, pick a name and address, randomly create an SSN, and get a phone/plan via a 3rd party retailer.

    You pay NOTHING upfront. The person’s name you used and/or the SSN number you provided (if it’s real) would then get a bill in the mail some months later.

    In fact, if the SSN is invalid…they will use the name provided…and apply that SSN to the bill (provided you were EVER a Sprint/Nextel customer).

    Happened to me twice. TWICE. Got a bill…told ‘em it was fraud. Sprint said okay…taken care of.

    Month later…another bill…with a different number.

    Idiots. They let someone open an account AGAIN in my name even though it was done fraudulently a month prior.

    Fraud department at Sprint is aware of this, and as of last summer…still done nothing about it.

    I paid nothing and nothing was put against me on my credit report…but Sprint can still burn in hell.

  4. GiltProto says:

    I have a Sprint account and they have been sending out postcards for months now requesting people to activate their online accounts. Yes, even I put it off for too long… Once you establish your account you should be safe, but the people who neglect to do this for whatever reason are the ones at risk. You’d think it might make more sense for Sprint to send a temporary PIN to the phone first so that there’s less ability for random people to weasel their way into an account so easily.

  5. FightOnTrojans says:

    Yah, y’all forgot to black out an account number where it says “Change Billing Information.”

    Also, you might want to black out that red text at the beginning. I’m pretty sure Dan doesn’t want that little bit of personal business broadcast out to the Consumerist community and beyond.

  6. Pro-Pain says:

    I love Sprint!

  7. rmz says:

    I think that name is supposed to be “Jerry Stefl III” (as in, “The Third”), but the automatic formatting screwed it up.

  8. Monty says:

    Given the passwords people come up with, it might be easier to guess their current password on a site for someone you know. Once you have one password, you likely have all of their online passwords. So, while I appreciate the fact that Sprint is hardly making a huge barrier to breaking into an account, I am still convinced that the login/password system used on most sites is the first problem.

    I have often wondered if some web developers try using the passwords users set up for their web site on other sites to see if they are one of the majority of people that use the same password on all web sites.

    In any case, I hope Sprint improves their security, but I will not hold this against them. Their ridiculous customer service, on the other hand, is unforgivable.

  9. What The Geek says:

    @FightOnTrojans: ya know what’s funny? I didn’t notice it the first time I read through the post either.

    Sorta funny that the consumerist accidentally gave out an acct number while trying to point out a security flaw with sprint.

  10. Bramble73 says:

    I went through this this weekend with my Sprint account. This identification process is definitely prone to error. Not only can someone pretend to be you, but some of the questions they asked me made me scratch my head. I got a similar question to the who’s shared your address one above. But in my case it was which of the following hadn’t shared an address with you. The answers were a misspelling of my name, the person I sold my old house to a couple of years ago, the person I had bought that house from 10 years ago, and some name I didn’t recognize. Since the house I live in now has had several owners before me the unknown name could have been one of those, I wasn’t sure what the “correct” answer was. None of these people had ever lived in the house with me at the same time, it’s just lucky I had a good enough memory to recognize names from the closing paperwork. I eventually went with the misspelling, since it wasn’t one I’d seen on any mail sent to me before. And they let me in. So maybe the correct answer is always pick the misspelled name.

  11. FooKoo says:

    It might have been more useful to see what would happen if even only one question was answered incorrectly: would that trigger the account being locked? Ben made some intelligent guesses based on previous knowledge and luck. The answer for the type of vehicle, for instance, could easily have been “None of the above.” Would that incorrect answer lock the account?

  12. scoosdad says:

    @FightOnTrojans: Yeah and Dan’s full name appears all over those screen grabs too. No point in blacking it out on the form when it appears elsewhere on just about every screen that was shown.

  13. shorty63136 says:

    I actually just tried this for my dad’s Blackberry, but it didn’t work.

  14. deepsprint says:

    Sprint is in the process of converting accounts over to a pin code system that is good security. But for the millions of accounts that are not converted yet, all you need is the last four of the customer’s social security number and their name and address and you can pretty much do what you want including change of address and order phones.

  15. Ben Popken says:

    @scoosdad: Guess what, his name is Nathan, not Dan.

  16. mikesfree says:

    Well, interesting. But sprint sends a text message to the phone that is being tracked, so the user would have a heads up.

  17. scoosdad says:

    @Ben Popken: Ah, Nathan Daniels! LOL

  18. jamesdenver says:

    I hate these questions. “What is your nephew’s name.” “What kind of car do you drive” (I have neither). Why can’t I just type in a goddam password?

    Some sites make you remember a picture of a puppy to log in, and you can’t check your Chase account without registering on that computer.

    hate it hate it hate it.

  19. rbf2000 says:

    If only they took the issue seriously…

  20. Vroomtrap says:

    @cde: Now all they need to do is take the link to the original image with the account number down too :).

  21. bugout99 says:

    just for the record… The GPS feature sends a text to the phone you’re trying to locate every time you use the service.

  22. amejr999 says:

    T-Mobile sends a free text message to your phone with a PIN to activate the online access. That seems to make sense.

  23. Ben Popken says:

    @scoosdad: Nope, Daniels is not part of his name at all. It’s just what I inputted when I set up the online account access. But thanks for playing anyway.

  24. mgy says:

    I’m a Sprint customer and Gary Forsee is the president of the university I attend and work at. Do you think he still has any pull with Sprint? I’ll drop by and chew him out for you.

  25. Anks329 says:

    This is why I like security tokens/key fobs or whatever you want to call them. In order to log into the website, you need your user name, password, and this key fob which generates a new random 6 digit code every 30 seconds. Adds much more security to online banking and such transactions.

  26. Imaginary_Friend says:

    Consumerist: 1 Sprint: Sero

  27. katylostherart says:

    hey he COULD have a lotus. really. i mean i totally have a hot car like that.

    *drives off in civic*

  28. MissTic says:

    I’m starting to think that the paranoid nutjobs who live totally off the grid are onto something! Sheesh!

  29. imsupermattt says:

    I have already set up my online account with sprint, including the pin. However, i went to sprint.com and was able to request a new pin by answering similar verification questions. I supplied only my phone number to get to this option.

    1: Which of the following properties have you NEVER owned?

    All of the above is an answer. Easily cracked considering I’m 25. I’d have owned 3 different properties in order to qualify for one of the other answers (you can only pick one answer).

    2: In which of the following cities have you NEVER lived or used in your address?

    This one gets slightly tougher, but anyone who knows me could answer this. It also has the All of the above answer, which means in order for one of the specific cities to be correct I’d have lived in three of the others.

    3: Which of the following people have resided with you or used the same address as you at [redacted]?

    If someone knew me reasonably well, they’d answer this right. If they dug through my trash, they’d answer this right. If they guessed, they’d still have a 20% chance of hacking my account.

    Luckily, when I try to reset the pin I get, “Due to a systems problem, we are unable to display questions that confirm your identity at this time.” So I guess I’m safe for now. Nonetheless, that’s one of the more retarded verification systems I’ve ever seen. Furthermore, why even leave this option available after I’ve already selected my pin? I entered a security question of my choosing, just stick to that one Sprint.

  30. cde says:

    @Joseph: They did remove it :P

  31. pengie says:

    Wow. Good work, guys.

  32. opticnrv says:

    I’m a Sprint customer.

    I’ve just Emailed the entire marketing team of sprint highlighting this post.

    If you are a Sprint customer I urge you to do the same.

    Let’s make sure these guys address this security hole.

    You can find Marketing Emails here:
    [www2.sprint.com]

    I suggest sending it to all of them.

  33. KD17 says:

    I can’t wait to get away from sprint

  34. I nearly got into someone else’s account doing this, I now know their pin number and their security question.
    It won’t let me progress further to register their account, I guess I have to use their email and their correct last name in order to do it.

    Still, it’s sad that I got this far, and I totally guessed on every question.

  35. unklegwar says:

    Oooh! It was “used by the federal government”. Oh great!

    And it says something about Katrina. I’m sure this had a hand in THAT mess of fraud as well.

  36. unklegwar says:

    can we possibly hijack every sprint account in existence and cancel walkie talkie service permanently? No more “BADEEP!”.

  37. FightOnTrojans says:

    @Ben Popken: Ok, but you still haven’t addressed something else. At the “Welcome back to My Sprint” screen grab, under the blacked out account number in the upper left corner, there’s a bit of info there that should be blacked out as it is slightly embarrassing (IMO). Look for the red triangle with the exclamation point.

  38. midwestkel says:

    Ok, I have already registered with Sprint’s online account and I just did it again doing this method. It even told me the answer to my secret question and now my other user name is gone but I have full access with the new user name. So even if someone is already registered they still can have this happen! I am shocked!!!!!

  39. IphtashuFitz says:

    I actually like one of the security features that Bank of America recently added to their website. When you want to log in you not only provide your account number & PIN but you have to click on a button that will send a text message containing a random 6 digit number to your cell phone. You also have to enter that number into the website to log in. The number only works once and is active for only 10 minutes. The chances of a scammer grabbing my account number, PIN, AND that text message sent to my cell phone, and logging into the site before I do is virtually non-existent.

  40. unklegwar says:

    even if you are a determined idiot, you can get in via brute force in 125 tries or less (5*5*5).

    But the offered answers make it very easy to narrow down.

  41. pillow_fight_girl says:

    @FightOnTrojans:

    Oh, so what – the account is PAST DUE. Who cares?

  42. midwestkel says:

    This was the email I got once I re-registered my phone

    ————————————-
    Phone Number: **********
    IMEI or SIM ID: **********

    The Phone Number and IMEI/SIM ID (listed above) that you provided to us during My Sprint registration process has been registered by another Nextel subscriber. If you have not changed cell phones recently or believe you have received this message in error, please contact Customer Care at 1-800-639-6111.

    Thank you.

    This email has been automatically generated. Please do not reply to this message.
    ————————————-

  43. K-Bo says:

    @pillow_fight_girl: New around here? Many commenters will hang you from the rafters for admitting something like an overdue account. I wouldn’t want the fact I have an overdue account published here.

  44. FightOnTrojans says:

    @K-Bo: EXACTLY! I didn’t want to put it in the comments either, but there it is. Thanks for the back-up, K-Bo!

  45. Caprica Six says:

    hey wait, they did not take the matter seriously! They only said it was a “top priority.”

    “Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.”

  46. dragonfire81 says:

    I’m a former Sprint rep, I worked with this “3 questions” system numerous times.

    I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.

    In every question pertaining to cars, it was always three Luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford for example) which made them stupidly easy to guess.

    In addition the “none of the above” answer for “which properties have you owned?” was correct 99% of the time.

    On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won’t tell you which ones were right and wrong, but you need only answer TWO of three to get access.

    This new process is more trouble than it’s worth if you ask me and I’d like to find the person who came up with it and give him a good punch to the head.

    But don’t blame Sprint for all of this, some people truly don’t give a crap about the security on their accounts. When asking customers to setup a 6-digit pin number most just wanted to set it to 1111111 or 123456. Pretty secure huh?

  47. dragonfire81 says:

    Oops, that should say 111111…

  48. TechnoDestructo says:

    @big keytee:

    They’ve caught on. How long until that’s the new industry-standard catchphrase?

  49. NotATool says:

    This anti-fraud tool has been used by numerous industries, as well as the Federal Government…to successfully prevent identity theft and fraud.

    Well, that just about explains everything, now doesn’t it?

  50. think4urself says:

    Oh, and you can get someone’s email address easy too. Not sure how helpful it can be, but you just need to have the person’s cell number and type that into the online account sign on and click, forgot password. It then shows the email address the person used to activate the account..haha

  51. mach1andy says:

    Adding insult to injury, Sprint has a typo in their GPS pitch: “…provide superiro customer service” … I’ll say.

  52. cde says:

    @K-Bo: She is new. Only 4 posts since February.

  53. stephenjames716 says:

    this does not make me feel safe….thanks sprint

  54. Seth_Went_to_the_Bank says:

    “Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described…”

    Yeah, I’m sure that’s true. It’s called “plausible deniability.” You don’t put a system in place to track something you don’t want to know about, so you can say you were never aware of it.

    Great job, Sprint!

  55. topeka says:

    http://www.sprint.com website is unavailable at least 50% of the time. When you call customer service, you get bad customer service or get hung up on/disconnected, or placed on hold forever. No one will take the time to listen to you, resolve your issues completely and correctly. Billing adjustments are temporary for one day only, then you have to call in every month to adjust the same bill. There are many managers and supervisors who will talk to you, however, they do not resolve the issues. The bad customer service agents and bad managers outnumber the good agents and supervisors. Agents are rushed to get through their phone calls and do not resolve customer’s problems. Sprint customer service and management are the worst in the telecom industry.

  56. newfenoix says:

    @topeka: Forbes has Sprint listed in their “Hall of Shame.” I had a Sprint account from Jan of 02 until July of 07. The company went to crap after they joined with Nextel. As far as the online services; well, that was an absolute nightmare. I had several phone hardware problems, which they would not address. I had service issues which never got resolved but the final insult was when I was billed for their “media package.” It was offered and I told the CSR at least 10 times that I did not want it. But I got billed for it anyway. When I dropped Sprint last year the supervisor that the CSR connected me with did everything but beg me to stay. I will never, ever use Sprint again.

  57. cascascas says:

    Aren’t these questions based on public records? So if they’re public, even if you can’t guess the answers, I’m sure you can look them up…

  58. coopjust says:

    This is inane. I’m glad I’m no longer a Nextel customer (everything sucked after the merger), but this system is inanely bad. Heads should roll over this.

  59. tkerugger says:

    All of the above, plus…what a pain in the ass to actually sign up for account access. Now I have a username, password and a PIN to use, plus they’ll send me a bunch of emails? And, frankly, what a shitty looking page once I (finally) got in…

    The countdown to May 25th (Sprint contract expiration) is on…

    Oh, fun. Since they’ve upgraded me to the new billing system, I can’t pay my bill online until after my next billing cycle. So, pay a late fee then or pay a fee to pay my bill at a Sprint store? Sons of bitches!

  60. bossco says:

    I am a Sprint customer. I noticed that this week when I logged on they required me to add an authorization number that they sent to my phone, in order to complete my log on.

  61. yargrnhoj says:

    Sprint isn’t the only one using systems like this. I recently had a call from ‘fraud prevention’ from one of my credit card companies and they asked similar questions. One was which car did I have a car loan on (easy to figure out if you snooped around my house, since I only have one car). Also a list of previous addresses I lived at (again, if you know my car, you might figure this out since I have a sticker on the back from the dealer which is in another state, which was one of the choices).

  62. ViperBorg says:

    Yeah, I had this issue with them. Considering they are still doing this, I canceled my account with them. I like my money to stay with me, thank you.

    Moved to another carrier, and have had no problems.

  63. NWSPMP says:

    Scarily enough, in addition to this, fully registered accounts that are already setup in their Online System are vulnerable via “I Forgot my PIN” which asks the same damned questions.

    Mine – Gave me the “which car has been registered” blah blah with the answers being “Fiat, Lancia, Ferrari, and Toyota” An then with the “Which property do you own?” and “Which cities have you lived in?” almost always being “None of the above” and only needing TWO correct answers.

    Yep. This sealed it. Getting rid of Sprint, even though they’re the only provider with half a decent data network speed in the area.

  64. This is rather odd, but probably a result of the Nextel merger. I remember when I signed up for my Sprint on-line account years ago. As part of the process, they sent me a one-time password to my cellphone. Very simple way to make sure that the person signing on is the person in possession of the phone.

    So all I can guess is when they got all excited about switching to the new platform for consumer access to their Sprint accounts, they yanked out stuff like OTP which couldn’t be made to work yet….

  65. Ton80 says:

    “There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer.”

    There is an easy fix on most modern cellphones for this!!!

    In your phone setup menu, probably buried, but be thorough through all your menu options. You will find a setting that closely matches that above quote with two settings: either global or Emergency 911 only (for USA). Set it to Emergency 911 only.
    And pray and hope and check out to see if that 911 system in your area is very modern that can grab that GPS signal from your phone and if not: Raise bloody hell to your local government officials for a new 911 system. It may be your sister or brother or mother or father or friend who might need that location detection just to get the needed personnel there as quickly as possible.

  66. scooterge558 says:

    So from reading the article, if you’ve already registered your account online, which I (we, our family) did several years ago, then it can’t happen to you.

    I guess the real question is, how many users haven’t registered their account online? There certainly can’t be too many that have no online access to their account.

  67. jesuismoi says:

    You didn’t redact the name on the “Welcome Back to My Sprint” screen — signed in as “name should have been blacked out”

  68. prescott says:

    For 2 days, Sprint has been upgrading their systems and the sprint.com website works 50% of the time. CSRs still hang up on you and are rude. Managers yell at customers and agents.

  69. aaronw1 says:

    Just wanted to point out that these sorts of ‘security’ measures (while not perfect) aren’t meant to protect you from people who are ‘stalking’ you or are good friends who you already know a lot of information about them… It’s supposed to protect you from the person who knows nothing about you and has a stack of numbers to go through. Granted, it sounds like the implementation could use some help (more questions, better ‘fake’ answers), but the idea at least is an attempt.

  70. lokofun says:

    Okay .. just logged into my STBX account. DA has got a new phone but has no penny to give as spousal support. Sprint still has done nothing about this breach. I could’ve done some changes to DA’s account but didn’t feel right.

  71. cdmarulz says:

    Sprint is not the only company using a security process like the above. I called into Fidelity Investments and said I forgot my pin and the same questions were asked to confirm my identity. Cell phones are one thing, investment $ is another.

  72. Debra Oehlberg says:

    Wow, this is scary info!

  73. Randy Ferrantino says:

    perhaps the Sprint Corporation needs to have their own kids’ cell phones targeted to wake them up a bit.