We found you can hijack a Sprint user's account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this hole. I'll show you how we cracked into a Sprint account and just how much damage I could have done, inside…
First I needed someone to volunteer their Sprint cellphone number to test for research purposes. Intern Alex Chasick put out a request on his IM Away Message and within minutes Nathan (thanks Nathan!) offered up his number.
Next I went to the part of the Sprint website where you register for online account access. I filled out the registration form and then chose to have Sprint ask me a few questions to verify my identity so I could set up my PIN. This is where it gets fun.
Alex is in his 20s and lives in the Washington DC area, so I figured that our mark probably is too. Knowing just that, I was able to answer all the questions correctly on the first shot. Here's what they were:
“Which of the following vehicle makes has been registered at the following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None of the Above.”
I figure a college kid is not going to have a Lotus, Lamborghini, or a Fiat, so I went with Honda.
“Which of the following people have resided with you or used the same address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome Ponicki, John Pace, None of the above.”
The extra space in Jerry's last name caught my eye. That looks like a data entry error, as if the name was grabbed from an actual database instead of being a generated fake. So I went with that one.
“In which of the following cities have you NEVER lived or used in your address? Longmont, North Hollywood, Genoa, Butte, All of the above.”
I've never heard of any of those cities being near DC, so I went with "all of the above."
And then, open sesame, I’m in.

From now on, for all intents and purposes, to Sprint I am Nathan. I can see Nathan's billing address, useful if I wanted to commit further identity theft. I could add services or take away services. I could order GPS tracking on his account and see exactly where he is in the world from any computer with internet access.

I could look in his call history and see all of his calls. I could change Nathan's billing to e-billing, change his home address to a drop location, order a bunch of phones and have them sent to my drop location, and then sell them on eBay, leaving Nathan stuck with the bill. (Sound familiar? We posted a Sprint complaint just like this, "Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500." In that case, the Sprint fraud department said it was "probably someone inside Sprint" who ran the exact scam I just described to you.) Remember, all I knew about this guy was his cellphone number, that he was probably in his 20s, and that he probably lived in DC. That's it. That's all it took to completely hijack his entire Sprint account.
When Jim reported it to Sprint, he says he "called support (3 or 4 times). Surprisingly the last time I spoke with someone who realized the issue was a big deal, but she had no idea who to contact, and her supervisor only said to fill out a website feedback form. I then filled out a feedback form. Pretty sure that went nowhere. I then called the number you guys offer, 703-433-4401. I spoke with someone there who said they'd pass it on to the website team. They did mention they tested out the security question setting and found that nobody could guess anyone else's information…"
Here’s a possible reason for why the hole exists. See, young people are less likely to have well developed credit histories and other public records from which to draw the possible answers for the identity verification, leading to what tipster Jim calls, “rather silly questions it’s easy to guess the answers to…The point of a PIN is to identify me as a person, not just that it’s someone who knows me.”
Making this system even weaker, the questions seem to be based on public records. All a thief has to do is know your name in addition to your phone number and search those publicly accessible records.
In the comments on this post, a former Sprint rep says it's even worse than we thought. He says that every question about cars offers three luxury models and one typical one, and that "none of the above" for "which properties have you owned" was correct 99% of the time. And worst of all, you only need to answer two of the three questions correctly to gain access to an account. "I was shocked at the number of times I was able to access an account by simply guessing the answers," he writes. "Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily."
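To put numbers on what the former rep describes, here is a small Python model of how much a two-of-three acceptance rule and lopsided answer choices help a guesser. This is an added illustration, not part of the original Consumerist post and not Sprint's or its vendor's code. The per-question guess probabilities are assumptions for illustration, not measurements of Sprint's system: the 1-in-5 baseline just reflects five answer choices per question, and the "skewed" figures stand in for the rep's observations (one plausible make among luxury cars, "none of the above" almost always right on the property question, a straight guess on the housemate question).

```python
from itertools import combinations
from math import ceil, log


def pass_probability(guess_probs, required):
    """Probability that an attacker guessing each question independently
    gets at least `required` of them right (a k-of-n acceptance rule).

    guess_probs: per-question probability that the attacker's guess is correct.
    required:    how many correct answers the gate demands (3 = all, 2 = two of three).
    """
    n = len(guess_probs)
    if not 0 < required <= n:
        raise ValueError("required must be between 1 and the number of questions")
    total = 0.0
    # Sum over every subset of questions the attacker could get right,
    # of size `required` or larger.
    for k in range(required, n + 1):
        for right in combinations(range(n), k):
            p = 1.0
            for i, q in enumerate(guess_probs):
                p *= q if i in right else 1.0 - q
            total += p
    return total


def attempts_for_confidence(p_success, confidence=0.5):
    """Smallest number of independent attempts after which the attacker has at
    least `confidence` chance of having gotten in at least once. Assumes each
    attempt draws a fresh question set with the same odds and nothing locks
    the account (the article never saw a lockout, so that is the pessimistic case)."""
    if p_success >= 1.0:
        return 1
    if p_success <= 0.0:
        raise ValueError("p_success must be positive")
    return ceil(log(1.0 - confidence) / log(1.0 - p_success))


# Scenario A (constructed): five choices per question, attacker has no prior knowledge.
UNIFORM = [0.2, 0.2, 0.2]

# Scenario B (constructed, assumed figures standing in for the rep's observations):
# vehicle question with one ordinary make among luxury models, "none of the above"
# on the property question, and a plain guess on the housemate question.
SKEWED = [0.8, 0.95, 0.2]


def summary():
    """Per-attempt success probability under both rules for both scenarios."""
    return {
        "uniform_3_of_3": pass_probability(UNIFORM, 3),
        "uniform_2_of_3": pass_probability(UNIFORM, 2),
        "skewed_3_of_3": pass_probability(SKEWED, 3),
        "skewed_2_of_3": pass_probability(SKEWED, 2),
    }


if __name__ == "__main__":
    for name, p in summary().items():
        tries = attempts_for_confidence(p)
        print(f"{name}: {p:.3f} per attempt, about {tries} attempt(s) for even odds")
```

Under the uniform assumption, relaxing the gate from three-of-three to two-of-three takes a blind guesser from under 1% to about 10% per attempt, so even odds of getting in arrive after seven tries instead of almost ninety. With the skewed choices the rep describes, two-of-three lets the guesser in about four times out of five on the first try, which is the behaviour the article reproduced.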
Before posting this material, we reported it to Sprint. After looking into it for a day, they gave this official response:
Sprint works with an established third-party vendor that handles the customer verification process noted in your email. Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described; however, we continuously seek out ways to improve customer account security and we look for information from a variety of sources. Based on the information provided by the Consumerist, we immediately escalated the issue with our vendor partner so that it can make the necessary adjustments to ensure that our customer verification process remains secure. Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.
Let's hope that's not just lip service and Sprint does upgrade its identity verification process. How could anyone design a system so poorly? I speculate that internal Sprint metrics demanded a certain ratio of successful to unsuccessful signups. Since making the process more secure would mean more legitimate Sprint customers were turned away from creating an online account, someone was able to boost their numbers by making the process less secure.
Makes you think twice about giving your number out at the bar.
“Still, makes you think twice about giving your number out at the bar.”
Then, there is a gridskipper ad below that for “DC’s Gayest Gay Bars”
Classic!
well damn – that’s just weak. With a little bit of social engineering, the world opens up to you in ways it just shouldn’t.
You know what else is weak?
This:
[www.eggxpert.com]
I actually sent that to the consumerist earlier today, but I fear I may have gotten lost in a spam filter or something of that nature.
This does not surprise me. That new CEO of Sprint doesn’t seem to be doing anything new or useful. Sprint to this day has NO security in place.
You can open up the phone book, pick a name and address, randomly create an SSN, and get a phone/plan via a 3rd party retailer.
You pay NOTHING upfront. The person’s name you used and/or the SSN number you provided (if it’s real) would then get a bill in the mail some months later.
In fact, if the SSN is invalid…they will use the name provided…and apply that SSN to the bill (provided you were EVER a Sprint/Nextel customer).
Happened to me twice. TWICE. Got a bill…told ‘em it was fraud. Sprint said okay…taken care of.
Month later…another bill…with a different number.
Idiots. They let someone open an account AGAIN in my name even though it was done fraudulently a month prior.
Fraud department at Sprint is aware of this, and as of last summer…still done nothing about it.
I paid nothing and nothing was put against me on my credit report…but Sprint can still burn in hell.
I have a Sprint account and they have been sending out postcards for months now requesting people to activate their online accounts. Yes, even I put it off for too long… Once you establish your account you should be safe, but the people who neglect to do this for whatever reason are the ones at risk. You’d think it might make more sense for Sprint to send a temporary PIN to the phone first so that there’s less ability for random people to weasel their way into an account so easily.
Yah, y’all forgot to black out an account number where it says “Change Billing Information.”
Also, you might want to black out that red text at the beginning. I’m pretty sure Dan doesn’t want that little bit of personal business broadcast out to the Consumerist community and beyond.
I love Sprint!
I think that name is supposed to be “Jerry Stefl III” (as in, “The Third”), but the automatic formatting screwed it up.
Given the passwords people come up with, it might be easier to guess their current password on a site for someone you know. Once you have one password, you likely have all of their online passwords. So, while I appreciate the fact that Sprint is hardly making a huge barrier to breaking into an account, I am still convinced that the login/password system used on most sites is the first problem.
I have often wondered if some web developers try using the passwords users set up for their web site on other sites to see if they are one of the majority of people that use the same password on all web sites.
In any case, I hope Sprint improves their security, but I will not hold this against them. Their ridiculous customer service, on the other hand, is unforgivable.
@FightOnTrojans: ya know what’s funny? I didn’t notice it the first time I read through the post either.
Sorta funny that the consumerist accidentally gave out an acct number while trying to point out a security flaw with sprint.
I went through this this weekend with my Sprint account. This identification process is definitely prone to error. Not only can someone pretend to be you, but some of the questions they asked me made me scratch my head. I got a similar question to the who's-shared-your-address one above. But in my case it was which of the following hadn't shared an address with you. The answers were a misspelling of my name, the person I sold my old house to a couple of years ago, the person I had bought that house from 10 years ago, and some name I didn't recognize. Since the house I live in now has had several owners before me, the unknown name could have been one of those, so I wasn't sure what the "correct" answer was. None of these people had ever lived in the house with me at the same time; it's just lucky I had a good enough memory to recognize names from the closing paperwork. I eventually went with the misspelling, since it wasn't one I'd seen on any mail sent to me before. And they let me in. So maybe the correct answer is always pick the misspelled name.
It might have been more useful to see what would happen if even only one question was answered incorrectly: would that trigger the account being locked? Ben made some intelligent guesses based on previous knowledge and luck. The answer for the type of vehicle, for instance, could easily have been “None of the above.” Would that incorrect answer lock the account?
@FightOnTrojans: Yeah and Dan’s full name appears all over those screen grabs too. No point in blacking it out on the form when it appears elsewhere on just about every screen that was shown.
I actually just tried this for my dad’s Blackberry, but it didn’t work.
Sprint is in the process of converting accounts over to a pin code system that is good security. But for the millions of accounts that are not converted yet, all you need is the last four of the customer’s social security number and their name and address and you can pretty much do what you want including change of address and order phones.
@scoosdad: Guess what, his name is Nathan, not Dan.
Well, interesting. But sprint sends a text message to the phone that is being tracked, so the user would have a heads up.
@Ben Popken: Ah, Nathan Daniels! LOL
I hate these questions. “What is your nephew’s name.” “What kind of car do you drive” (I have neither). Why can’t I just type in a goddam password?
Some sites make you remember a picture of a puppy to log in, and you can’t check your Chase account without registering on that computer.
hate it hate it hate it.
If only they took the issue seriously…
@cde: Now all they need to do is take the link to the original image with the account number down too
just for the record… The GPS feature sends a text to the phone you’re trying to locate every time you use the service.
T-Mobile sends a free text message to your phone with a PIN to activate the online access. That seems to make sense.
@scoosdad: Nope, Daniels is not part of his name at all. It’s just what I inputted when I set up the online account access. But thanks for playing anyway.
I’m a Sprint customer and Gary Forsee is the president of the university I attend and work at. Do you think he still has any pull with Sprint? I’ll drop by and chew him out for you.
This is why I like security tokens/key fobs or whatever you want to call them. In order to log into the website, you need your user name, password, and this key fob which generates a new random 6 digit code every 30 seconds. Adds much more security to online banking and such transactions.
Consumerist: 1 Sprint: Sero
hey he COULD have a lotus. really. i mean i totally have a hot car like that.
*drives off in civic*
I'm starting to think that the paranoid nutjobs who live totally off the grid are onto something! Sheesh!
I have already set up my online account with sprint, including the pin. However, i went to sprint.com and was able to request a new pin by answering similar verification questions. I supplied only my phone number to get to this option.
1: Which of the following properties have you NEVER owned?
All of the above is an answer. Easily cracked considering I’m 25. I’d have owned 3 different properties in order to qualify for one of the other answers (you can only pick one answer).
2: In which of the following cities have you NEVER lived or used in your address?
This one gets slightly tougher, but anyone who knows me could answer this. It also has the All of the above answer, which means in order for one of the specific cities to be correct I'd have lived in three of the others.
3: Which of the following people have resided with you or used the same address as you at [redacted]?
If someone knew me reasonably well, they’d answer this right. If they dug through my trash, they’d answer this right. If they guessed, they’d still have a 20% chance of hacking my account.
Luckily, when I try to reset the pin I get, "Due to a systems problem, we are unable to display questions that confirm your identity at this time." So I guess I'm safe for now. Nonetheless, that's one of the more retarded verification systems I've ever seen. Furthermore, why even leave this option available after I've already selected my pin? I entered a security question of my choosing, just stick to that one Sprint.
@Joseph: They did remove it
Wow. Good work, guys.
I’m a Sprint customer.
I’ve just Emailed the entire marketing team of sprint highlighting this post.
If you are a Sprint customer I urge you to do the same.
Let’s make sure these guys address this security hole.
You can find Marketing Emails here:
[www2.sprint.com]
I suggest sending it to all of them.
I can’t wait to get away from sprint
I nearly got into someone else’s account doing this, I now know their pin number and their security question.
It won’t let me progress further to register their account, I guess I have to use their email and their correct last name in order to do it.
Still, it’s sad that I got this far, and I totally guessed on every question.
Oooh! It was “used by the federal government”. Oh great!
And it says something about Katrina. I’m sure this had a hand in THAT mess of fraud as well.
can we possibly hijack every sprint account in existence and cancel walkie talkie service permanently? No more “BADEEP!”.
@Ben Popken: Ok, but you still haven’t addressed something else. At the “Welcome back to My Sprint” screen grab, under the blacked out account number in the upper left corner, there’s a bit of info there that should be blacked out as it is slightly embarrassing (IMO). Look for the red triangle with the exclamation point.
Ok, I have already registered with Sprint’s online account and I just did it again doing this method. It even told me the answer to my secret question and now my other user name is gone but I have full access with the new user name. So even if someone is already registered they still can have this happen! I am shocked!!!!!
I actually like one of the security features that Bank of America recently added to their website. When you want to log in you not only provide your account number & PIN but you have to click on a button that will send a text message containing a random 6 digit number to your cell phone. You also have to enter that number into the website to log in. The number only works once and is active for only 10 minutes. The chances of a scammer grabbing my account number, PIN, AND that text message sent to my cell phone, and logging into the site before I do is virtually non-existent.
even if you are a determined idiot, you can get in via brute force in 125 tries or less (5*5*5).
But the offered answers make it very easy to narrow down.
@FightOnTrojans:
Oh, so what – the account is PAST DUE. Who cares?
This was the email I got once I re-registered my phone
————————————-
Phone Number: **********
IMEI or SIM ID: **********
The Phone Number and IMEI/SIM ID (listed above) that you provided to us during the My Sprint registration process has been registered by another Nextel subscriber. If you have not changed cell phones recently or believe you have received this message in error, please contact Customer Care at 1-800-639-6111.
Thank you.
This email has been automatically generated. Please do not reply to this message.
————————————-
@pillow_fight_girl: New around here? Many commenters will hang you from the rafters for admitting something like an overdue account. I wouldn’t want the fact I have an overdue account published here.
@K-Bo: EXACTLY! I didn’t want to put it in the comments either, but there it is. Thanks for the back-up, K-Bo!
hey wait, they did not take the matter seriously! They only said it was a “top priority.”
“Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.”
I’m a former Sprint rep, I worked with this “3 questions” system numerous times.
I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.
In every question pertaining to cars, it was always three Luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford for example) which made them stupidly easy to guess.
In addition the “none of the above” answer for “which properties have you owned?” was correct 99% of the time.
On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won’t tell you which ones were right and wrong, but you need only answer TWO of three to get access.
This new process is more trouble than it’s worth if you ask me and I’d like to find the person who came up with it and give him a good punch to the head.
But don’t blame Sprint for all of this, some people truly don’t give a crap about the security on their accounts. When asking customers to setup a 6-digit pin number most just wanted to set it to 1111111 or 123456. Pretty secure huh?
Oops, that should say 111111…
@big keytee:
They’ve caught on. How long until that’s the new industry-standard catchphrase?
Well, that just about explains everything, now doesn’t it?
Oh, and you can get someone’s email address easy too. Not sure how helpful it can be, but you just need to have the person’s cell number and type that into the online account sign on and click, forgot password. It then shows the email address the person used to activate the account..haha