Flawed Sprint Security Worse Than We Thought

In the comments on our post exposing a flaw in Sprint’s online account security that would let a stranger completely take control of your cellphone account, a former Sprint rep says it’s even weaker than we thought. How? Reader dragonfire81 says that every question about cars offers three luxury models and one typical car, so the typical one is almost always the right guess. “None of the above” for “which properties have you owned” was correct 99% of the time. And worst of all, you only need to answer two of the three questions correctly to gain access to an account, and the system doesn’t tell you which ones you got wrong. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.” Here’s his comment in full:

dragonfire81 writes:

I’m a former Sprint rep, I worked with this “3 questions” system numerous times.

I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.

In every question pertaining to cars, it was always three Luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford for example) which made them stupidly easy to guess.

In addition the “none of the above” answer for “which properties have you owned?” was correct 99% of the time.

On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won’t tell you which ones were right and wrong, but you need only answer TWO of three to get access.

This new process is more trouble than it’s worth if you ask me and I’d like to find the person who came up with it and give him a good punch to the head.

But don’t blame Sprint for all of this, some people truly don’t give a crap about the security on their accounts. When asking customers to setup a 6-digit pin number most just wanted to set it to 111111 or 123456. Pretty secure huh?
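To put numbers on the attack dragonfire81 describes, here is an added worked example in Python (it is not from the original post, from Sprint, or from any vendor). It computes an attacker's chance of getting through a multiple-choice identity quiz when only some of the questions must be answered correctly, and compares four evenly plausible choices per question against the skewed question sets described above. The per-question guess rates of 0.9, 0.99 and 0.9 are illustrative assumptions, not measurements, and the questions are assumed to be independent; the retry figures assume a failed attempt simply serves a fresh set of questions with no lockout.

```python
from itertools import combinations
from math import ceil, log


def success_probability(p_correct, required):
    """Probability that at least `required` of the questions are guessed
    correctly in a single attempt.

    p_correct[i] is the attacker's chance of guessing question i right.
    Questions are treated as independent (an assumption).
    """
    n = len(p_correct)
    if required <= 0:
        return 1.0
    if required > n:
        return 0.0
    total = 0.0
    # Sum over every subset of questions that could be the ones answered right.
    for k in range(required, n + 1):
        for correct in combinations(range(n), k):
            prob = 1.0
            for i, p in enumerate(p_correct):
                prob *= p if i in correct else (1.0 - p)
            total += prob
    return total


def success_after_attempts(p_single, attempts):
    """Chance of getting in within `attempts` tries when a failed try just
    serves a fresh set of questions and nothing locks the account."""
    return 1.0 - (1.0 - p_single) ** attempts


def attempts_for_confidence(p_single, confidence=0.5):
    """Smallest number of tries that gives at least `confidence` chance of
    getting in, under the same no-lockout assumption."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if p_single >= 1.0:
        return 1
    if p_single <= 0.0:
        raise ValueError("no chance of success per attempt")
    return ceil(log(1.0 - confidence) / log(1.0 - p_single))


# Baseline: four equally plausible choices per question, all three must be right.
UNIFORM_ALL_THREE = success_probability([0.25, 0.25, 0.25], required=3)

# Same answer quality, but only two of the three answers have to be right.
UNIFORM_TWO_OF_THREE = success_probability([0.25, 0.25, 0.25], required=2)

# Assumed odds for the question sets described in the post: one ordinary car
# among three implausible ones, "none of the above" for properties owned, and a
# third question where "none of the above" is usually right. The figures
# 0.9 / 0.99 / 0.9 are illustrative assumptions, not measured values.
SPRINT_STYLE_TWO_OF_THREE = success_probability([0.9, 0.99, 0.9], required=2)


if __name__ == "__main__":
    scenarios = [
        ("uniform choices, 3 of 3 required", UNIFORM_ALL_THREE),
        ("uniform choices, 2 of 3 required", UNIFORM_TWO_OF_THREE),
        ("skewed choices, 2 of 3 required", SPRINT_STYLE_TWO_OF_THREE),
    ]
    for label, p in scenarios:
        print(f"{label}: {p:.4f} per attempt, "
              f"{success_after_attempts(p, 3):.4f} within 3 attempts, "
              f"{attempts_for_confidence(p)} attempts for a coin-flip chance")
```

Under the uniform 3-of-3 rule a blind guess succeeds about 1.6% of the time; relaxing to 2-of-3 raises that to nearly 16% per attempt, and with fresh questions on every retry five attempts give a better-than-even chance. With the skewed answer sets the first attempt alone succeeds about 99% of the time, which matches the rep's account of simply guessing into accounts.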

PREVIOUSLY: Flawed Security Lets Sprint Accounts Get Easily Hijacked

Comments


  1. midwestkel says:

    Yeah, this is ridiculous. Like I said on the other post, I already created an account months ago and it let me go through it again creating a new username and it even showed me the answer to my secret question from my previous account!

  2. TechnoDestructo says:

    Those aren’t luxury brands…THEY’RE BRANDS THAT HAVE NOT BEEN SOLD IN THE US IN DECADES.

    I think their security questionnaire was outsourced to Europe.

  3. idip says:

    While I think it’s poor security on Sprint’s part, they are not the only problem.

    As dragonfire81 says, customers have no sense or care for security themselves.

    I used to work for a major bank as a call center rep and we asked security questions before allowing the caller to ask questions about the account. Simple questions; Name, Social Security, DOB and for “High Risk” transactions, we usually asked for the address and a recent deposit (location and amount or employer for direct deposit) or a recent transaction.

    About 75% of the callers I dealt with had an amazing problem with these procedures. They could not for the life of them understand why we were asking for this information, even when we told them it was to verify their identity. They would moan and complain and cuss and do just about everything to delay the process.

    We even had people call in saying, “I’m so and so’s wife, I want to access his account”, well we had to verify with him his information before we could talk about it, and have his permission to talk to the ‘wife’, and they would get all pissed off about that.

    I just don’t understand why people in this country insist on trying to circumvent security procedures designed to protect them and their information. Why are you mad that we are trying to protect YOUR information?

    We did get a few people who would actually thank us for the security procedures we followed, but they were few and far between. The rest didn’t care if someone could call and pretend to be them and get their information with no security confirmation.

    *shakes head*

    No wonder Identity Theft is such a BIG problem in this country.

  4. lordkenyon says:

    @TechnoDestructo: Probably other issues like the fact that many families or people own multiple vehicle brands and to have two common types could lead to problems. It could (should) be fixed with a bit of work.

    This is still mind boggling. I called the only person I knew on Sprint and we tried it out and sure enough simple guesses to get in.

    (PS Not sure of any new Fiat dealers around though Lamborghini and Lotus are right up the road.)

  5. Pylon83 says:

    @TechnoDestructo:
    I’m not sure what rock you live under, but Lotus and Lamborghini are STILL available in the United States. There is a Lamborghini dealer about 10 blocks from where I type this, a Lotus dealer a little north of there. While Fiat isn’t available NEW in the US, you can certainly get used ones. While it’s an unlikely candidate for a car, it’s certainly not impossible.

  6. Weird, with my Sprint account, I can only get access when I answer the questions incorrectly. The correct answers never work. Even after gaining access, I try to change to answers to accurate ones, but when I log in again, only the wrong answers are “correct”. In the past year, I have NEVER been able to access my Sprint account using the real correct info.

  7. Nick says:

    Well, at least it looks like Sprint has disabled the identity questions option. I am now greeted with a large red exclamation point and a “Due to a systems problem, we are unable to display questions that confirm your identity at this time” message. I hope that the option was purposefully turned off to address the true problem (that the system sucks) rather than just for some routine-type maintenance.

  8. auto_exec says:

    FYI – I tried this on an account I know to be a Sprint account (with permission, of course)… I tried to register and chose “ask my questions to validate my PIN” or whatever the option was… I got:

    “Sorry!

    Due to a systems problem, we are unable to display questions that confirm your identity at this time. You can:

    - Create or Retrieve a PIN using text messaging.
    - Return later and try again.”

    Looks like they “take it seriously”… ;-D

  9. TechnoDestructo says:

    @Pylon83:

    Fiat and Peugeot have not.

  10. TechnoDestructo says:

    @TechnoDestructo:
    Also they aren’t luxury cars.

  11. leefy06 says:

    I just went to Sprint’s site and typed in a friend’s cell # and was greeted by a thing saying, “are you sure you want to access account data registered by SSN# XXX-XX-0000”, except they actually showed the last 4 digits of his SSN by just typing in his cell phone #. After asking him, I went down to the Sprint kiosk and asked to terminate the account, all he asked for were the last 4 digits of the SSN, which I had previously gotten from their site no problem. I quickly had a “change of mind” after I realized he would actually do it without even checking ID, but decided to see how far it would go and asked to update account information. He then read off to me ALL my current info: address, subscription info, the works. I’m still in shock, that I could do all that by just having their freakin cell phone number.

  12. Reader Dragonfire81 says that every question about cars has three luxury models and one typical car, making it pretty easy to guess.

    I took one look at the blurb in the first story and thought that’s what the story was about. Didn’t think the article was worth commenting on because it was such a blatant case of using a flawed premise for a security question.

  13. aztalon says:

    I just tried it with my personal Sprint account, and the system is still working with bogus questions.

  14. malcs says:

    @TechnoDestructo: I don’t know where the hell you’ve been living, if Lamborghini isn’t a luxury car to you then I’d like to see what is!!

  15. TechnoDestructo says:

    PEUGEOTS AND FIATS ARE NOT LUXURY CARS.

    (And neither are Lamborghinis, really. They’re sports cars. Very expensive sports cars.)

  16. jogr1980 says:

    You would think given the concerns about identity theft that Sprint would have responded to this thread by now. I have sent several emails to customer service about their security system, all of which have remained unanswered. I am going to call today.

    I already have an account established on Sprint.com, complete with a username and password, as well as security PIN. However, even though the account already exists, all someone needs to know to make a brand new account is my phone number, the make of my car, and my past addresses. Oh — and both address questions actually have TWO right answers, so the probability of guessing correctly is DOUBLE!

  17. gibbersome says:

    Ben, I applaud you bringing this to our attention and I’m thankful that I don’t use Sprint as my cell carrier. If Sprint does not act quickly, I think we just informed internet thieves how to make a lot of money.

  18. Looks like they took down the security questions. I hope it stays that way. Wonder what the official reason will be. New to Consumerist so this might have been answered before, but: can’t they sue you for posting stuff like this? They’ll lose, but you would be out a ton of money.

  19. tozmervo says:

    I DO use Sprint, and this is the first time in 6 years that I’ve really questioned that fact. This was just sheer stupidity on their part.

  20. heavylee-again says:

    I chuckled when dragonfire81 said that a Peugeot is a luxury car.

  21. zerj says:

    Heh,
    This problem showed up on a BoingBoing post 2+ years ago. Supposedly this Steve Parkinson

    [www.boingboing.net]

    What is really amusing is if you follow the link to Steve Parkinson’s blog, he says they were made aware of the problem and temporarily at least took down the identification service until they could fix their security. I guess that Sprint group didn’t talk to the Sprint group from above.

  22. Seth_Went_to_the_Bank says:

    I predict in a few weeks you will see exactly the same security system with a very laughable “band-aid” attached. The vendor system they’re using is used by thousands of companies – the vendor isn’t going to rebuild it because Sprint customers realize it doesn’t work.

    So they’ll add something on top of it – something not particularly strong security wise – and then you’ll see the exact same questions that you have now. This is how corporations work.

    They’ll initially try the vendor’s solution of “stronger security” but that won’t work. They’ll start getting massive amount of customer complaints that they can’t get into their accounts, even with the correct data. They’ll try to ignore it at first, but then it will become an avalanche of complaints. The reason is that the vendor system is based on credit bureau data that is notoriously inaccurate and many customers have their data mixed up with other people.

    So after awhile, the vendor will be told to dial down that security just so people can get into their accounts. In fact, this probably has already occurred once or twice with the vendor product already.

  23. mgy says:

    At the university that I work at, we use only 4 pieces of information – DOB, Address, Phone # and Last 4 of the SSN, which are almost easier to get ahold of nowadays for anyone wanting access to a student/faculty member’s account :/

  24. coopjust says:

    I know one of the credit bureaus uses this when you get free credit reports (the legit federal government site, not the annoying scam site with TV commercials). I think Experian does this.

    However, these verification questions are 1 out of 3 verification steps (5 options). I had to supplement those questions with previous credit account numbers, other more personal info, etc.

    It’s a good supplement to make it tougher for people to fraudulently make accounts. It’s not good as the only step.

    BTW, I got the same exact questions on Experian. Very easy to answer for myself or anyone that knows me. But the other verification steps would have stopped anyone else.

  25. jenl1625 says:

    Also bad – if you try to call Sprint to talk about your account, they verify your identity by asking for your ACCOUNT PASSWORD.

  26. RINO-Marty says:

    I just did a quick search on Autotrader.com for ALL Fiats and Peugeots for sale anywhere in the country, at any price, of any age, new or used (obviously, they would all be used). The search yielded a total of 1: a 1982 Fiat 124 for sale 700 miles from where I live.

    There might be a few others listed for sale on other sites, but the point clearly stands that the number of Sprint customers that own Peugeots or Fiats is vanishingly small, quite possibly zero.

    What an amazing display of incompetence. Great work, Consumerist.

  27. katekate says:

    I don’t know on what planet Fiats are luxury cars. Fix it again, Tony!

  28. katekate says:

    @jenl1625: Yeah, and even if you don’t know it, they’ll let you have access to your account with other info.

  29. econobiker says:

    @idip:

    “About 75% of the callers I dealt with had an amazing problem with these procedures. They could not for the life of them understand why we were asking for this information, even when we told them it was to verify their identity. They would moan and complain and cuss and do just about everything to delay the process.”

    idip, the problem was that most automated phone menu systems require the person to speak this info into the system prior to being connected to a live operator who then asks the same exact questions. That is why many people were tweaked about giving the information AGAIN.

    I had heard that this repetitive asking was often for voice stress analysis (truth checking) but can’t confirm that.

  30. milk says:

    @mgy: At UT you’ll get reamed so fast for even mentioning someone’s “nine-digit tax ID number.” They’ve created an ID system where you choose your own, usually a combination of letters and numbers. Over the past couple of years they started to strictly enforce it after someone got into the Business School’s records and accessed tens of thousands of SSNs. Now, once you’ve applied, it’s pretty much never spoken of again. Some people (including myself) can still see them in our accounting mainframe, though.

  31. Echodork says:

    Really? You’re going to post on the internet that essentially any person can steal any Sprint account?

    And you think this is a good idea, and will serve the customer? What’s to stop me from hacking your informant’s account right now?

  32. RINO-Marty says:

    Of course it’s a good idea – it got Sprint’s immediate attention and they shut this means of access down. You don’t think that response was in the consumer’s interest? What, it would have been better to ignore the problem and let it fester for another 6 months or a year until Sprint got sued by somebody?

  33. eirrom says:

    Glad I don’t have Sprint! Oh wait I do :(

  34. NoWin says:

    @econobiker:

    Not always the case. At my bank you call a real person in the call-center, who asks those same questions. We don’t have a voice-activated phone system. And I work in the call-center, and I agree with @idip that “most” people (be they Joe 6-pack, Jane Soap opera, Damon Doctor or Mary Executive) just do not want to share the onus of responsibility for security of their accounts.

    Yup, they bitch and moan, and when you say “hey, we don’t want you to have to call us because WE did a TJX on you,” then they often say “well, I guess it’s for my own good…”…

    *Shakes head also*

  35. TheDude06 says:

    Gutsy! Y’all could be on the hook for damages to sprint spreading information like that. nice work!

    How long did you give sprint to respond before publishing?

  36. MeOhMy says:

    Thanks to everyone who pointed out that you can get Fiats, Lambos and Peugeots in the US and that they are not actually luxury cars. Clearly this means that the verification system is secure and cannot be gamed and we can all go back to our regularly-scheduled hating Wal-Mart and Starbucks and blaming the victim.

  37. dreamcatcher2 says:

    @TheDude06: If you read the articles and comments, Sprint has been made aware of the problem multiple times and chosen to ignore it…

  38. ricopants says:

    Great. Everyone knows I have Sprint!

  39. dragonfire81 says:

    I am very flattered my comment spawned an entire post, it makes me feel good to have this info get out there so people know what Sprint is really up to.

    Here’s some more info: I noticed some of you were getting errors when trying to bring up the validation questions on Sprint.com

    I don’t think that has anything to do with the recent revelations here on Consumerist as when I still worked as a CSR, I ran into that same error multiple times when working with the website. Sprint.com is often very hit and miss that way so I highly doubt the errors you folks got were evidence that Sprint is making changes to the system.

  40. idip says:

    @econobiker:

    I suppose I can understand that at some financial institutions. However, the only thing our phone system asked for was the account number and pin number.

    About half of the time they would just hit zero to get to an operator so of course we didn’t have any information and would have to ask.

    IF, they did provide the account information and pin number then we would only ask for Name and DOB to make sure we got the correct account holder.

    Even then people would complain.

    Now, automated systems are a totally different problem. We’d have people hit “zero” because they didn’t want to listen to the automated system and hit the correct numbers. I once had a guy who hit zero, there was a wait time of 10 minutes to get to me (extremely busy day, another call center wasn’t getting any phone calls from a tech issue). I answered, he wanted to talk about a business account, I had to transfer him because I only worked with personal accounts.

    He bitched and moaned about having to wait again, *shrugs* I responded “Well sir, had you listened to the voice prompts in the Interactive Voice Response system you would have known to press 2 for Business accounts”, of course he responded with a few choice words and I transferred him,….. for another 10 minute wait.

    Those options are there for a reason, you can choose to bypass them but you make double your waiting time. Your choice.

  41. NWSPMP says:

    My response in the other thread. It’s not just setting up the online account, it works in “retrieving the PIN” for existing accounts, and as of two minutes ago, was still working.

    Scarily enough, in addition to this, fully registered accounts that are already setup in their Online System are vulnerable via “I Forgot my PIN” which asks the same damned questions.

    Mine – gave me the “which car has been registered” blah blah with the answers being “Fiat, Lancia, Ferrari, and Toyota”. And then with the “Which property do you own?” and “Which cities have you lived in?” almost always being “None of the above” and only needing TWO correct answers.

    Yep. This sealed it. Getting rid of Sprint, even though they’re the only provider with half a decent data network speed in the area.

  42. Buran says:

    @Pylon83: Fiat and Peugeot used to be available here, too, but yes, Lamborghini and Porsche definitely are still available. Porsches are fairly common in my area, especially since the coupe version of the Boxster, the Cayman, was released.

    (This isn’t a great area for convertibles since it gets too cold/hot in winter/summer so they’re not usable for much of the year — so many people passed up on the Boxster. Also, there’s no folding hardtop version and a soft-top is less secure and competitors (e.g. VW Eos) offer hard-top at soft-top price, so that may be a factor too).

    Whether they’re “luxury” or “sports car” brands is a personal opinion; I personally point more to “sports car” myself…

    Random fact: Porsche has worked very closely with VW over the years; the 928 was built by VW, and the Cayenne is a variant of the VW Touareg, as is the Audi Q7 (VW’s upmarket brand). I also think Porsche bought up much of VW’s stock; not sure if that deal has been completed or not.

  43. NWSPMP says:

    As a test, I just tried again and didn’t even look at the questions, and just answered the “All of the Above” or “None of the Above” for each, and the one time that didn’t reveal the PIN, it showed three more questions, for which that method WORKED.

  44. jogr1980 says:

    I sent Sprint an email expressing my concern about the apparent security flaw, and they just aren’t seeing the problem. I was able to access two of my coworkers’ accounts (with permission) by guessing on the questions. I’m surprised, too, that it just displays the PIN AND the answer to the security question.

    Other companies that use the same format of ID verification, i.e. the 3 questions, use it as one of many steps in the process. For Sprint, the correct answer to three easy questions gives you FULL ACCESS.

    Very scary.

  45. spinachdip says:

    @Seth_Went_to_the_Bank: If all-caps = shouting, is all-bold the equivalent of continuously pounding the table?

  46. prescott says:

    Sprint treats customers rudely and unprofessionally. Customers are canceling every day with penalties and going to competitors. Employees and managers do not take the time to resolve customer problems, lie to customers about billing and credit adjustments, deceive customers regarding 2 year commitment dates …

  47. fluffinbunni says:

    Sadly I am a Sprint customer and a few months ago, to my surprise, I received three new phones in the mail. Frightened that I would be charged for them, I checked my account online and someone had added three additional phone lines to it, all with different states’ area codes.

    I called Sprint and talked to many people and waited on hold forever. They made me talk to their fraud department and finally removed the new charges and said they would send me a package to send back the phones. I never got a package to send them back so they are still sitting here, but they did remove the charges. I had no idea how horrible their online security was; why do I have a feeling I’ll be receiving more phones soon.

  48. tme2nsb says:

    WOW – this is very easy. But now they have this:


    To enhance account protection, Sprint requires you to secure your account with a 6- to 10-digit personal identification number (PIN).
    You’ll need your PIN or the answer to your security question to access your account when calling us or visiting a Sprint retail store. This will better ensure that no one else can access your account without your authorization.
    You’ll also need your PIN the first time you register your account online at Sprint.com – although you won’t need it to sign on to your account once you’ve registered. Instead, you will use your Sprint.com username and password.
    You can easily view and modify your PIN by signing on to sprint.com and going to Settings and Passwords.
    If you forget your PIN, you can retrieve it in several ways:
    When you establish your PIN, you must select a security question and provide your own answer to it. If you forget your PIN, you can answer your security question to retrieve it.
    You can have your PIN or a PIN retrieval code sent to you via email, text message or regular mail. These preferences can be established in the Settings and Passwords area of sprint.com, or by contacting Sprint Customer Care.
    Remember to keep your PIN private. If you feel someone has gained access to your PIN without your authorization, change it immediately.

  49. Seth_Went_to_the_Bank says:

    @tme2nsb: I wish Sprint luck, but as I predicted above, it won’t last. Sprint will cave to customer complaints when people can’t remember their PINs or when CSRs rebel because all they do is take calls from customers locked out of accounts.

    Stay strong, Sprint!

  50. Seth_Went_to_the_Bank says:

    @spinachdip: It just means that if you make a mistake with HTML formatting on here, you can’t edit your post to fix it. :)

  51. NWSPMP says:

    Welp, after checking on mine today and calling them and walking an agent through the process of getting my PIN without even knowing me and answering the questions right, they locked my account. After that, I couldn’t view the questions.

    And guess what, already it’s back, and I verified it. Tried it on a co-worker’s account. Worked too…

  52. prescott says:

    Sprint is called “the big, yellow mess”.