Flawed Security Lets Sprint Accounts Get Easily Hijacked - Consumerist Comments

Flawed Security Lets Sprint Accounts Get Easily Hijacked

cdmarulz — Tue, 15 Apr 2008 23:30:32 EDT

Sprint is not the only company using the security process like the above. I called into fidelity investments and said I forgot my pin and the same questions were asked to confim my identity. Cells phones are one thing investment $ is another.

cdmarulz

Flawed Security Lets Sprint Accounts Get Easily Hijacked

lokofun — Tue, 15 Apr 2008 03:58:45 EDT

Okay .. just logged into my STBX account. DA has got a new phone but has no penny to give as spousal support. Sprint still has done nothing about this breach. I could've done some changes to DA's account but didn't feel right.

lokofun

Flawed Security Lets Sprint Accounts Get Easily Hijacked

aaronw1 — Mon, 14 Apr 2008 18:28:35 EDT

Just wanted to point out that these sorts of 'security' measures (while not perfect) aren't meant to protect you from people who are 'stalking' you or are good friends who you already know a lot of information about them... It's supposed to protect you from the person who knows nothing about you and has a stack of numbers to go through. Granted, it sounds like the implementation could use some help (more questions, better 'fake' answers), but the idea at least is an attempt.

aaronw1

Flawed Security Lets Sprint Accounts Get Easily Hijacked

prescott — Thu, 10 Apr 2008 17:48:03 EDT

For 2 days, Sprint has been upgrading their systems and sprint.com website works 50% of the time. CSR still hang up on you and are rude. Managers yell at customers and agents.

prescott

Flawed Security Lets Sprint Accounts Get Easily Hijacked

jesuismoi — Thu, 10 Apr 2008 17:17:14 EDT

You didn't redact the name on the "Welcome Back to My Sprint" screen -- signed in as "name should have been blacked out"

jesuismoi

Flawed Security Lets Sprint Accounts Get Easily Hijacked

scooterge558 — Thu, 10 Apr 2008 09:18:22 EDT

So from reading the article, if you're already registered your account online, which I (we, our family)did several years ago then it can't happen to you.

I guess the real question is, how many users haven't registered their account online? There certainly can't be too many that have no online access to their account.

scooterge558

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Ton80 — Thu, 10 Apr 2008 02:06:01 EDT

""There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer.""

There is an easy fix on most modern cellphones for this!!!

In your phone setup menu, probably buried, but be thorough through all your menu options. You will find a setting that closely matches that above quote with two settings: either global or Emergency 911 only (for USA). Set it to Emergency 911 only.
And pray and hope and check out to see if that 911 system in your area is very modern that can grab that GPS signal from your phone and if not: Raise bloody hell to your local government officials for new 911 system. It maybe your sister or brother or mother or father or friend who might need that location detection just to get the needed personnel there quickly as possible.

Ton80

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Jeff the Riffer — Wed, 09 Apr 2008 20:04:20 EDT

This is rather odd, but probably a result of the Nextel merger. I remember when i signed-up for my Sprint on-line account years ago. As part of the process, they sent me a one-time password to my cellphone. Very simple way to make sure that the person signing-on is the person in posession of the phone.

So all I can gues is when they got all excited about switching to the new platform for consumer access to their Sprint accounts, they yanked out stuff like OTP which couldn' be made to work yet....

Jeff the Riffer

Flawed Security Lets Sprint Accounts Get Easily Hijacked

NWSPMP — Wed, 09 Apr 2008 14:33:10 EDT

Scarily enough, in addition to this, fully registered accounts that are already setup in their Online System are vulnerable via "I Forgot my PIN" which asks the same damned questions.

Mine - Gave me the "which car has been registered" blah blah with the answers being "Fiat, Lancia, Ferrari, and Toyota" An then with the "Which property do you own?" and "Which cities have you lived in?" almost always being "None of the above" and only needing TWO correct answers.

Yep. This sealed it. Getting rid of Sprint, even though they're the only provider with half a decent data network speed in the area.

NWSPMP

Flawed Security Lets Sprint Accounts Get Easily Hijacked

ViperBorg — Wed, 09 Apr 2008 10:12:51 EDT

Yeah, I had this issue with them. Considering they are still doing this, I canceled my account with them. I like my money to stay with me, thank you.

Moved to another carrier, and have had no problems.

ViperBorg

Flawed Security Lets Sprint Accounts Get Easily Hijacked

yargrnhoj — Wed, 09 Apr 2008 07:43:24 EDT

Sprint isn't the only one using systems like this. I recently had a call from 'fraud prevention' from one of my credit card companies and they asked similar questions. One was which car did I have a car loan on (easy to figure out if you snooped around my house, since I only have one car). Also a list of previous addresses I lived at (again, if you know my car, you might figure this out since I have a sticker on the back from the dealer which is in another state, which was one of the choices).

yargrnhoj

Flawed Security Lets Sprint Accounts Get Easily Hijacked

bossco — Wed, 09 Apr 2008 00:48:13 EDT

I am spring customer. I noticed that this week when I logged on they reqquired me to add an authorization number that they sent to my phone, in order to complete my log on.

bossco

Flawed Security Lets Sprint Accounts Get Easily Hijacked

tkerugger — Tue, 08 Apr 2008 23:50:41 EDT

All of the above, plus...what a pain in the ass to actually sign up for account access. Now I have a username, password and a PIN to use, plus they'll send me a bunch of emails? And, frankly, what a shitty looking page once I (finally) got in...

The countdown to May 25th (Sprint contract expiration) is on...

Oh, fun. Since they've upgraded me to the new billing system, I can't pay my bill online until after my next billing cycle. So, pay a late fee then or pay a fee to pay my bill at a Sprint store? Sons of bitches!

tkerugger

Flawed Security Lets Sprint Accounts Get Easily Hijacked

coopjust — Tue, 08 Apr 2008 22:13:19 EDT

This is inane. I'm glad I'm no longer a Nextel customer (everything sucked after the merger), but this system is inanely bad. Heads should roll over this.

coopjust

Flawed Security Lets Sprint Accounts Get Easily Hijacked

cascascas — Tue, 08 Apr 2008 21:09:07 EDT

Aren't these questions based on public records? So if they're public, even if you can't guess the answers, I'm sure you can look them up...

cascascas

Flawed Security Lets Sprint Accounts Get Easily Hijacked

newfenoix — Tue, 08 Apr 2008 20:17:52 EDT

@topeka: Forbes has Sprint listed in there "Hall of Shame." I had a Sprint account from Jan of 02 until July of 07. The company went to crap after they joined with Nextel. As far as the online services; well, that was an absolute nightmare. I had several phone hardware problems, which they would not address. I had service issues which never got resolved but the final insult was when I was billed for their "media package." It was offered and I told the CSR at least 10 times that I did not want it. But I got billed for it anyway. When I dropped Sprint last year the supervisor that the CSR connected me with did everything but beg me to stay. I will never, ever use Sprint again.

newfenoix

Flawed Security Lets Sprint Accounts Get Easily Hijacked

topeka — Tue, 08 Apr 2008 19:28:50 EDT

www.sprint.com website is unavailable at least 50% of the time. When you call customer service, you get bad customer service or get hung up on/disconnected, or placed on hold forever. No one will take the time to listen to you, resolve your issues completely and correctly. Billing adjustments are temporary for one day only, then you have to call in every month to adjust the same bill. There are many managers and supervisors who will talk to you, however, they do not resolve the issues. The bad customer service agents and bad managers outnumber the good agents and supervisors. Agents are rushed to get through their phone calls and do not resolve customer's problems. Sprint customer service and management are the worst in the telecom industry.

topeka

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Seth_Went_to_the_Bank — Tue, 08 Apr 2008 19:08:39 EDT

"Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described..."

Yeah, I'm sure that's true. It's called "plausible deniability." You don't put a system in place to track something you don't want to know about, so you can say you were never aware of it.

Great job, Sprint!

Seth_Went_to_the_Bank

Flawed Security Lets Sprint Accounts Get Easily Hijacked

stephenjames716 — Tue, 08 Apr 2008 19:00:06 EDT

this does not make me feel safe....thanks sprint

stephenjames716

Flawed Security Lets Sprint Accounts Get Easily Hijacked

cde — Tue, 08 Apr 2008 18:41:31 EDT

@K-Bo: She is new. Only 4 posts since February.

cde

Flawed Security Lets Sprint Accounts Get Easily Hijacked

mach1andy — Tue, 08 Apr 2008 18:08:28 EDT

Adding insult to injury, Sprint has a typo in their GPS pitch:: ...provide superiro customer service" ... I'll say.

mach1andy

Flawed Security Lets Sprint Accounts Get Easily Hijacked

think4urself — Tue, 08 Apr 2008 17:59:32 EDT

Oh, and you can get someone's email address easy too. Not sure how helpful it can be, but you just need to have the person's cell number and type that into the online account sign on and click, forgot password. It then shows the email address the person used to activate the account..haha

think4urself

Flawed Security Lets Sprint Accounts Get Easily Hijacked

NotATool — Tue, 08 Apr 2008 17:57:21 EDT

This anti-fraud tool has been used by numerous industries, as well as the Federal Government...to successfully prevent identity theft and fraud.

Well, that just about explains everything, now doesn't it?

NotATool

Flawed Security Lets Sprint Accounts Get Easily Hijacked

TechnoDestructo — Tue, 08 Apr 2008 17:57:00 EDT

@big keytee:

They've caught on. How long until that's the new industry-standard catchphrase?

TechnoDestructo

Flawed Security Lets Sprint Accounts Get Easily Hijacked

dragonfire81 — Tue, 08 Apr 2008 17:52:32 EDT

Oops, that should say 111111...

dragonfire81

Flawed Security Lets Sprint Accounts Get Easily Hijacked

dragonfire81 — Tue, 08 Apr 2008 17:51:04 EDT

I'm a former Sprint rep, I worked with this "3 questions" system numerous times.

I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily.

In every question pertaining to cars, it was always three Luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford for example) which made them stupidly easy to guess.

In addition the "none of the above" answer for "which properties have you owned?" was correct 99% of the time.

On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won't tell you which ones were right and wrong, but you need only answer TWO of three to get access.

This new process is more trouble than it's worth if you ask me and I'd like to find the person who came up with it and give him a good punch to the head.

But don't blame Sprint for all of this, some people truly don't give a crap about the security on their accounts. When asking customers to setup a 6-digit pin number most just wanted to set it to 1111111 or 123456. Pretty secure huh?

dragonfire81

Flawed Security Lets Sprint Accounts Get Easily Hijacked

big keytee — Tue, 08 Apr 2008 17:35:22 EDT

hey wait, they did not take the matter seriously! They only said it was a "top priority."

"Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention."

big keytee

Flawed Security Lets Sprint Accounts Get Easily Hijacked

FightOnTrojans — Tue, 08 Apr 2008 17:12:40 EDT

@K-Bo: EXACTLY! I didn't want to put it in the comments either, but there it is. Thanks for the back-up, K-Bo!

FightOnTrojans

Flawed Security Lets Sprint Accounts Get Easily Hijacked

K-Bo — Tue, 08 Apr 2008 16:42:42 EDT

@pillow_fight_girl: New around here? Many commenters will hang you from the rafters for admitting something like an overdue account. I wouldn't want the fact I have an overdue account published here.

K-Bo

Flawed Security Lets Sprint Accounts Get Easily Hijacked

midwestkel — Tue, 08 Apr 2008 16:40:12 EDT

This was the email I got once I re-registered my phone

------------------------------------...-
Phone Number: **********
IMEI or SIM ID: **********

The Phone Number and IMEI/SIM ID (listed above) that you provided to us during My Sprint registration process has been registered by another Nextel subscriber.If you have not changed cell phones recently or believe you have received this message in error, please contact Customer Care at 1-800-639-6111.

Thank you.

This email has been automatically generated. Please do not reply to this message.
------------------------------------...-

midwestkel

Flawed Security Lets Sprint Accounts Get Easily Hijacked

pillow_fight_girl — Tue, 08 Apr 2008 16:27:53 EDT

@FightOnTrojans:

Oh, so what - the account is PAST DUE. Who cares?

pillow_fight_girl

Flawed Security Lets Sprint Accounts Get Easily Hijacked

unklegwar — Tue, 08 Apr 2008 16:22:26 EDT

even if you are a determined idiot, you can get in via brute force in 125 tries or less (5*5*5).

But the offered answers make it very easy to narrow down.

unklegwar

Flawed Security Lets Sprint Accounts Get Easily Hijacked

IphtashuFitz — Tue, 08 Apr 2008 16:21:06 EDT

I actually like one of the security features that Bank of America recently added to their website. When you want to log in you not only provide your account number & PIN but you have to click on a button that will send a text message containing a random 6 digit number to your cell phone. You also have to enter that number into the website to log in. The number only works once and is active for only 10 minutes. The chances of a scammer grabbing my account number, PIN, AND that text message sent to my cell phone, and logging into the site before I do is virtually non-existant.

IphtashuFitz

Flawed Security Lets Sprint Accounts Get Easily Hijacked

midwestkel — Tue, 08 Apr 2008 16:19:55 EDT

Ok, I have already registered with Sprint's online account and I just did it again doing this method. It even told me the answer to my secret question and now my other user name is gone but I have full access with the new user name. So even if someone is already registered they still can have this happen! I am shocked!!!!!

midwestkel

Flawed Security Lets Sprint Accounts Get Easily Hijacked

FightOnTrojans — Tue, 08 Apr 2008 16:13:58 EDT

@Ben Popken: Ok, but you still haven't addressed something else. At the "Welcome back to My Sprint" screen grab, under the blacked out account number in the upper left corner, there's a bit of info there that should be blacked out as it is slightly embarrassing (IMO). Look for the red triangle with the exclamation point.

FightOnTrojans

Flawed Security Lets Sprint Accounts Get Easily Hijacked

unklegwar — Tue, 08 Apr 2008 16:12:45 EDT

can we possibly hijack every sprint account in existence and cancel walkie talkie service permanently? No more "BADEEP!".

unklegwar

Flawed Security Lets Sprint Accounts Get Easily Hijacked

unklegwar — Tue, 08 Apr 2008 16:11:26 EDT

Oooh! It was "used by the federal government". Oh great!

And it says something about Katrina. I'm sure this had a hand in THAT mess of fraud as well.

unklegwar

Flawed Security Lets Sprint Accounts Get Easily Hijacked

NigerianScammer — Tue, 08 Apr 2008 15:45:41 EDT

I nearly got into someone else's account doing this, I now know their pin number and their security question.
It won't let me progress further to register their account, I guess I have to use their email and their correct last name in order to do it.

Still, it's sad that I got this far, and I totally guessed on every question.

NigerianScammer

Flawed Security Lets Sprint Accounts Get Easily Hijacked

KD17 — Tue, 08 Apr 2008 15:40:03 EDT

I can't wait to get away from sprint

KD17

Flawed Security Lets Sprint Accounts Get Easily Hijacked

opticnrv — Tue, 08 Apr 2008 15:32:53 EDT

I'm a Sprint customer.

I've just Emailed the entire marketing team of sprint highlighting this post.

If you are a Sprint customer I urge you to do the same.

Let's make sure these guys address this security hole.

You can find Marketing Emails here:
[www2.sprint.com]

I suggest sending it to all of them.

opticnrv

Flawed Security Lets Sprint Accounts Get Easily Hijacked

pengie — Tue, 08 Apr 2008 15:23:38 EDT

Wow. Good work, guys.

pengie

Flawed Security Lets Sprint Accounts Get Easily Hijacked

cde — Tue, 08 Apr 2008 15:21:01 EDT

@Joseph: They did remove it :P

cde

Flawed Security Lets Sprint Accounts Get Easily Hijacked

imsupermattt — Tue, 08 Apr 2008 15:18:55 EDT

I have already set up my online account with sprint, including the pin. However, i went to sprint.com and was able to request a new pin by answering similar verification questions. I supplied only my phone number to get to this option.

1: Which of the following properties have you NEVER owned?

All of the above is an answer. Easily cracked considering I'm 25. I'd have owned 3 different properties in order to qualify for one of the other answers (you can only pick one answer).

2: In which of the following cities have you NEVER lived or used in your address?

This one gets slightly tougher, but anyone with who knows me could answer this. It also has the All of the above answer, which means in order for one of the specific cities to be correct I'd have lived in three of the others.

3: Which of the following people have resided with you or used the same address as you at [redacted]?

If someone knew me reasonably well, they'd answer this right. If they dug through my trash, they'd answer this right. If they guessed, they'd still have a 20% chance of hacking my account.

Luckily, when I try to reset the pin I get, "Due to a systems problem, we are unable to display questions that confirm your identity at this time." So I guess I'm safe for now. None the less, that's one of the more retarded verification system's I've ever seen. Furthermore, why even leave this option available after I've already selected my pin? I entered a security question of my choosing, just stick to that one Sprint.

imsupermattt

Flawed Security Lets Sprint Accounts Get Easily Hijacked

MissTic — Tue, 08 Apr 2008 15:03:32 EDT

I' starting to think that the paranoid nutjobs who live totally off the grid are onto something! Sheesh!

MissTic

Flawed Security Lets Sprint Accounts Get Easily Hijacked

katylostherart — Tue, 08 Apr 2008 14:54:03 EDT

hey he COULD have a lotus. really. i mean i totally have a hot car like that.

*drives off in civic*

katylostherart

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Imaginary_Friend — Tue, 08 Apr 2008 14:52:24 EDT

Consumerist: 1 Sprint: Sero

Imaginary_Friend

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Anks329 — Tue, 08 Apr 2008 14:50:40 EDT

This is why I like security tokens/key fobs or whatever you want to call them. In order to log into the website, you need your user name, password, and this key fob which generates a new random 6 digit code every 30 seconds. Adds much more security to online banking and such transactions.

Anks329

Flawed Security Lets Sprint Accounts Get Easily Hijacked

mgy — Tue, 08 Apr 2008 14:37:00 EDT

I'm a Sprint customer and Gary Forsee is the president of the university I attend and work at. Do you think he still has any pull with Sprint? I'll drop by and chew him out for you.

mgy

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Ben Popken — Tue, 08 Apr 2008 14:35:19 EDT

@scoosdad: Nope, Daniels is not part of his name at all. It's just what I inputted when I set up the online account access. But thanks for playing anyway.

Ben Popken

Flawed Security Lets Sprint Accounts Get Easily Hijacked

amejr999 — Tue, 08 Apr 2008 14:30:08 EDT

T-Mobile sends a free text message to your phone with a PIN to activate the online access. That seems to make sense.

amejr999

Flawed Security Lets Sprint Accounts Get Easily Hijacked

bugout99 — Tue, 08 Apr 2008 14:24:24 EDT

just for the record... The GPS feature sends a text to the phone you're trying to locate every time you use the service.

bugout99

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Vroomtrap — Tue, 08 Apr 2008 14:22:08 EDT

@cde: Now all they need to do is take the link to the original image with the account number down too :).

Vroomtrap

Flawed Security Lets Sprint Accounts Get Easily Hijacked

rbf2000 — Tue, 08 Apr 2008 14:17:06 EDT

If only the took the issue seriously...

rbf2000

Flawed Security Lets Sprint Accounts Get Easily Hijacked

jamesdenver — Tue, 08 Apr 2008 14:13:58 EDT

I hate these questions. "What is your nephew's name." "What kind of car do you drive" (I have neither). Why can't I just type in a goddam password?

Some sites make you remember a picture of a puppy to log in, and you can't check your Chase account without registering on that computer.

hate it hate it hate it.

jamesdenver

Flawed Security Lets Sprint Accounts Get Easily Hijacked

scoosdad — Tue, 08 Apr 2008 14:13:51 EDT

@Ben Popken: Ah, Nathan Daniels! LOL

scoosdad

Flawed Security Lets Sprint Accounts Get Easily Hijacked

mikesfree — Tue, 08 Apr 2008 14:10:50 EDT

Well, interesting. But sprint sends a text message to the phone that is being tracked, so the user would have a heads up.

mikesfree

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Ben Popken — Tue, 08 Apr 2008 14:05:35 EDT

@scoosdad: Guess what, his name is Nathan, not Dan.

Ben Popken

Flawed Security Lets Sprint Accounts Get Easily Hijacked

deepsprint — Tue, 08 Apr 2008 14:05:01 EDT

Sprint is in the process of converting accounts over to a pin code system that is good security. But for the millions of accounts that are not converted yet, all you need is the last four of the customer's social security number and their name and address and you can pretty much do what you want including change of address and order phones.

deepsprint

Flawed Security Lets Sprint Accounts Get Easily Hijacked

shorty63136 — Tue, 08 Apr 2008 14:04:21 EDT

I actually just tried this for my dad's Blackberry, but it didn't work.

shorty63136

Flawed Security Lets Sprint Accounts Get Easily Hijacked

scoosdad — Tue, 08 Apr 2008 14:02:13 EDT

@FightOnTrojans: Yeah and Dan's full name appears all over those screen grabs too. No point in blacking it out on the form when it appears elsewhere on just about every screen that was shown.

scoosdad

Flawed Security Lets Sprint Accounts Get Easily Hijacked

FooKoo — Tue, 08 Apr 2008 13:59:27 EDT

It might have been more useful to see what would happen if even only one question was answered incorrectly: would that trigger the account being locked? Ben made some intelligent guesses based on previous knowledge and luck. The answer for the type of vehicle, for instance, could easily have been "None of the above." Would that incorrect answer lock the account?

FooKoo

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Bramble73 — Tue, 08 Apr 2008 13:53:13 EDT

I went through this this weekend with my Sprint account. This identification process is definately prone to error. Not only can someone pretend to be you, but some of the questions they asked me made me scratch my head. I got a similar question to the who's shared your address one above. But in my case it was which of the following hadn't shared an address with you. The answers were a misspelling of my name, the person I sold my old house too a couple of years ago, the person I had bought that house from 10 years ago, and some name I didn't recognize. Since the house I live in now has had several owners before me the unknown name could have been one of those, I wasn't sure what the "correct" answer was. None of these people had ever lived in the house with me at the same time, its just lucky I had a good enough memory to recognize names from the closing paperwork. I eventually went with the misspelling, since it wasn't one I'd seen on any mail sent to me before. And they let me in. So maybe the correct answer is always pick the misspelled name.

Bramble73

Flawed Security Lets Sprint Accounts Get Easily Hijacked

What The Geek — Tue, 08 Apr 2008 13:50:20 EDT

@FightOnTrojans: ya know what's funny? I didn't notice it the first time I read through the post either.

Sorta funny that the consumerist accidentally gave out an acct number while trying to point out a security flaw with sprint.

What The Geek

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Monty — Tue, 08 Apr 2008 13:50:11 EDT

Given the passwords people come up with, it might be easier to guess their current password on a site for someone you know. Once you have one password, you likely have all of their online passwords. So, while I appreciate the fact that Sprint is hardly making a huge barrier to breaking into an account, I am still convinced that the login/password system used on most sites is the first problem.

I have often wondered if some web developers try using the passwords users set up for their web site on other sites to see if they are one of the majority of people that use the same password on all web sites.

In any case, I hope Sprint improves their security, but I will not hold this against them. Their ridiculous customer service, on the other hand, is unforgivable.

Monty

Flawed Security Lets Sprint Accounts Get Easily Hijacked

rmz — Tue, 08 Apr 2008 13:48:06 EDT

I think that name is supposed to be "Jerry Stefl III" (as in, "The Third"), but the automatic formatting screwed it up.

rmz

Flawed Security Lets Sprint Accounts Get Easily Hijacked

Pro-Pain — Tue, 08 Apr 2008 13:46:00 EDT

I love Sprint!

Pro-Pain

Flawed Security Lets Sprint Accounts Get Easily Hijacked

FightOnTrojans — Tue, 08 Apr 2008 13:43:39 EDT

Yah, y'all forgot to black out an account number where it says "Change Billing Information."

Also, you might want to black out that red text at the beginning. I'm pretty sure Dan doesn't want that little bit of personal business broadcast out to the Consumerist community and beyond.

FightOnTrojans

Flawed Security Lets Sprint Accounts Get Easily Hijacked

GiltProto — Tue, 08 Apr 2008 13:41:15 EDT

I have a Sprint account and they have been sending out postcards for months now requesting people to activate their online accounts. Yes, even I put it off for too long... Once you establish your account you should be safe, but the people who neglect to do this for whatever reason are the ones at risk. You'd think it might make more sense for Sprint to send a temporary PIN to the phone first so that there's less ability for random people to weasel their way into an account so easily.

GiltProto

Flawed Security Lets Sprint Accounts Get Easily Hijacked

ConsumerAdvocacy1010 — Tue, 08 Apr 2008 13:38:32 EDT

This does not surprise me. That new CEO of Sprint doesn't seem to be doing anything new or useful. Sprint to this day has NO security in place.

You can open up the phone book, pick a name and address, randommly creat a SSN, and get a phone/plan via a 3rd party retailer.

You pay NOTHING upfront. The person's name you used and/or the SSN number you provided (if it's real) would then get a bill in the mail some months later.

In fact, if the SSN is invalid...they will use the name provided...and apply that SSN to the bill (provided you were EVER a Sprint/Nextel customer).

Happened to me twice. TWICE. Got a bill...told 'em it was fraud. Sprint said okay...taken care of.

Month later...another bill...with a different number.

Idiots. They let someone open an account AGAIN in my name even though it was done fraudulently a month prior.

Fraud department at Sprint is aware of this, and as of last summer...still done nothing about it.

I paid nothing and nothing was put against me on my credit report...but Sprint can still burn in hell.

ConsumerAdvocacy1010

Flawed Security Lets Sprint Accounts Get Easily Hijacked

What The Geek — Tue, 08 Apr 2008 13:25:58 EDT

well damn - that's just weak. With a little bit of social engineering, the world opens up to you in ways it just shouldn't.

You know what else is weak?
This:

[www.eggxpert.com]

I actually sent that to the consumerist earlier today, but I fear I may have gotten lost in a spam filter or something of that nature.

What The Geek