Flawed Security Lets Sprint Accounts Get Easily Hijacked

We found you can hijack a Sprint user’s account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I’ll show you we cracked into a Sprint account and just how much damage I could have done, inside…

First I needed someone to volunteer their Sprint cellphone number to test for research purposes. Intern Alex Chasick put out a request on his IM Away Message and within minutes Nathan (thanks Nathan!) offered up his number.

Next I went to a part on the Sprint website where you register for online account access. I filled out some account registration and then selected for Sprint to ask me a few questions to verify my identity so I could set up my PIN code. This is where it gets fun.

Alex is in his 20’s and lives in the Washington DC area, so I figured that our mark is too. Just knowing that, I was able to answer all the questions correctly in the first shot. Here’s what they were:sprintidentity.jpg

“Which of the following vehicle makes has been registered at the following address [redacted]?: Lotus, Honda, Lamborghini, Fiat, None of the Above.”

I figure a college kid is not going to have a Lotus, Lamborghini, or a Fiat, so I went with Honda.

“Which of the following people have resided with you or used the same address as you at [redacted]? Jerry Stefl lii, Ralph Argen, Jerome Ponicki, John Pace, None of the above.”

The extra space in Jerry’s last name caught my eye. That looks like a data entry error, like the name was probably grabbed from an actual database instead of a generated fake name. So I went with that one.

“In which of the following cities have you NEVER lived or used in your address? Longmont, North Hollywood, Genoa, Butte, All of the above.”

I’ve never heard of any of those cities being near DC, so I go with “all of the above.”

And then, open sesame, I’m in.

sprnt2.jpg

From now on, for all intents and purposes, to Sprint I am Nathan. I can see Nathan’s billing address, useful for if I wanted to conduct more identity theft. I could add services, take away services. I could order GPS tracking on his account and see exactly where he is in the world from any computer with internet access.

addonmobilelocator.jpg

I could look in his call history and see all of his calls. I could change Nathan’s billing to e-billing…

changebilldelivery.jpgchange his home address to a drop location,

changethebillingz.jpg

….order a bunch of phones…

sprintphonesale.jpg

…and have them sent to my drop location, and then sell them on eBay, leaving Nathan stuck with the bill. (Sound familiar? We posted a Sprint complaint just like this, “Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500.” In that case, the Sprint fraud department said it was “probably someone inside Sprint” who did the exact scam above I just described to you). Remember, all I knew about this guy was his cellphone number, that he was in his 20’s, and that he lived in DC. That’s it. That’s all it took to completely hijack his entire Sprint account.

When Jim reported it to Sprint, he says he, “called support (3 or 4 times. Surprisingly the last time I spoke with someone who realized the issue was a big deal, but she had no idea who to contact, and her supervisor only said to fill out a website feedback form. I then filled out a feedback form. Pretty sure that went nowhere. I then called the number you guys offer, 703-433-4401. I spoke with someone there who said they’d pass it on to the website team. They did mention they tested out the security question setting and found that nobody could guess anyone else’s information…”

Here’s a possible reason for why the hole exists. See, young people are less likely to have well developed credit histories and other public records from which to draw the possible answers for the identity verification, leading to what tipster Jim calls, “rather silly questions it’s easy to guess the answers to…The point of a PIN is to identify me as a person, not just that it’s someone who knows me.”

Making this system even weaker, the questions seem to be based on public records. All at thief has to do is know your name in addition to your phone number and search these publicly accessible records.

In the comments on this post, a former Sprint rep says it’s even worse than we thought. They say that every question about cars has three luxury models and one typical one. He says that “none of the above” for “which properties have you owned” was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.”

Before posting this material, we reported it to Sprint. After looking into it for a day, the gave this official response:

Sprint works with an established third-party vendor that handles the customer verification process noted in your email. Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you’ve described; however, we continuously seek out ways to improve customer account security and we look for information from a variety of sources. Based on the information provided by the Consumerist, we immediately escalated the issue with our vendor partner so that it can make the necessary adjustments to ensure that our customer verification process remains secure. Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.

Let’s hope that’s not just lip service and Sprint does make its upgrade their identity verification process. How could anyone design a system so poorly? I speculate that internal Sprint metrics demanded a certain amount of successful signups vs unsuccessful signups. As making the process more secure would mean more legitimate Sprint customers were turned away from creating an online account, someone was able to up their numbers by making the process less secure.

Makes you think twice about giving your number out at the bar.