Online Security: A Closer Look at a Negative Example
It may be easier than you think for someone to steal your wireless phone records. At least, that's the case if you're a Sprint wireless phone user.
Sprint makes it very easy for customers to go online to view and manage their accounts and account activity. Signing up to take advantage of that service is simple. It may be too simple.
I first read about this on Monday at The Consumerist, a blog that covers consumer gripes. As The Consumerist describes, anyone can visit the Sprint homepage and sign up as a new user. You simply enter the Sprint phone number of the account you want to register, enter the owner's first and last name and an e-mail address, and then pick a username and password. While the signup process may check that the first and last name match the account on file for that number, a user can enter any e-mail address, username and password they like (within the bounds of the password guidelines explained on the Sprint site).
Check the button next to "I am the account holder (the person who set up the account)", and then click the button beside "Ask me questions that validate my identity," hit the "continue" button, and you get to the scary part. The next page asks you to select the correct answers to three multiple choice questions. When I tried this out, it asked me:
Which of the following people have resided with you at: (one of the listed people was my wife).
Which of the following streets have you never lived on or used as your address? (one option was a misspelling of a street I previously lived on, another was my current address, and another was my most recent previous address).
In which of the following cities have you never lived or used in your address? (all were cities that are nowhere near where I currently live, so the obvious answer was D: none of the above).
This means that anyone with a basic knowledge of my history could hijack my cell phone records. They could even sign up for services in my name, such as location tracking, which allows anyone with a laptop to view my location on a map any time of day or night. An attacker could also set it up so that future bills are sent paperless to an e-mail address the bad guy controls.
Sprint's sign-up methods are frightening because the answers to the questions above are, for the most part, either easy to guess or not terribly difficult to find. In fact, there are numerous Web sites that offer this type of information for a small fee.
But wait, it gets worse. The signup process works even if you have already signed up.
I was allowed to go through this registration process even though I had already signed up to view my account online. After answering a remarkably similar set of security questions, I got this message:
"We've redesigned our account management site so the info you need most is right up front. But first, we need you to make a few changes to ensure your online profile is up to date and your sign on meets our new security requirements."
Great. What are those new security requirements? I was asked to enter my name, then to pick a new username and password. Once I had done that, the site displayed my Sprint account number (a further piece of data that just might come in handy to someone who wanted to hack into my Sprint account).
Below that was this message:
Create your account PIN
Please create a PIN and pick a security question to further protect account # xxxxxxxxx If you want to continue to make changes that affect your account -- such as adding services, buying downloads, setting up automatic bill, or more -- you need to create an account PIN.
Then, it asked me to select my "notification method." The options were to have any notices text messaged to my cell phone, or once again to "ask questions to validate my identity." If you select the latter, as I did in this test case, it displays the message:
"You will be presented questions to validate you are the person who established account (SSN XXX-XX-XXX)", but it helpfully filled in the last four digits of my Social Security number.
After clicking "Next," I was presented with more questions about my previous addresses.
Then, it asked me to create a six- to 10-digit PIN, to select a security question and answer, and to pick two methods by which I could receive a reset code if I forget my PIN.
What this shows is that not only can someone register a second online login to my account, separate from the one I set up originally, but the second signup walks that person through creating the additional security layers, the PIN and the reset codes, and so hands them the ability to completely own the account.
Sprint is hardly alone in using these types of automated authentication methods. Interestingly, Verizon also allows users to sign up to view their accounts online, but instead of displaying the last four digits of the user's Social Security number after the user answers a few lame background questions, Verizon asks the user to input those four digits before it allows the customer to register the account online. A small difference, maybe, but to my mind an important one.
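To make the two weaknesses concrete, here is a small model of the registration flow, written for this page and not taken from Sprint's or Verizon's actual systems. The first function behaves the way the post describes: it proves identity with multiple-choice questions built from address history, lets a second signup replace an existing online profile, and echoes the account number and SSN digits back to whoever passed the quiz. The second pair of functions shows the fixes a practitioner would ask for: the registrant must supply the SSN digits (the Verizon approach) rather than be shown them, an existing profile blocks a second online signup, and the proof of identity is a one-time code sent to the handset on the account, which a data broker cannot sell. The Account record, the phone number, the sample addresses, the function names and the attempt budget are all assumptions made for the example.

```python
"""Toy model of a carrier's online self-service registration flow.
Constructed for this example, not Sprint's or Verizon's code: the vulnerable
flow mirrors what the post describes, the hardened flow the fixes a
practitioner would ask for. All records, names and numbers are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    phone: str
    number: str                 # carrier account number
    first: str
    last: str
    ssn_last4: str
    prior_addresses: frozenset  # address history the KBA quiz is built from
    profile: dict = None        # online login, once one has been created

def make_sample_db():
    """Constructed sample customer record (not real data)."""
    return {"555-0100": Account("555-0100", "123456789", "Pat", "Doe", "1234",
                                frozenset({"12 Elm St", "9 Oak Ave"}))}

def hash_password(pw):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def names_match(acct, first, last):
    return (first.lower(), last.lower()) == (acct.first.lower(), acct.last.lower())

# ---- vulnerable flow: the behaviour the post describes --------------------
def register_kba(db, phone, first, last, kba_answers, username, password):
    acct = db.get(phone)
    if acct is None or not names_match(acct, first, last):
        raise PermissionError("name does not match the account on file")
    # "Ask me questions that validate my identity": the answers are address
    # history, which data brokers sell and which family or an ex already know.
    if frozenset(kba_answers) != acct.prior_addresses:
        raise PermissionError("identity questions answered incorrectly")
    # No check for an existing profile: the new login replaces the owner's.
    salt, digest = hash_password(password)
    acct.profile = {"username": username, "salt": salt, "digest": digest}
    # And the confirmation page hands the registrant more identifying data.
    return {"account_number": acct.number, "ssn_last4": acct.ssn_last4}

# ---- hardened flow ---------------------------------------------------------
CODE_ATTEMPTS = 3  # assumed budget for guessing the handset code

def begin_registration(db, handsets, phone, first, last, ssn_last4_claimed):
    """Caller supplies the SSN digits instead of being shown them, an existing
    profile blocks a second signup, and a one-time code goes to the handset."""
    acct = db.get(phone)
    # One uniform failure: do not reveal which detail was wrong.
    if (acct is None or not names_match(acct, first, last)
            or not hmac.compare_digest(ssn_last4_claimed, acct.ssn_last4)):
        raise PermissionError("could not verify registration details")
    if acct.profile is not None:
        raise PermissionError("profile already exists; sign in or call customer care")
    code = f"{secrets.randbelow(10**6):06d}"
    handsets.setdefault(phone, []).append(code)  # simulated SMS to the handset
    # Pending state would live server-side; returned here to keep the toy flat.
    return {"phone": phone, "code": code, "attempts_left": CODE_ATTEMPTS}

def complete_registration(db, pending, code_entered, username, password):
    """Only the correct handset code, within the attempt budget, creates a login."""
    if pending["attempts_left"] <= 0:
        raise PermissionError("registration expired; start again")
    pending["attempts_left"] -= 1
    if not hmac.compare_digest(code_entered, pending["code"]):
        raise PermissionError("incorrect code")
    pending["attempts_left"] = 0  # single use
    acct = db[pending["phone"]]
    salt, digest = hash_password(password)
    acct.profile = {"username": username, "salt": salt, "digest": digest}
    return {"registered": username}  # nothing about the account is echoed back

def demo():
    """Attacker knows the name and address history but not the SSN digits and
    does not hold the handset; the owner has already registered online."""
    db = make_sample_db()
    owner = db["555-0100"]
    owner.profile = {"username": "pat", "salt": b"", "digest": b""}
    leaked = register_kba(db, "555-0100", "Pat", "Doe",
                          {"12 Elm St", "9 Oak Ave"}, "attacker", "hunter2")
    hijacked = owner.profile["username"] == "attacker"
    try:
        begin_registration(db, {}, "555-0100", "Pat", "Doe", "0000")
        refused = False
    except PermissionError:
        refused = True
    fresh, handsets = make_sample_db(), {}
    pending = begin_registration(fresh, handsets, "555-0100", "Pat", "Doe", "1234")
    done = complete_registration(fresh, pending, handsets["555-0100"][-1], "pat", "s3cret")
    return {"leaked": leaked, "hijacked": hijacked,
            "attacker_refused": refused, "owner_registered": done["registered"]}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same attacker knowledge succeeding against the first flow and being refused by the second, while a legitimate owner with the handset in hand still gets through. The point of sending the code to the handset rather than asking more questions is that it binds registration to something the attacker must physically possess; a richer quiz only raises the price of the data broker lookup.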
So what gives? Sprint spokesman Matt Sullivan said the company added the extra sign-on precautions to comply with new Customer Proprietary Network Information (CPNI) rules from the Federal Communications Commission (you can read about those rules here).
Sullivan wasn't aware, however, that a new account could be created online for users who have already registered to view their accounts online. He said the company had already made changes to its security questions following The Consumerist blog postings, and that it may still make additional changes.
"We're looking at what we can do to make sure [the Sprint site is] offering adequate protections," Sullivan said. "In the past week we've made some enhancements, and some more may be forthcoming."
My advice: Don't wait around for that. Go through this rather elaborate new process to make sure that your account is at least protected with a PIN.
April 15, 2008; 6:09 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips