I found this on the web:
Sprint wireless users beware.
Identity leak with Sprint wireless
By dialling a certain phone number from any phone, and punching in the phone number of any sprint subscriber, the service will read the name and street address of the subscriber. It also can read back the names of people who might share the same address.
Does anyone else see this as a problem?
The automated service leaking this data is Sprint's international call identity verification service. I think the theory is that they want to provide extra safeguards so that people can't rack up massive fraudulent bills for international calls, so they want to really verify who you are.
In order to do this, they fall for a classic security blunder. They give you information and ask you if it's correct. Worse, it's an automated service, with no concept of what social engineering is.
The call went like this:
1-877-785-xxxx
SPRINT: Hi, welcome to Sprint's international call identity verification service
For English, say 'English'
SPRINT: To verify your identity, we will ask you some questions:
What is the phone number you want to set up international calls on.
ME: 408-xxx-xxxx
SPRINT: Is the person on the account "{NAME DELETED by Oracle}", of [house number and street name]
ME: YES (STRIKE 1)
SPRINT: Good, let me fetch your security questions....
First question:
Which of the following addresses are also associated with the account holder
1) random address one
2) random address two
3) [my current address, as just read to me above]
4) none of the above
ME: THREE
SPRINT: Correct
Second question:
Which of the following people also have lived with you at the same address:
1) random person one
2) {NAME DELETED by Oracle}
3) random person two
4) none of the above
ME: TWO [Hmm - I have a separate account with Sprint, but looks like they'd be willing to give information on my roommate? STRIKE 2!]
SPRINT: Yes. Which county do you live in:
1) San Diego
2) Santa Clara
3) Tulane
4) none of the above
ME: TWO [STRIKE 3]
SPRINT: Yes. Your account can now make international calls.
So, the two major problems are:
- this is useless as an identity checking mechanism, because the questions they ask have obvious answers
- they leak an enormous amount of personal information
At first, I figured they must be ensuring that I can only check my own phone number, but no... I verified with a co-worker that you can punch in any Sprint phone number.
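To make the design flaw in the post concrete, here is an added model (not from the post or from Sprint) of the two verification flows: a "weak" one that mirrors the transcript, where every prompt discloses the answer it then asks for, and a "hardened" one where the caller must supply the facts plus a non-public secret, nothing is echoed, and repeated failures lock the account. The account record, phone number and PIN are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Account:          # constructed sample record, not real subscriber data
    phone: str
    name: str
    address: str
    pin: str            # non-public secret known only to the subscriber
    failures: int = 0

ACCOUNTS = {"408-555-0100": Account("408-555-0100", "J. Doe", "1 Example St", "4921")}
MAX_FAILURES = 3

def weak_verify(phone, caller):
    """Leaky flow from the transcript: the IVR reads the data out, then asks about it."""
    acct = ACCOUNTS[phone]
    disclosed = [acct.name, acct.address]       # everything the IVR has said aloud
    prompt = f"Is the person on the account {acct.name}, of {acct.address}?"
    if caller(prompt, disclosed) != "yes":
        return False, disclosed
    choices = ["random address one", "random address two", acct.address, "none of the above"]
    prompt = "Which address is also associated with the account holder? " + "; ".join(choices)
    if caller(prompt, disclosed) != acct.address:
        return False, disclosed
    return True, disclosed

def hardened_verify(phone, caller):
    """Caller supplies the facts; nothing is echoed; failures are counted and capped."""
    acct = ACCOUNTS[phone]
    if acct.failures >= MAX_FAILURES:
        return False, []                        # locked out: no further guessing
    address = caller("Please say your street address.", [])
    pin = caller("Please enter your account PIN.", [])
    ok = address == acct.address and pin == acct.pin
    acct.failures = 0 if ok else acct.failures + 1
    return ok, []

def uninformed_caller(prompt, disclosed):
    """Knows only the phone number and answers purely from what the IVR already said."""
    for item in disclosed:
        if "Which" in prompt and item in prompt:
            return item                         # the option the IVR just read back
    return "yes" if prompt.startswith("Is") else ""

def subscriber_caller(prompt, disclosed):
    """The real account holder answering from memory."""
    return {"Please say your street address.": "1 Example St",
            "Please enter your account PIN.": "4921"}.get(prompt, "yes")
```

Running both flows with `uninformed_caller` shows the point of the post: the weak flow passes a caller who knows nothing but the phone number, while the hardened flow does not and leaks nothing in the process.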