Sprint Wireless identity leak!


  • Sprint Wireless identity leak!

    I found this on the web:
    Identity leak with Sprint wireless

    By dialling a certain phone number from any phone, and punching in the phone number of any Sprint subscriber, the service will read the name and street address of the subscriber. It also can read back the names of people who might share the same address.

    Does anyone else see this as a problem?

    The automated service leaking this data is Sprint's international call identity verification service. I think the theory is that they want to provide extra safeguards so that people can't rack up massive fraudulent bills for international calls, so they want to really verify who you are.

    In order to do this, they fall for a classic security blunder. They give you information and ask you if it's correct. Worse, it's an automated service, with no concept of what social engineering is.

    The call went like this:

    1-877-785-xxxx

    SPRINT: Hi, welcome to Sprint's international call identity verification service
    For English, say 'English'

    SPRINT: To verify your identity, we will ask you some questions:
    What is the phone number you want to set up international calls on?

    ME: 408-xxx-xxxx

    SPRINT: Is the person on the account "{NAME DELETED by Oracle}", of [house number and street name]

    ME: YES (STRIKE 1)

    SPRINT: Good, let me fetch your security questions....
    First question:
    Which of the following addresses are also associated with the account holder
    1) random address one
    2) random address two
    3) [my current address, as just read to me above]
    4) none of the above

    ME: THREE

    SPRINT: Correct
    Second question:
    Which of the following people also have lived with you at the same address:
    1) random person one
    2) {NAME DELETED by Oracle}
    3) random person two
    4) none of the above

    ME: TWO [Hmm - I have a separate account with sprint, but looks like they'd be
    willing to give information on my roommate? STRIKE 2!]

    SPRINT: Yes. Which county do you live in:
    1) San Diego
    2) Santa Clara
    3) Tulane
    4) none of the above

    ME: TWO [STRIKE 3]

    SPRINT: Yes. Your account can now make international calls.


    So, the two major problems are:
    - this is useless as an identity checking mechanism, because the questions they ask have obvious answers
    - they leak an enormous amount of personal information

    At first, I figured they must be ensuring that I can only check my own phone number, but no... I verified with a co-worker that you can punch in any Sprint phone number.
    Sprint wireless users beware.
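
Added example, not part of the original post: a small Python audit of the dialogue described above, flagging every step where the system itself hands the caller the answer. The `Turn` model, the finding strings and all sample values are constructed assumptions, not Sprint's actual script or data.

```python
from dataclasses import dataclass, field

@dataclass
class Turn:
    kind: str                                       # "confirm", "challenge" or "secret"
    facts: list = field(default_factory=list)       # account facts the system reads aloud
    options: list = field(default_factory=list)     # multiple-choice options (challenge)
    correct: int = -1                               # index of the right option (challenge)
    implied_by: list = field(default_factory=list)  # facts that give the answer away

def audit(turns):
    """Return (turn_index, finding) pairs for a scripted verification flow."""
    findings, disclosed, challenged = [], set(), False
    for i, t in enumerate(turns):
        if t.kind == "confirm":
            # Reading account data to a caller who has proven nothing is a leak.
            if t.facts and not challenged:
                findings.append((i, "account data read out before any challenge"))
            disclosed.update(t.facts)
        elif t.kind == "secret":
            # Caller must supply something the system never reads out (e.g. a PIN).
            challenged = True
        elif t.kind == "challenge":
            challenged = True
            if t.options[t.correct] in disclosed:
                findings.append((i, "correct answer already read to caller"))
            elif disclosed.intersection(t.implied_by):
                findings.append((i, "answer derivable from disclosed data"))
    return findings

# Constructed model of the call in the post; every value is a placeholder.
LEAKY_FLOW = [
    Turn("confirm", facts=["SUBSCRIBER NAME", "100 EXAMPLE ST"]),
    Turn("challenge", options=["1 FAKE RD", "2 FAKE AVE", "100 EXAMPLE ST", "none"], correct=2),
    Turn("challenge", options=["PERSON A", "HOUSEMATE NAME", "PERSON B", "none"], correct=1),
    Turn("challenge", options=["County A", "County B", "County C", "none"], correct=1,
         implied_by=["100 EXAMPLE ST"]),
]

# Hardened variant (assumption): caller proves a secret first, data is read only after.
HARDENED_FLOW = [
    Turn("secret"),
    Turn("confirm", facts=["SUBSCRIBER NAME", "100 EXAMPLE ST"]),
]

if __name__ == "__main__":
    for idx, finding in audit(LEAKY_FLOW):
        print(f"turn {idx}: {finding}")
```

The housemate question (turn 2) is not flagged because its answer was not read out earlier; it is still a disclosure of third-party data once the system confirms the choice, which this simple audit does not model.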

  • #2
    Oh no... I guess you could keep a trace on someone years after they move out of an area because you can "take your number with you"... not sure how I feel about this. I don't plan on doing anything wrong, however someone could assume my ID.
