A Client Name Is All You Need to Hack a Sprint Account

Security flaw still unfixed

By on April 9th, 2008 08:16 GMT
Hacking an account must be a difficult job, especially when the provider of the targeted account has implemented powerful security features, complex passwords or other measures meant to defend the system. However, the folks at Sprint, which is actually a pretty famous company, proved that all you need to hack an account is just the owner's name! And imagine that getting inside a Sprint account may allow you to buy cellphones, change the billing address or apply other major changes concerning the consumer.

The people of The Consumerist have found a simple way to get inside a Sprint account, although the security flaw was reported approximately 2 months ago by a client. "We found you can hijack a Sprint user's account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer," they wrote in the article.

The entire "hijack" was actually done using the only account registration provided by Sprint in which the company asks "a few questions to verify the user identity." What's interesting is that the answers can be easily guessed by simply knowing the owner's name or address. For instance, during the test conducted by the same source, they were asked: "In which of the following cities have you NEVER lived or used in your address? Longmont, North Hollywood, Genoa, Butte, All of the above."

Well, the owner was living in Washington DC and, since none of the locations mentioned above are near DC, the possibility of living in one of the mentioned areas is quite low. "And then, open sesame, I'm in," the author wrote.

The Sprint employees have been notified about this (apparently) security flaw but, according to The Consumerist, their response wasn't too encouraging.

"Sprint works with an established third-party vendor that handles the customer verification process noted in your email. Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described; however, we continuously seek out ways to improve customer account security and we look for information from a variety of sources. Based on the information provided by the Consumerist, we immediately escalated the issue with our vendor partner so that it can make the necessary adjustments to ensure that our customer verification process remains secure. Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention," they said.

3 Comments