![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-4863-100x100.png\")
well damn - that's just weak. With a little bit of social engineering, the world opens up to you in ways it just shouldn't.
You know what else is weak?
This:
I actually sent that to the consumerist earlier today, but I fear I may have gotten lost in a spam filter or something of that nature.
![\"user-pic\"](\"/css/images/default.gif\")
This does not surprise me. That new CEO of Sprint doesn't seem to be doing anything new or useful. Sprint to this day has NO security in place.
You can open up the phone book, pick a name and address, randommly creat a SSN, and get a phone/plan via a 3rd party retailer.
You pay NOTHING upfront. The person's name you used and/or the SSN number you provided (if it's real) would then get a bill in the mail some months later.
In fact, if the SSN is invalid...they will use the name provided...and apply that SSN to the bill (provided you were EVER a Sprint/Nextel customer).
Happened to me twice. TWICE. Got a bill...told 'em it was fraud. Sprint said okay...taken care of.
Month later...another bill...with a different number.
Idiots. They let someone open an account AGAIN in my name even though it was done fraudulently a month prior.
Fraud department at Sprint is aware of this, and as of last summer...still done nothing about it.
I paid nothing and nothing was put against me on my credit report...but Sprint can still burn in hell.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-331955-100x100.png\")
I have a Sprint account and they have been sending out postcards for months now requesting people to activate their online accounts. Yes, even I put it off for too long... Once you establish your account you should be safe, but the people who neglect to do this for whatever reason are the ones at risk. You'd think it might make more sense for Sprint to send a temporary PIN to the phone first so that there's less ability for random people to weasel their way into an account so easily.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-114775-100x100.png\")
Yah, y'all forgot to black out an account number where it says \"Change Billing Information.\"
Also, you might want to black out that red text at the beginning. I'm pretty sure Dan doesn't want that little bit of personal business broadcast out to the Consumerist community and beyond.
I love Sprint!
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-100888-100x100.png\")
I think that name is supposed to be \"Jerry Stefl III\" (as in, \"The Third\"), but the automatic formatting screwed it up.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-2207-100x100.png\")
Given the passwords people come up with, it might be easier to guess their current password on a site for someone you know. Once you have one password, you likely have all of their online passwords. So, while I appreciate the fact that Sprint is hardly making a huge barrier to breaking into an account, I am still convinced that the login/password system used on most sites is the first problem.
I have often wondered if some web developers try using the passwords users set up for their web site on other sites to see if they are one of the majority of people that use the same password on all web sites.
In any case, I hope Sprint improves their security, but I will not hold this against them. Their ridiculous customer service, on the other hand, is unforgivable.
@FightOnTrojans: ya know what's funny? I didn't notice it the first time I read through the post either.
Sorta funny that the consumerist accidentally gave out an acct number while trying to point out a security flaw with sprint.
I went through this this weekend with my Sprint account. This identification process is definately prone to error. Not only can someone pretend to be you, but some of the questions they asked me made me scratch my head. I got a similar question to the who's shared your address one above. But in my case it was which of the following hadn't shared an address with you. The answers were a misspelling of my name, the person I sold my old house too a couple of years ago, the person I had bought that house from 10 years ago, and some name I didn't recognize. Since the house I live in now has had several owners before me the unknown name could have been one of those, I wasn't sure what the \"correct\" answer was. None of these people had ever lived in the house with me at the same time, its just lucky I had a good enough memory to recognize names from the closing paperwork. I eventually went with the misspelling, since it wasn't one I'd seen on any mail sent to me before. And they let me in. So maybe the correct answer is always pick the misspelled name.
It might have been more useful to see what would happen if even only one question was answered incorrectly: would that trigger the account being locked? Ben made some intelligent guesses based on previous knowledge and luck. The answer for the type of vehicle, for instance, could easily have been \"None of the above.\" Would that incorrect answer lock the account?
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-196743-100x100.png\")
@FightOnTrojans: Yeah and Dan's full name appears all over those screen grabs too. No point in blacking it out on the form when it appears elsewhere on just about every screen that was shown.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-199488-100x100.png\")
I actually just tried this for my dad's Blackberry, but it didn't work.
Sprint is in the process of converting accounts over to a pin code system that is good security. But for the millions of accounts that are not converted yet, all you need is the last four of the customer's social security number and their name and address and you can pretty much do what you want including change of address and order phones.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-58943-100x100.png\")
Well, interesting. But sprint sends a text message to the phone that is being tracked, so the user would have a heads up.
I hate these questions. \"What is your nephew's name.\" \"What kind of car do you drive\" (I have neither). Why can't I just type in a goddam password?
Some sites make you remember a picture of a puppy to log in, and you can't check your Chase account without registering on that computer.
hate it hate it hate it.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-28670-100x100.png\")
If only the took the issue seriously...
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-104806-100x100.png\")
@cde: Now all they need to do is take the link to the original image with the account number down too :).
just for the record... The GPS feature sends a text to the phone you're trying to locate every time you use the service.
T-Mobile sends a free text message to your phone with a PIN to activate the online access. That seems to make sense.
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-1161-100x100.png\")
@scoosdad: Nope, Daniels is not part of his name at all. It's just what I inputted when I set up the online account access. But thanks for playing anyway.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-342263-100x100.png\")
I'm a Sprint customer and Gary Forsee is the president of the university I attend and work at. Do you think he still has any pull with Sprint? I'll drop by and chew him out for you.
This is why I like security tokens/key fobs or whatever you want to call them. In order to log into the website, you need your user name, password, and this key fob which generates a new random 6 digit code every 30 seconds. Adds much more security to online banking and such transactions.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-146045-100x100.png\")
Consumerist: 1 Sprint: Sero
hey he COULD have a lotus. really. i mean i totally have a hot car like that.
*drives off in civic*
I' starting to think that the paranoid nutjobs who live totally off the grid are onto something! Sheesh!
I have already set up my online account with sprint, including the pin. However, i went to sprint.com and was able to request a new pin by answering similar verification questions. I supplied only my phone number to get to this option.
1: Which of the following properties have you NEVER owned?
All of the above is an answer. Easily cracked considering I'm 25. I'd have owned 3 different properties in order to qualify for one of the other answers (you can only pick one answer).
2: In which of the following cities have you NEVER lived or used in your address?
This one gets slightly tougher, but anyone with who knows me could answer this. It also has the All of the above answer, which means in order for one of the specific cities to be correct I'd have lived in three of the others.
3: Which of the following people have resided with you or used the same address as you at [redacted]?
If someone knew me reasonably well, they'd answer this right. If they dug through my trash, they'd answer this right. If they guessed, they'd still have a 20% chance of hacking my account.
Luckily, when I try to reset the pin I get, \"Due to a systems problem, we are unable to display questions that confirm your identity at this time.\" So I guess I'm safe for now. None the less, that's one of the more retarded verification system's I've ever seen. Furthermore, why even leave this option available after I've already selected my pin? I entered a security question of my choosing, just stick to that one Sprint.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-5552-100x100.png\")
Wow. Good work, guys.
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-330312-100x100.png\")
I'm a Sprint customer.
I've just Emailed the entire marketing team of sprint highlighting this post.
If you are a Sprint customer I urge you to do the same.
Let's make sure these guys address this security hole.
You can find Marketing Emails here:
[www2.sprint.com]
I suggest sending it to all of them.
I can't wait to get away from sprint
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-325254-100x100.png\")
I nearly got into someone else's account doing this, I now know their pin number and their security question.
It won't let me progress further to register their account, I guess I have to use their email and their correct last name in order to do it.
Still, it's sad that I got this far, and I totally guessed on every question.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-137520-100x100.png\")
Oooh! It was \"used by the federal government\". Oh great!
And it says something about Katrina. I'm sure this had a hand in THAT mess of fraud as well.
can we possibly hijack every sprint account in existence and cancel walkie talkie service permanently? No more \"BADEEP!\".
@Ben Popken: Ok, but you still haven't addressed something else. At the \"Welcome back to My Sprint\" screen grab, under the blacked out account number in the upper left corner, there's a bit of info there that should be blacked out as it is slightly embarrassing (IMO). Look for the red triangle with the exclamation point.
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-298926-100x100.png\")
Ok, I have already registered with Sprint's online account and I just did it again doing this method. It even told me the answer to my secret question and now my other user name is gone but I have full access with the new user name. So even if someone is already registered they still can have this happen! I am shocked!!!!!
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-64687-100x100.png\")
I actually like one of the security features that Bank of America recently added to their website. When you want to log in you not only provide your account number & PIN but you have to click on a button that will send a text message containing a random 6 digit number to your cell phone. You also have to enter that number into the website to log in. The number only works once and is active for only 10 minutes. The chances of a scammer grabbing my account number, PIN, AND that text message sent to my cell phone, and logging into the site before I do is virtually non-existant.
even if you are a determined idiot, you can get in via brute force in 125 tries or less (5*5*5).
But the offered answers make it very easy to narrow down.
This was the email I got once I re-registered my phone
-------------------------------------
Phone Number: **********
IMEI or SIM ID: **********
The Phone Number and IMEI/SIM ID (listed above) that you provided to us during My Sprint registration process has been registered by another Nextel subscriber.If you have not changed cell phones recently or believe you have received this message in error, please contact Customer Care at 1-800-639-6111.
Thank you.
This email has been automatically generated. Please do not reply to this message.
-------------------------------------
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-93308-100x100.png\")
@pillow_fight_girl: New around here? Many commenters will hang you from the rafters for admitting something like an overdue account. I wouldn't want the fact I have an overdue account published here.
@K-Bo: EXACTLY! I didn't want to put it in the comments either, but there it is. Thanks for the back-up, K-Bo!
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-116137-100x100.png\")
hey wait, they did not take the matter seriously! They only said it was a \"top priority.\"
\"Customer privacy is a top priority and we appreciate the Consumerist bringing this matter to our attention.\"
![\"user-pic\"](\"/mt-static/support/assets_c/userpics/userpic-350350-100x100.png\")
I'm a former Sprint rep, I worked with this \"3 questions\" system numerous times.
I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily.
In every question pertaining to cars, it was always three Luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford for example) which made them stupidly easy to guess.
In addition the \"none of the above\" answer for \"which properties have you owned?\" was correct 99% of the time.
On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won't tell you which ones were right and wrong, but you need only answer TWO of three to get access.
This new process is more trouble than it's worth if you ask me and I'd like to find the person who came up with it and give him a good punch to the head.
But don't blame Sprint for all of this, some people truly don't give a crap about the security on their accounts. When asking customers to setup a 6-digit pin number most just wanted to set it to 1111111 or 123456. Pretty secure huh?
Oops, that should say 111111...
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-298363-100x100.png\")
This anti-fraud tool has been used by numerous industries, as well as the Federal Government...to successfully prevent identity theft and fraud.
Well, that just about explains everything, now doesn't it?
Oh, and you can get someone's email address easy too. Not sure how helpful it can be, but you just need to have the person's cell number and type that into the online account sign on and click, forgot password. It then shows the email address the person used to activate the account..haha
Adding insult to injury, Sprint has a typo in their GPS pitch:: ...provide superiro customer service\" ... I'll say.
this does not make me feel safe....thanks sprint
\"Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described...\"
Yeah, I'm sure that's true. It's called \"plausible deniability.\" You don't put a system in place to track something you don't want to know about, so you can say you were never aware of it.
Great job, Sprint!
www.sprint.com website is unavailable at least 50% of the time. When you call customer service, you get bad customer service or get hung up on/disconnected, or placed on hold forever. No one will take the time to listen to you, resolve your issues completely and correctly. Billing adjustments are temporary for one day only, then you have to call in every month to adjust the same bill. There are many managers and supervisors who will talk to you, however, they do not resolve the issues. The bad customer service agents and bad managers outnumber the good agents and supervisors. Agents are rushed to get through their phone calls and do not resolve customer's problems. Sprint customer service and management are the worst in the telecom industry.
@topeka: Forbes has Sprint listed in there \"Hall of Shame.\" I had a Sprint account from Jan of 02 until July of 07. The company went to crap after they joined with Nextel. As far as the online services; well, that was an absolute nightmare. I had several phone hardware problems, which they would not address. I had service issues which never got resolved but the final insult was when I was billed for their \"media package.\" It was offered and I told the CSR at least 10 times that I did not want it. But I got billed for it anyway. When I dropped Sprint last year the supervisor that the CSR connected me with did everything but beg me to stay. I will never, ever use Sprint again.
Aren't these questions based on public records? So if they're public, even if you can't guess the answers, I'm sure you can look them up...
This is inane. I'm glad I'm no longer a Nextel customer (everything sucked after the merger), but this system is inanely bad. Heads should roll over this.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-73443-100x100.png\")
All of the above, plus...what a pain in the ass to actually sign up for account access. Now I have a username, password and a PIN to use, plus they'll send me a bunch of emails? And, frankly, what a shitty looking page once I (finally) got in...
The countdown to May 25th (Sprint contract expiration) is on...
Oh, fun. Since they've upgraded me to the new billing system, I can't pay my bill online until after my next billing cycle. So, pay a late fee then or pay a fee to pay my bill at a Sprint store? Sons of bitches!
I am spring customer. I noticed that this week when I logged on they reqquired me to add an authorization number that they sent to my phone, in order to complete my log on.
Sprint isn't the only one using systems like this. I recently had a call from 'fraud prevention' from one of my credit card companies and they asked similar questions. One was which car did I have a car loan on (easy to figure out if you snooped around my house, since I only have one car). Also a list of previous addresses I lived at (again, if you know my car, you might figure this out since I have a sticker on the back from the dealer which is in another state, which was one of the choices).
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-355288-100x100.png\")
Yeah, I had this issue with them. Considering they are still doing this, I canceled my account with them. I like my money to stay with me, thank you.
Moved to another carrier, and have had no problems.
Scarily enough, in addition to this, fully registered accounts that are already setup in their Online System are vulnerable via \"I Forgot my PIN\" which asks the same damned questions.
Mine - Gave me the \"which car has been registered\" blah blah with the answers being \"Fiat, Lancia, Ferrari, and Toyota\" An then with the \"Which property do you own?\" and \"Which cities have you lived in?\" almost always being \"None of the above\" and only needing TWO correct answers.
Yep. This sealed it. Getting rid of Sprint, even though they're the only provider with half a decent data network speed in the area.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-22828-100x100.png\")
This is rather odd, but probably a result of the Nextel merger. I remember when i signed-up for my Sprint on-line account years ago. As part of the process, they sent me a one-time password to my cellphone. Very simple way to make sure that the person signing-on is the person in posession of the phone.
So all I can gues is when they got all excited about switching to the new platform for consumer access to their Sprint accounts, they yanked out stuff like OTP which couldn' be made to work yet....
\"\"There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer.\"\"
There is an easy fix on most modern cellphones for this!!!
In your phone setup menu, probably buried, but be thorough through all your menu options. You will find a setting that closely matches that above quote with two settings: either global or Emergency 911 only (for USA). Set it to Emergency 911 only.
And pray and hope and check out to see if that 911 system in your area is very modern that can grab that GPS signal from your phone and if not: Raise bloody hell to your local government officials for new 911 system. It maybe your sister or brother or mother or father or friend who might need that location detection just to get the needed personnel there quickly as possible.
So from reading the article, if you're already registered your account online, which I (we, our family)did several years ago then it can't happen to you.
I guess the real question is, how many users haven't registered their account online? There certainly can't be too many that have no online access to their account.
You didn't redact the name on the \"Welcome Back to My Sprint\" screen -- signed in as \"name should have been blacked out\"
For 2 days, Sprint has been upgrading their systems and sprint.com website works 50% of the time. CSR still hang up on you and are rude. Managers yell at customers and agents.
Just wanted to point out that these sorts of 'security' measures (while not perfect) aren't meant to protect you from people who are 'stalking' you or are good friends who you already know a lot of information about them... It's supposed to protect you from the person who knows nothing about you and has a stack of numbers to go through. Granted, it sounds like the implementation could use some help (more questions, better 'fake' answers), but the idea at least is an attempt.
Okay .. just logged into my STBX account. DA has got a new phone but has no penny to give as spousal support. Sprint still has done nothing about this breach. I could've done some changes to DA's account but didn't feel right.
Sprint is not the only company using the security process like the above. I called into fidelity investments and said I forgot my pin and the same questions were asked to confim my identity. Cells phones are one thing investment $ is another.
Wow, this is scary info!
perhaps the Sprint Corporation needs to have their own kids cell phones targeted to wake them up a bit.
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-86677-100x100.png\")
![\"user-pic\"](\"http://consumerist.com/assets_c/userpics/userpic-37033-100x100.png\")
\"Still, makes you think twice about giving your number out at the bar.\"
Then, there is a gridskipper ad below that for \"DC's Gayest Gay Bars\"
Classic!