Flawed Security Lets Sprint Accounts Get Easily Hijacked
consumerist.com — All I knew about this guy was his number, that he was in his 20's, and he lived in DC. That's all it took to completely take over his Sprint account. I could have changed his billing address and ordered a bunch of cellphones and sold them on eBay. Or, the stalker's wet dream: adding GPS tracking to his account and monitoring his every move.
- 692 diggs
- krische, on 04/09/2008, -0/+10Pretty scary stuff
- skizzy, on 04/09/2008, -0/+4His payment is past due
- ScienceDoc, on 04/09/2008, -2/+27Does anyone still use Sprint? If so, why?
- johngute, on 04/09/2008, -1/+16because of 2 year contracts
and sero is way too good of a deal to pass up
- bigdoof, on 04/09/2008, -2/+22For me, it's because of their plan. $30 for 500 minutes with 7pm nights, unlimited data and text. Unless you work for a cellular provider, there's really nothing that comes close to that.
- JasonMaloney101, on 04/09/2008, -1/+2Share how you got that please.
- iofthestorm, on 04/09/2008, -0/+5Google SERO, it's awesome. It's essentially what you would get if you did work for a cellular provider. I'm contemplating getting a SERO plan if/when they get their first Android phones.
- bigdoof, on 04/09/2008, -1/+3www.sprint.com/sero
They have a never-ending promotion going on, enter savings@sprintemi.com. I'm surprised they don't advertise this more, but I suppose it's some sort of not-so-secret sale.
- masterofshadows, on 04/09/2008, -0/+1nothing comes close to that?
How about my unlimited everything plan (voice, text, data) with no contract for $35/mo
MetroPCS here does a great job, their coverage net isn't the greatest but if you live in one of their covered cities and don't do a lot of travel they are awesome.
http://www.metropcs.com
- Jb611, on 04/09/2008, -2/+22 year contracts suck. I have been having calls that originate in my own phone and go to it. How is that possible? I was overbilled and repeatedly scammed so I filed a complaint with the Better Business Bureau. Sprint responded back and took off 1 month of overages. ....I can't wait till 13 months from now.
- bigdoof, on 04/09/2008, -1/+4...voicemail?
- djclay, on 04/09/2008, -0/+1I use Sprint because it has the best coverage for my area (Texas Panhandle, middle of nowhere) and they have the fastest network: http://www.pcmag.com/article2/0,2704,2072191,00.as ... . Been with them for 8 years, and yes there has been account mischarges and such, but they work with us on late payments and such very generously. They are probably average for any other cellular companies quality and service, but I have nothing against Sprint for problems.
That's my honest two ¢, whatever that's worth in today's dollar.
- FluentinSarcasm, on 04/09/2008, -0/+4I was unfortunate enough to work at a Best Buy in the cellular/mobile section, after a month I got signed up for the employee incentives program where you get literally everything on the Sprint network for free, plus a phone of your choice....only $20.00 per month. I quit after about 6 months working there and being the big company Best Buy is, they never update their employee records...so for two years I have had completely unlimited service with sprint for roughly $27.00 per month after taxes and insurance.
If it wasn't for that, I would never use sprint after going through all the horrific ***** that I was subjected to. Sprint doesn't even treat the people who sell their phones well. I have had repeated problems with them in the past being an employee, they don't respect their customers, their customer service is abysmal and their rates are outrageous.
- krische, on 04/09/2008, -0/+2They have reasonable prices and the best data network. That wins me over.
- TheSpook, on 04/09/2008, -0/+3Why not? I've been with sprint for ~6 years, and I've been extremely happy. 7pm N&W, VERY clear calls, reasonably priced plans... My only beef was that their phones weren't as good as the competition (Verizon, SBC), but they've gotten a lot better.
Over the years when my 2 years came up, I always shopped around to see if there was a better solution. Verizon is expensive (here) and has 9pm N&W. SBC's plan was also unimpressive in comparison. I always come back to Sprint.
Note: The last two employers I've worked for offered Sprint discounts for employees, which helped a lot in the decision. I think Sprint has that one right.
- RomeyRome, on 04/09/2008, -0/+1Their data network.
- kenplaysviola, on 04/09/2008, -0/+2$40/month = 300 minutes + GPS (Sprint TeleNav) + unlimited data (internet/e-mail) + good reception and service in my area.
- opticnrv, on 04/09/2008, -1/+9I've emailed Sprint's entire marketing team, and I urge any current customers to do the same.
- potterboy, on 04/09/2008, -1/+7Wow, almost sounds like something that would happen with Verizon.
- elosorusso, on 04/09/2008, -14/+4Which of the following would you rather breathe?
A. Oxygen
B. Hydrogen
C. Uranium
D. Jello
E. Breathe?
- Pete0430, on 04/09/2008, -1/+4D, C and B sound like amazing choices
- EwMo, on 04/09/2008, -1/+12F. What the ***** does this have to do with anything?
- elosorusso, on 04/09/2008, -0/+2The ridiculously easy to answer personal questions. Perhaps I should have prefaced with "other questions include:"
- titlesaysitall, on 04/09/2008, -0/+1Is that your final question?
- IllBeBack, on 04/09/2008, -2/+2What is meant by choice E, and why is it a question?
- Pete0430, on 04/09/2008, -0/+1I would have expected something more like the usual "What is the name of your first pet"... So who wants to mail me a new phone?
- EwMo, on 04/09/2008, -9/+1Go with The Network.
- Sunscreen, on 04/09/2008, -4/+2h4x
- eyepatch100, on 04/09/2008, -0/+9Way to expose my plans for stalking Sprint customers, *****.
- djdingo, on 04/09/2008, -0/+5Is it just me or do I remember hearing about this like a year or two ago?
If so, is it still not fixed?
- Nocturnal, on 04/09/2008, -0/+1I'm ready to cancel Sprint and go back to T-Mobile.
- badqat, on 04/09/2008, -2/+1Just because of this? I can't believe a T-Mobile customer would leave for Sprint, unless it was for SERO. How's that legendary Sprint "customer service" working out for you?
- 24imac, on 04/09/2008, -4/+1I went from Sprint, to T-Mobile, then gave up and moved to Metro PCS.
$50.00 a month, unlimited calls and text. No more BS from either Sprint (they wanted to charge me 900.00 to leave their service when I was out of contract) or from T-Mobile (who tried to charge me for service plans we did not have, and charge me for replacement phones that were damaged)
Metro PCS, best carrier I have ever had. No BS, No surcharges, just 50.00 a month and I never have to worry about minutes or text again.
- TheSpook, on 04/09/2008, -0/+6> "they wanted to charge me 900.00 to leave their service when I was out of contract"
What fantasy world do you live in?
- 24imac, on 04/09/2008, -1/+1What do you mean what fantasy, I got the ***** bill right here *****.
900.00 bill when I terminated my services with Sprint. When I finally got through all the sand ***** and got to a human, they told me it was for canceling my services with them, and they did not care that I was 4 months past my contract date.
Don't sit there and assume you know what's going on you little *****, you probably work at one of those mall cell phone kiosks don't you, ***** little ***** sucker.
- omercyme33, on 04/09/2008, -4/+6As a Sprint customer (for far too long), I can tell you that their internet ordering/payment system is plain awful.
The reason why they make it so easy to get in is because it is impossible to remember your password - not that I'm an idiot who always forgets my password - but they usually give you a random string of letters and numbers for a password which is case sensitive. So even if you write it down, you risk messing something up when you go to pay your bill a month later.
Then when you request your password, they just send you a new password (another random string of letters and numbers). Even if you remember it, they force you to change it every once in awhile. So, even if you have your pass written down somewhere, there is a good chance that you have the WRONG password written down.
Really, the only way to remember it is if you are one of those weird people who are SUPER organized... which I am not.
- Jb611, on 04/09/2008, -1/+4I chose my own password on the site. You might want to try again.
p.s. mozilla can store passwords for you if it's your own computer.
- toomuchpete, on 04/09/2008, -1/+1Be careful, of course... Sprint employees have access to your password in plain-text. Use a different password for your sprint stuff.
- theimacguy, on 04/09/2008, -0/+10Guess we should tell dan@sprint.com about this one...
- thailand1972, on 04/09/2008, -0/+2So to get into someone's account and spend their money, all I need to do is know their mobile number, then answer 3 multiple choice questions correctly? Glad to see companies take security so seriously /sarcasm
- marshaiiness, on 04/09/2008, -0/+1I totally just did this with my account
- crunshii, on 04/09/2008, -4/+1Ya sprint is doing horrible. And just keep getting worse and worse. They are doing cool ads, I will admit, but those cool ads don't make up for the HORRIBLE phone service or even customer service, and their Phone lineup sucks nuts. Their iPhone-Killer is a joke compared to the iphone.
I used to use Metro PCS, wished I could go back, but their phones suck, I wished they had a nice phone with the goodies.
- Andrewmatt, on 04/09/2008, -0/+5The above post = "I couldn't pass their credit check so I use MetroPCS"
- TheSpook, on 04/09/2008, -0/+4Hah, precisely what I was thinking.
- Clitumnus, on 04/09/2008, -0/+2Did they just disable that option? Tried with my account and it was there, now it isn't
- zeusthemoose, on 04/09/2008, -0/+1It's not compatible with firefox, try ie instead ;)
- ModernChem, on 04/09/2008, -1/+7just an fyi to sprint customers that know how much their customer service department sucks:
ask for the cancellation department every time you call about a billing discrepancy or something they messed up, and say that you will cancel service and not pay the cancellation fee because they are not holding up their end of the deal.
this tactic has my family paying 150 a month for 2100 anytime mins, unlimited data and text, and unlimited sprint to sprint.
plus now I have the email address of a manager of customer service at the cancellation dept in Sacramento. comes in handy having documentation of what they say they will bill you.
- phybere, on 04/09/2008, -1/+1I'm not sure if I believe this. The article is rather vague on how one begins this process...
I have sprint, and any forgotten username/password/etc goes through email, or is text messaged to the cell phone, like any other phone company.
- phantom_mullet, on 04/09/2008, -0/+8i wouldn't touch Sprint with a 10-foot pole, but bigdoof is on the same plan as me: SERO
1.) go to http://www.sprint.com/sero
2.) enter kevin.jones@mail.sprint.com (i made it up and just checked it, it works)
3.) ????
4.) Pay $30 a month for 500 minutes, unlimited web and text, 7PM N&W
I don't work for Sprint...I do know a good deal when I see one though...
- phybere, on 04/09/2008, -0/+3I didn't realize SERO was this popular... I wonder what percentage of sprint accounts are with SERO? They must know everyone's getting it by now.
- ModernChem, on 04/09/2008, -0/+1it's not like they don't want people to sign up under it, they are still making money
- TheSpook, on 04/09/2008, -0/+1Try it. It asks for your phone number and then confirms that it is part of the SERO offer.
- D3koy, on 04/09/2008, -0/+1Time to try and guess all my friends passwords!
- logicalnoise, on 04/09/2008, -0/+3just contacted sprint. I've been a member for 6 years and yes customer support is likely not even in this country but I asked for someone to please look into this. They said they'd escalate it so maybe their manager in india will see it. Anyways if I don't hear anything about sprint shutting down this option for logging in I'm going to have to switch providers (though sprint has been pretty good to me).
- bradsjm, on 04/09/2008, -0/+1What happened to the basic idea of sending a code to the cell phone that you have to type into the web site? At least that means you have physical possession of the device.
- phybere, on 04/09/2008, -0/+1Sprint does this, I'm not really sure how the author claims this is possible...
- e2superman, on 04/09/2008, -0/+4Contact their board of Directors and let them know how obviously flawed this is (and needs to be fixed):
Here are working email addresses for the Sprint board of directors. Should the special phone line Sprint set up for Consumerist readers (703-433-4401) somehow fail to work out or someday cease working, these represent yet a higher level to which you could escalate a long-standing complaint. We hear you can also use these addresses to submit hostile takeover bids.
Daniel.R.Hesse@sprint.com, William.G.Arendt@sprint.com, Keith.Cowan@sprint.com, Paget.L.Alves@sprint.com, John.A.Garcia@sprint.com, Chris.A.Hill@sprint.com, Len.Kennedy@sprint.com, Richard.T.C.LeFave@sprint.com, Sandra.J.Price@sprint.com, Kathryn.Walker@sprint.com, barry.west@sprint.com, bill.white@sprint.com
- zeusthemoose, on 04/09/2008, -0/+3Tried this out on a FAMILY MEMBER'S PHONE with permission. I am amazed at how easy it was. For the questions, they will ask stuff like "which of these street addresses have you not lived at" and there will be answers to select from all over the US, obviously the answer would be none of the above. Then they will ask questions like "which of these cities have you not lived in", 3 of the four answers would be from one state while the fourth is from another state; again this is simple to figure out. The third was another street question, 3 of the streets were from one state the other was from a different state. Doing this without permission would obviously be illegal, but it's really easy to do! Sprint better get on this asap.
- Khast, on 04/09/2008, -0/+1Now that the cat's out of the bag, and it is getting the digg effect... I would assume Sprint will be forced to do something quickly.
*next year same time we get a similar article on the front page, with the same security issues.
- Jay730, on 04/09/2008, -0/+1Dan Daniels?
- RomeyRome, on 04/09/2008, -0/+2Sprint's GPS tracking service sends periodic text messages to tracked phones, reminding them it's being tracked.
No wet dreams for Mr. Stalker.
- bjhanifin, on 04/09/2008, -1/+1This is a silly article. This is far better security than most websites I've seen. Just because this guy made some lucky guesses, doesn't make me worry about my account security.
- randylf, on 04/09/2008, -0/+1Forget about trying this on a family member - I just got into a buddy's account knowing nothing but his phone number. I guessed randomly at 3 sets of questions and got right in. I even sent him an SMS from his own number for good measure. You could easily do this with almost anyone.
- cl0n3x, on 04/09/2008, -0/+2Introducing the NEW Sprint Everything Plan. Comes with all the features you need like unlimited data, push-to-talk, voice, easy public access to your online account, and more!
- indymb, on 04/09/2008, -1/+2Very fine article -- will have to blog this myself! I've got AT&T and love the friends/family features and the rollover minutes. Haven't found good cellular competition yet...and my wife is always looking for the best deal...
- MorfiusX, on 04/09/2008, -0/+1This is typical unfortunately. My company does technology support. We often have to call third parties on the customer's behalf. Most of the time, the security is very lax. I called a web hosting company to get DNS records changed for one of my customers a few weeks ago. They didn't ask any question, nor did they call the customer to verify. They just willingly made the change...