Steve Parkinson (cryocone) wrote,

Identity leak with Sprint wireless

By dialling a certain phone number from any phone, and punching in the phone number of any sprint subscriber, the service will read the name and street address of the subscriber. It also can read back the names of people who might share the same address.

Does anyone else see this as a problem?

The automated service leaking this data is Sprint's international call identity verification service. I think the theory is that they want to provide extra safeguards so that people can't rack up massive fraudulent bills for international calls, so they want to really verify who you are.

In order to do this, they fall for a classic security blunder. They give you information and ask you if its correct. Worse, it's an automated service, with no concept of what social engineering is.

The call went like this:

1-XXX-XXX-XXXX
SPRINT: Hi, welcome to sprint's international call identity verification service
        For english, say 'english'

SPRINT: To verify your identity, we will ask you some questions:
        What is the phone number you want to set up international calls on.

ME:     408-xxx-xxxx

SPRINT: Is the person on the account "STEVE PARKINSON", of [house number and street name]

ME:     YES    (STRIKE 1)

SPRINT: Good, let me fetch your security questions....
        First question:
        Which of the following addresses are also associated with the account holder
        1) random address one
        2) random address two
        3) [my current address, as just read to me above]
        4) none of the above

ME:     THREE

SPRINT: Correct
        Second question:
        Which of the following people also have lived with you at the same address:
        1) random person one
        2) STEVE PARKINSON
        3) random person two
        4) none of the above

ME:     TWO    [Hmm - I have a separate account with sprint, but looks like they'd be
        willing to give information on my roommate? STRIKE 2!]

SPRINT: Yes. Which county do you live in:
        1) San Diego
        2) Santa Clara
        3) Tulane
        4) none of the above

ME:     TWO  [STRIKE 3]

SPRINT: Yes. Your account can now make international calls.


So, the two major problems are:
- this is useless as an identity checking mechanism, because the questions they ask have obvious answers
- they leak an enormous amount of personal information

At first, I figured they must be ensuring that I can only check my own phone number, but no... I verified with a co-worker that you can punch in any sprint phone number.

Update: This post was linked to from boingboing!

Update: Sorry, comments disabled due to idiocy.

One piece of sensible feedback I got:

Jason may indeed be absolutely correct that HE doesn't care that Sprint will give a name and address in exchange for a telephone number to anyone who asks, but not all people will agree. One of the numbers I gave to that Sprint voicebot was the number of a friend who is in a battered woman program. It gave her name and her current 'safehouse' address, and she WAS very concerned about that.

For myself, while there are not the safety concern, the fact that the billing address for number "X" is address "Y" is NOT public knowledge, nor should Sprint be broadcasting it to anyone who asks.

Thirdly, since this phony "security check" is for the purpose of turning on an additional high-priced service option, a more rational check needs to be made than one that GIVES a name and address and asks that you confirm it's right. Ridiculous!


Update: now on digg:

A comment there, from gaijin:

When I told my wife ( a Sprint customer) about this she called them right away. She actually got hold of a supervisor, explained that she gave her cell number out to people that she might not want to have her home number or address, and then encouraged him to call the number and input HIS cell number. He was back on the phone in two minutes totally freaked out. He said his office hadn't known about it and they would change it ASAP. We'll see.

BTW, he and my wife both logged into this website and watched as the numbers of diggs steadily increased! That fact may get more reaction than anything else.


Update:

The main comment people seem to have is that this is just like a reverse phone book/whitepages service, and that there should be no expectation of privacy because some services will give your name/address away if you give them a phone number.

That's the case for land-line phones, although most providers do have the ability to opt out of their directories.
My understanding and expectation is that cell providers do not give out this information to directory providers.
For example, go to http://whitepages.com and try a reverse phone lookup on your cellphone. For me, it just says the name of the carrier.

Update:
Great! Apparently Sprint has fixed this. Well, at least according to http://boingboing.net. And the number now gives me fast-busy. So, maybe they disabled it until they come up with a long term solution. Thanks for reacting quickly, Sprint!



free counter with statistics
Comments for this post were disabled by the author