VideoHelp Forum
  1. Member BJ_M (Join Date: Jul 2002, Location: Canada)
    BoingBoing reader Steve Parkinson has discovered a customer data security hole in the automated phone care system for Sprint Wireless.

    Here's how it works. You dial a certain toll-free Sprint customer service line (doesn't matter what number you're dialing from), then punch in the cellphone number of a Sprint Wireless subscriber (not necessarily yours). The Sprint voice-bot reads back to you the full name and street address of the accountholder associated with that number. Could be you, could be someone else.

    Steve discovered that under certain circumstances, at a later stage in the call process, this service will also read back to you the names of other residents at that same address.

    I just tried this with the phone numbers of a few willing participants. With the first Sprint accountholder's number, nothing worked. The voice-bot instructed me to call back and talk to a live human during weekday working hours. But with numbers two and three, bingo: it read back the accountholder's name and address, and leaked other personally sensitive information associated with the account.

    If you've read this far on this blog post and you're a stalker, you're stoked. But if you're a Sprint customer -- probably not.

    The Sprint blunder-number is an automated identity verification service to check international calling permissions on a Sprint account. The purpose of this automated service line appears to be: customers call this number to verify that the account should be set up with the ability to make international calls, to prevent fakesters from racking up huge fraudulent phone bills on other people's accounts.

    But the verification voice-bot first *gives out* personally sensitive data, then asks the caller to verify whether it's correct. Security experts have a word for this: "stupid." Here's a snip from Steve's notes from his call with the voice-bot (Note: it's not a verbatim transcript, but it's an accurate representation of the call flow I experienced, too):


    1-877-785-xxxx

    SPRINT: Hi, welcome to sprint's international call identity verification service.
    For english, say 'english'

    SPRINT: To verify your identity, we will ask you some questions.
    What is the phone number you want to set up international calls on.

    ME: 408-xxx-xxxx

    SPRINT: Is the person on the account "STEVE PARKINSON", of [house number and street name]?


    And Steve sums it up perfectly here:

    [T]he two major problems are:
    - this is useless as an identity checking mechanism, because the questions they ask have obvious answers
    - they leak an enormous amount of personal information

    Read the blow-by-blow here. I've contacted Sprint media spokespersons for the company's response, and will post updates here as I receive them.

    http://cryocone.livejournal.com/1131.html
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
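    A defender's sketch of the point the post makes, added here as an example that is not from the post, from Steve's notes, or from Sprint's system: the flow that reads the account holder's data back and asks for confirmation, beside a flow that makes the caller supply the answers and replies only pass or fail. The account record, phone number, messages and lockout threshold are constructed placeholders.

```python
import hmac
import re

# Constructed sample record; the number, name and address are placeholders,
# not data from the post.
ACCOUNTS = {
    "4085550100": {"name": "Jane Doe", "street": "12 Example Ave", "zip": "95110"},
}
ATTEMPTS: dict[str, int] = {}   # failed verification attempts per target number
MAX_ATTEMPTS = 3                # assumed threshold before falling back to a human agent
GENERIC_FAIL = "We could not verify your identity. Please call back during business hours."


def normalize(text: str) -> str:
    """Case-fold and collapse whitespace so spoken or typed answers compare fairly."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def same(a: str, b: str) -> bool:
    """Constant-time comparison on UTF-8 bytes (compare_digest rejects non-ASCII str)."""
    return hmac.compare_digest(normalize(a).encode(), normalize(b).encode())


def leaky_prompt(phone: str) -> str:
    """The flow the post describes: look the account up, read the name and
    address back, then ask the caller to confirm. Anyone who knows a phone
    number learns the account holder's details before proving anything."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return "We could not find that number."
    return f'Is the person on the account "{acct["name"]}", of {acct["street"]}?'


def hardened_verify(phone: str, claimed_name: str, claimed_zip: str) -> str:
    """Verification before disclosure: the caller supplies the answers, the
    system replies only pass/fail, the failure message is identical whether the
    number is unknown or the answers are wrong, and repeated failures lock the
    number to a human-assisted channel so the pass/fail oracle cannot be
    guessed through at will."""
    if ATTEMPTS.get(phone, 0) >= MAX_ATTEMPTS:
        return GENERIC_FAIL
    acct = ACCOUNTS.get(phone)
    if acct is None or not (same(claimed_name, acct["name"]) and same(claimed_zip, acct["zip"])):
        ATTEMPTS[phone] = ATTEMPTS.get(phone, 0) + 1
        return GENERIC_FAIL
    ATTEMPTS.pop(phone, None)   # successful verification clears the counter
    return "Thank you, your identity is verified."
```

    The hardened flow still confirms a correct name-and-ZIP guess, which is why the attempt counter matters: knowledge-based checks reduce what leaks, they do not eliminate it.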
  2. Member yoda313 (Join Date: Jun 2004, Location: The Animus)
    Sounds like ET could have used a service like this when he tried to "phone home"
    Donatello - The Shredder? Michelangelo - Maybe all that hardware is for making coleslaw?
  3. Member Grimey (Join Date: May 2004, Location: Canada Eh?)
    Originally Posted by yoda313
    Sounds like ET could have used a service like this when he tried to "phone home"
  4. Member Faustus (Join Date: Apr 2002, Location: Dallas, TX)
    The automated phone system actually SAYS the name of the person? Has anyone personally verified this?

    Meaning, is the person in that post you, or is it a repost?
  5. Member BJ_M (Join Date: Jul 2002, Location: Canada)
    It is a repost ... not me.

    And it has been confirmed by a lot of people (via Slashdot and other sites).
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  6. Member shelbyGT (Join Date: Oct 2003, Location: Kansas City, KS)
    Also, if you have Sprint:

    Dial *2.
    Hit 1 for English (don't know how to do this in Spanish).
    When the lady says "tell me what you'd like to do", say
    "Dropped Call Credit".

    You will then get a 50 cent credit on your account. You can do this up to 20 times a month for $10 off your bill. When I had Sprint I did this every day when I went to lunch... it works...