Verified: Sprints Security EASILY HiJacked In 60 Sec

Filed Under Geek Misc

Posted: 14 April 2008
Updated: 13 September 2008

Today while reading up on Digg I came across a very interesting article, Digg: Flawed Security Lets Sprint Accounts Get Easily Hijacked.  Of course any of these exploits make for an interesting read and I followed the link to The Consumerist.  Typically such exploits I read about require some work, time, and a lot of technical know how.  This one stood out as being extremely easy and not requiring much thought at all.  In fact it seemed way to easy to be true.  So easy that I didn’t believe the article and decided to try it out for myself.  I know large companies can get evil (Microsoft), but why would any company allow such a security risk to continue.  We’re not just talking about a huge security issue, but one that any Joe Shmoe can do.  I think that’s what makes this so bad, that ANYONE can easily do it.

Here’s the basic run down.  Sprint has an online place where account holders can go to pay bills, update account info, or even purchase things.  In order to partake, account holders must register.  Its during the registration process one can easily access accounts.  Sprint has partnered with some company that “specializes in identity theft” (obviously they suck) and provides you three security questions to verify proper identity.  So far so good, right?  Not really.  By the numbers:

  1. Questions are based off of public records:  Meaning, the answers can be found very easily.  There are plenty of online websites that offer cheap public record searches on individuals.  Think about that, why would you base security questions off information that’s freely available to the public?
     
  2. Multiple Choice: Lets just narrow done the options for everyone.  Seriously, why are multiple choice tests so loved by students? Because its easier to guess an answer when you only have 4 options as opposed to open ended questions where the answers are almost limitless.
     
  3. Easy Answers:  How can you make a multiple choice question even easier?  Give ridiculously easy answers.  In the Consumerist linked article, one of the questions asks ”which of the following cars have been registered under said address – Lotus, Honda, Lamborghini, or Fiat”.  Are you f***ing kicking me!?!?  I can count the number of Lotus and Lamborghini’s I’ve seen in my life on one hand.  And Fiats? Are they even in America? There’s definitely no U.S. page for their website.
     
  4. Only Need 2 Out of 3:  Yup thats right.  Have 1 really tough question, no problem because you only need to answer 2 easily guessable multiple choice questions based off public records.  So really that third question, its just a bonus to even further improve your chances in guessing the correct answers. Yeah!
With the Consumerist article not only saying but showing this, would you believe them? I certainly didn’t.  Fortunately I’m no longer a Sprint cell phone customer and couldn’t test it on myself.  I only knew one person who had a Sprint account and decided to test it out with their number.  Remember, I went into this thinking the article was bogus.  As the article did, I went through standard registration process (which I later learned isn’t even required.  You can just scroll to the bottom of the page), until I reached a point where Sprint asks to verify I am the said person.  Basically you click, forget pin number.  For safety concerns, lets call our test subject Abbey (my dogs name).  I’ve also changed the state and car model info because Abbey did not volunteer for this experiment.  Like I said, I didn’t even think it would work.

Now oddly, Sprint gives you three choices.  You can answer the user generated security question, have the pin texted to you, or answer identity questions.  Sprint’s description for the latter:

“Answer questions from that confirm you are the person who established this account. These questions are from a Sprint partner company that specializes in identity theft protection. They will be based upon the account holder’s personal information, address and credit history.”

Sounds impressive doesn’t it.  Keyword being here is “sounds”.  The three questions I was asked were the following:

  1. Which of the following vehicle models has been registered at the following address [Said Address]?
     
  2. Which of the following people have NEVER resided with you or shared the same address as you?
     
  3. In which of the following cities have you NEVER lived or used in your address?

First thought that comes to mind, Sprint has access to this information? Oh yeah its public records stuff.  But it only took 1 second (if that) to load.  Is it that easy to search for?  Or do they pre-assemble this information upon becoming a customer?  Either way, its a pretty scary thought.

Second thought that comes to mind, the “Said Address” was supplied freely.  Up until this point, I didn’t have to guess any answers or go through any security check points.  So I established with only a phone number, I can get a current address.  Worse, when I plugged the “Said Address” into Google Maps, it dropped me right on top of Abbey’s house.  I tested this out with other addresses and apparently Google can land you with great accuracy to the intended addressee even if you leave out the city and state.

The only question I knew for sure was #1.  Abbey only drove a Saturn and only one of the answers was a Saturn model number.  Had I not known, they already provided the correct address so I could go to her house and find out. #3 was another obvious question.  Abbey lives in PA and all the addresses given were from PA except one.  That one exception was some bumble fuck town on the other side of the country.  How many people come from towns of 200?  Exactly, my obvious answer.  #2 was my non-obvious question and gave a random answer.

I clicked submit and BOOM!  Full access.  It literally had only taken me 60 seconds.  The first screen shown gave Abbey’s account number, plus reminded me what the answer to her security question was.  How thoughtful. Once in, I could have totally made Abbey’s life a living nightmare.  Track history of calls, full access to billing information, make some store purchases online, and even enable GPS tracking.  What’s worse, what proof is there that I even got in?  What proof will show that anything I charge or change was done by anyone other then Abbey?

I was so freaked out I immediately told Abbey.  Of course Abbey was upset with me (who wouldn’t) and I tried to explain.  I’m a computer guru and I’m sure Abbey initially thought I did some computer mastery hack to break Sprint’s security system.  Far from the truth.  A quote direct from the Consumerist article:

“The point of a PIN is to identify me as a person, not just that it’s someone who knows me.”

I couldn’t have said it better.  A pin number is even better then the user generated security.  Though both are still better then this new form of identification.  Simply knowing a little about someone is all it takes.  At least the user generated question requires a case sensitive typed answer.  No multiple choice.  Apparently Sprint knows about this little security failure.  The consumerist has repetitively told them about but it and seems Sprint doesn’t want to do anything.  Even claiming the system is not easy to break.  I’m sure Sprint channeled a lot of money into getting that system up and going.  Last thing they want to do is terminate it.  The consumerist posted to help raise awareness and get Sprint to action.  I’m reposting to help with that effort.  Ironically Abbey’s account was hacked a year ago and several thousands dollars was charged to it.  I wouldn’t be surprised if the method they used was this one.




This post currently has 2 Comments

Tags: , , , , ,

The Nerd Test

Filed Under Geek Misc

Posted: 26 January 2008
Updated: 13 September 2008


NerdTests.com says I'm a Kinda Dorky High Nerd. What are you? Click here!

Was a little bored and thought I’d try this test I saw on Jess’s blog.  Interestingly, I have a nice decline as you move down the chart.  Was hoping my Computer/Tech would be highest.  Oh well.




This post currently has 8 Comments

Tags: , ,

Installing XP on a Mac

Filed Under Geek Misc

Posted: 21 January 2008
Updated: 14 September 2008

Despite how much I love my new MacBook Pro, I am forced to install XP. Why? Because I’ve spent over a decade of my life hiding away from the world playing video games. One can’t possibly throw away all the games I’ve collected. Initially I thought dual booting XP with OS X was gonna be a daunting process, however I soon discovered that Apple freely gives you the software necessary to do it. Amazing! And just like everything Apple does, the entire processes was incredibly easy.

You run Boot Camp, follow a few instructions, boot off the XP CD and install as one normally does windows. Upon completion, install Boot Camp on XP, it installs some additional drivers and BOOM! Your done…Kinda (as far as Apple’s part). Because I still wanted to access my window’s partition, I choose to stick with FAT32. As such, I was restricted to a maximum size of 32 gigs. Originally, I thought it would be enough, but after installing some of my larger games I soon realized it wasn’t. That aside, the whole processes was painless from Apple’s perspective.

Frustrations arrived with XP. Its incredible how much extra shit one must do to get XP running at full speed. The following transpired after Apple finished its tidbit with Microsoft:

  1. Installed and updated drivers for my Sprint Mobile Broadband.
  2. Downloaded, installed, and updated Zone Alarm -> Firewall.
  3. Downloaded, installed, and updated AVG Anti-Virus.
  4. Downloaded and installed over 100 updates for XP itself! This required 5 restarts and involved one crash. A FUCKING CRASH!?!?!?!
  5. Un-installed all the useless advertising programs bundled with.
  6. Downloaded, installed, and updated Ad-Aware -> Anti-Spyware.
  7. Downloaded and installed Adobe Reader -> For PDFs.
  8. Downloaded and installed Adobe Shockwave Player -> Flash player
  9. Downloaded and installed Java. -> For playing Java, not programming.
  10. Downloaded and installed Crap Cleaner -> Cleans up…”crap”.

By far, Windows Update was the worse. The shear amount of updates took forever. I’d run Windows Update, then find, download, and install everything.  I would then be required to restart.  Afterwards, I’d go back to Windows Update again and repeat the whole process. WTF? I couldn’t get all the updates at once? I had to download updates for updates? And in the middle of that whole process a crash occurred. I mean…come on! Its a fresh install!

There’s only one thing up there that I had to do with OS X and that was run the update software. Of course OS X had what…5 updates? That’s nothing compared to the 100 some. Sure you could say I had an outdated version of XP. Granted its a year old, however why couldn’t I have gotten all the updates in one go? The only other thing up there which I should probably do is get an equivalent “Crap Cleaner” program for OS X. BTW, Crap Cleaner is the real name of that program. Very handy tool.

I’ve had to re-install Windows so many times, that the above scenario is pretty much second nature to me. I’ve always accepted it as shit that needs to be done. Oh how this MacBook will spoil me. Well, enough said about that. All in all, my XP partition is running great. I haven’t had a chance to play a game on it yet seeing that I spent all day completing the install. Since I’ve never owned a computer with such great specs, I’m know I’m gonna be blown away by the graphics.




This post currently has 4 Comments

Tags: , , , , , ,

My New Laptop…errr…MacBook

Filed Under Geek Misc

Posted: 18 January 2008
Updated: 13 September 2008

My lack of computer and lack of internet access has really weighed down on me. I found myself spending days just a click away from buying an EEE PC. Ultimately my sense came to me. I will buy one but not until the new models come in April. Anyhow, the more I was without a computer, the more I realized how much I hated that fracking Tablet of mine.

Yesterday in class, Ryan was pointing out all the great features of his MacBook Pro and in effect making me very jealous. I began wishing I had a MacBook. I’ve always wanted one but could never afford one, but then the strangest thing occurred. One, I remembered I had just received a 2500 credit limit increase. Then two, at the end of class Brian asked if anyone wanted to go to the Apple Store with him. That was all it took. Within 3 hours, Brian bought himself an iPhone and I a MacBook Pro.

There was a slight fiasco where Apple registered my card as being denied despite the charge actually going through. It took an hour for Apple to figure out the whole mess. Since then, I have been BLOWN AWAY by this MacBook Pro. I could go own for pages about all the great, cool things this thing does right. Most of all, its all the little things that make the difference.

Its ultra quiet with no fan exhausts on the bottom. In fact, I can’t even tell if it has any fans (though I’m sure it does). I’m also able to keep it on my lap without worry of burning my legs or restricting airflow. The touchpad is amazing. Double tap two fingers and you do a right click. Drag two fingers and you scroll up/down or left/right. As the sun light changes with the cloudy sky, my screen brightness automatically adjusts as well as the keyboard lighting. Boot up is about 30 to 60 seconds. Blazing fast compared to my 10 minutes on the Tablet. Probably helps that I don’t have to install all the security software needed in XP.

In all, I should have switched to a Mac ages ago. I plan to get XP setup on the MacBook though. I believe my AllTunes will only work in windows environment. Also, many of the games I have will only work in XP as well. Since I have a dual core, I’ve been told I can either run XP in parallel or just dual boot. Will need research the differences and which I plan on using. So what’s the fate of my old Tablet? Sell it of course, and help offset the MacBook purchase.




This post currently has 1 Comment

Tags: , , , , , , , , , ,

Not Active