Security blunder: Sprint Wireless leaks customer data

UPDATE (1PM PST, 7/10/06): Sprint has responded, and the security vulnerability outlined in this post has been addressed: Link.

BoingBoing reader Steve Parkinson has discovered a customer data security hole in the automated phone care system for Sprint Wireless.

Here's how it works. You dial a certain toll-free Sprint customer service line (doesn't matter what number you're dialing from), then punch in the cellphone number of a Sprint Wireless subscriber (not necessarily yours). The Sprint voice-bot reads back to you the full name and street address of the accountholder associated with that number. Could be you, could be someone else.

Steve discovered that under certain circumstances, at a later stage in the call process, this service will also read read back to you the names of other residents at that same address.

I just tried this with the phone numbers of a few willing participants. With the first Sprint accountholder's number, nothing worked. The voice-bot instructed me to call back and talk to a live human during weekday working hours. But with numbers two and three, bingo: it read back the accountholder's name and address, and leaked other personally sensitive information associated with the account.

If you've read this far on this blog post and you're a stalker, you're stoked. But if you're a Sprint customer — probably not.

The Sprint blunder-number is an automated identify verification service to check international calling permissions on a Sprint account. The purpose of this automated service line appears to be: customers call this number to verify that the account should be set up with the ability to make international calls, to prevent fakesters from racking up huge fraudulent phone bills on other people's accounts.

But the verification voice-bot first *gives out* personal data, then asks the caller to verify whether it's correct. Security experts have a word for this: "stupid." Here's a snip from Steve's notes from his call with the voice-bot (Note: it's not a verbatim transcript, but it's an accurate representation of the call flow I experienced, too):


SPRINT: Hi, welcome to sprint's international call identity verification service.
For english, say 'english'

SPRINT: To verify your identity, we will ask you some questions.
What is the phone number you want to set up international calls on.

ME: 408-xxx-xxxx

SPRINT: Is the person on the account "STEVE PARKINSON", of [house number and street name]?

And when Steve says "yes," the automated system proceeds to surrender more personal data, then ask him if it's his. On his blog, he sums the blunder perfectly here:

[T]he two major problems are:
– this is useless as an identity checking mechanism, because the questions they ask have obvious answers
– they leak an enormous amount of personal information

Read the blow-by-blow here. I've contacted Sprint media spokespersons for the company's response, and will post updates here as I receive them. A Sprint spokesperson says, "Thanks for raising this to our attention. We are looking into it very seriously and hope to be able to get back to you by Monday."