Update: Sprint automated phone line leaks customer data

UPDATE (1PM PST, 7/10/06): Sprint has responded, and the security vulnerability outlined in this post has been addressed: Link.

On Friday, I posted word from BoingBoing reader Steve Parkinson that an automated Sprint Wireless phone system leaks customer data in the course of a poorly-designed process to authorize international calling (Link to BB post).

Here's what happens: You call a toll-free Sprint Wireless customer service number, then punch in a cell number (maybe yours, maybe a battered wife you're stalking). The voice-bot asks if you're [first name/last name] associated with the account. If you say "yes," the voice-bot then surrenders more of the accountholder's personal data including home address, and asks you to say "yes" or "no" to each piece of data. As Steve said,

[T]he two major problems are:

– this is useless as an identity checking mechanism, because the questions they ask have obvious answers
– they leak an enormous amount of personal information.

I contacted spokespersons for Sprint/Nextel, and they replied:

Thanks for raising this to our attention. We are looking into it very seriously and hope to be able to get back to you by Monday.

Some might argue this is no big deal: no different than a reverse phone directory service, and Sprint's wireless customers shouldn't expect the address associated with their cellphone to remain undisclosed. Well, three things:

(1) Landline providers allow you to opt out of those directories.
(2) Cell customers don't expect their cellphone numbers and associated home addresses to show up in public directories.
(3) While the Sprint security issue doesn't leak SSNs or credit card numbers, it appears that in certain circumstances, the system surrenders other sensitive data like the names of other people who live with you. And a digg user commenting on this story wrote:

After I passed the test, second time, it said I am now authorized for international calling. It gave another number to call if it wasn't in effect within two hours. (888 [redacted]) When I called THAT NUMBER, and entered my cell phone number (it could have been ANYBODY'S number)….it first told me how much is currently owed on my account…SO they ARE giving away THAT information, for ANY number you put in.

The commenter is correct. I just tried that with several volunteers' numbers, and I now know exactly how much they owe Sprint on their cellphone bills. The system did not ask me for any identifying information at all before saying, "Just so you know, your account balance is $XX.XX," and informing me of the due status. All I had to punch in was the cell number. And a commenter on Steve's blog says:

[Name of another commenter] may indeed be absolutely correct that HE doesn't care that Sprint will give a name and address in exchange for a telephone number to anyone who asks, but not all people will agree. One of the numbers I gave to that Sprint voicebot was the number of a friend who is in a battered woman program. It gave her name and her current 'safehouse' address, and she WAS very concerned about that.

For myself, while there is not the safety concern, the fact that the billing address for number "X" is address "Y" is NOT public knowledge, nor should Sprint be broadcasting it to anyone who asks.

Thirdly, since this phony "security check" is for the purpose of turning on an additional high-priced service option, a more rational check needs to be made than one that GIVES a name and address and asks that you confirm it's right. Ridiculous!

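The difference between a check that reads account data out for confirmation and one that makes the caller supply something, modeled as an added example (not from the original post and not Sprint's code). The account record, the PIN field and the three-try lockout are assumptions made for illustration.

```python
import hmac

# Constructed sample account; every value here is made up for the example.
ACCOUNTS = {
    "5550100": {"name": "Pat Example", "address": "1 Sample St", "pin": "8301"},
}
MAX_TRIES = 3  # assumed lockout threshold


def confirm_flow(number, answers):
    """Flow as the post describes it: speak each field, accept a 'yes'.

    Returns (authorized, data_spoken_to_caller).
    """
    acct = ACCOUNTS.get(number)
    heard = []
    if acct is None:
        return False, heard
    for field in ("name", "address"):
        heard.append(acct[field])  # disclosed before the caller proves anything
        if next(answers, "no") != "yes":
            return False, heard    # a failed check has still leaked data
    return True, heard


def challenge_flow(number, spoken_pin, attempts):
    """Hypothetical alternative: the caller supplies a secret, the prompts
    carry no account data, and repeated failures lock the number out.

    Returns (authorized, data_spoken_to_caller).
    """
    acct = ACCOUNTS.get(number)
    tries = attempts.get(number, 0)
    if tries >= MAX_TRIES:
        return False, []
    # Unknown numbers are compared against a dummy value, so the response
    # does not reveal whether the number belongs to a customer.
    expected = acct["pin"] if acct else "\0\0\0\0"
    match = hmac.compare_digest(spoken_pin.encode(), expected.encode())
    ok = match and acct is not None
    attempts[number] = 0 if ok else tries + 1
    return ok, []


if __name__ == "__main__":
    # A caller who knows only the phone number:
    print(confirm_flow("5550100", iter(["yes", "yes"])))
    print(challenge_flow("5550100", "0000", {}))
```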