Shostack + Friends Blog Archive


Sprint "Security"

So the other day, I called up Sprint, my illustrious cell phone provider, to make some changes to my service plan. The very nice agent asked me to identify myself with either the last 4 digits of my SSN or my password. Now, I’ve never set up a password for use over the phone, and I said to myself (self I said), “They couldn’t possibly mean the password I use on their website,” so I told the agent the last 4 digits of my SSN. He then proceeded to actually tell me the password that I had set on their website. So remember, folks: if you ever want more information on a Sprint customer, all you need is their cell phone number and the last four digits of their SSN. Sprint will helpfully provide your password in return. Oh, and you don’t even need to forge caller ID, since they don’t seem to care what number you call from.
[Edit: fixed broken link to SSN-Finder, thanks Tim]

4 comments on "Sprint "Security""

  • Roy says:

    Sprint hasn’t changed at all. Back in about 1993, I traded changing my long distance provider (on the modem line, where I never made outgoing calls… heh, heh) for a fax modem (worth about $100 on the street at the time). The friendly Sprint rep asked if I wanted a calling card (“It’s free!”) and I said “sure.” The card arrived, and it had my PIN not only printed, but embossed on it.
    I called immediately, and eventually was told that “most of our customers prefer it that way.” The rep suggested (and I am not making this up) that I memorize the PIN and leave the card at home. I said that would make it tough to use the magstripe in card-accepting phones, and was told “most of those phone card readers don’t work anyway.”
    So I followed the instructions and left the card home. Three weeks later, my apartment was burglarized. The thief took my stereo, my CDs and… my Sprint calling card.
    Again I called Sprint, to have the card cancelled (and fortunately it hadn’t been used yet). I told this representative what the previous one had suggested. The rep failed to appreciate the irony.

  • David Brodbeck says:

    Sprint uses the last four digits of your SSN as a default password, too.
    I think the real problem with SSNs isn’t so much that they’re used for identification — that was inevitable. The problem comes when they’re used for *authentication* — as a secret code to prove you’re you. These are incompatible uses, and the authentication function is the more dangerous of the two. Yet Sprint and dozens of other companies still use them this way.
    I will say this for Sprint — they default to requiring a PIN to access voice mail, even when you call from your own phone. When I was with T-Mobile, they defaulted to not requiring it, which became a bad idea when caller ID became easier to spoof.

  • Adam says:

    Hey, at least T-Mobile only defaults to not requiring a PIN. I can’t figure out how to get Cingular to let me add one to my account. Now y’all stop listening to my voice mail, or I’ll say stop again!

  • Tim says:

    Your SSL link is broken.
