Friday, April 11, 2008

Identity Theft: Flawed Security Lets Sprint Accounts Get Easily Hijacked

So, my friend Jason Willey sent this one to me today - wow! Here is yet another example of why a Q&A-based password reset is a poor choice, regardless of how many security questions you can choose from.

We found you can hijack a Sprint user's account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There's also the stalker's wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I'll show you how we cracked into a Sprint account and just how much damage I could have done, inside...

As a Sprint customer, former employee, and stockholder, I can say this is pretty disappointing and, unfortunately, becoming typical. The law of diminishing returns prevails here - in the quest for both higher security and ease of use, the result can be a solution that is less secure overall.

And just something to note because it's ultra-cool - Jason is the basis for one of the characters in the comic book adaptation of "24".


1 comment:

Jason Willey said...

I guess the people that came up with that "self service" solution didn't take into account that a college kid might not drive a luxury car. Maybe their office is in Scottsdale. Hehe

And not only am I in the 24: Cold Warriors book... I actually lived through the whole story :)
