Dumb Sprint 'Security' Questions Make It Easier To Hijack Accounts
from the with-security-like-that... dept
In the last year or so, there's been a disturbing trend of companies adding absolutely ridiculous and counterproductive "security" questions to their sites. Most of these do nothing good for security. In fact, it seems the more ridiculous these features are, the less secure a site actually is. I've been collecting examples of the more bizarre "security" features I've seen lately, and the really ridiculous "security questions" are quite popular. This is when the site gives you a bunch of questions to choose from, but often those questions are not the sort that have a single answer, or an answer that's easily memorable. For example, I just saw one that asked "What's a place you'd like to visit someday?" Well, there are a few, and I doubt I could remember the one I picked. And what happens if I do visit that place before the next time I need to answer that question?

I was recently discussing this with a colleague who told me that if I wanted to see the most ridiculous example, I should look at Sprint's system, which had a bunch of security questions built from information it had pulled about you. Before I had a chance to check it out, the folks over at Consumerist took on Sprint, and discovered not just how ridiculous the questions are but also patterns that make it quite easy to get control of any Sprint user's account.
The way it works is that Sprint asks you a series of "security" questions that it thinks only you would know the answer to, such as "what type of car has been registered at your address?" and "which of the following people has lived at your address?" It sounds like some data collection company convinced Sprint to purchase access to its data to set up these questions in the name of "security." The first problem is that if you know just a little about a person, you can easily guess the answers. Even worse, a former Sprint employee notes that the wrong options are chosen to be clearly wrong (mostly to avoid "accidentally" offering two right answers), so the real answer is usually easy to pick out without knowing anything about the target at all. For example, on the automobile question, the incorrect answers are usually expensive luxury vehicles.
This isn't "security." It's barely security theater. It's a huge security hole. Hopefully with a little attention Sprint gets rid of it and puts something more reasonable in place. I just hope it doesn't involve asking me where I hope to travel some day.
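To put a number on the "luxury distractor" problem, here is an added example (not Sprint's question generator, which is not public, and not from the Consumerist piece). It builds multiple-choice car questions two ways, the way the post describes (wrong options drawn from a luxury tier the customer's real car is not in) and a fixed way (wrong options drawn from the same price tier as the real car), and then measures how often an attacker who simply picks the cheapest option gets it right. The vehicle list and price tiers are constructed for the example.

```python
"""Added example, not Sprint's code: how much a 'which car is registered at
your address' question is worth when the wrong options come from a
different population than the right one. All vehicle data is constructed.
"""
import random

# Constructed pool: model -> rough price tier (1 economy, 2 mid-range, 3 luxury).
VEHICLES = {
    "Honda Civic": 1, "Toyota Corolla": 1, "Ford Focus": 1, "Hyundai Elantra": 1, "Kia Rio": 1,
    "Toyota Camry": 2, "Honda Accord": 2, "Subaru Outback": 2, "Ford F-150": 2, "Nissan Altima": 2,
    "BMW 7 Series": 3, "Mercedes S-Class": 3, "Porsche Cayenne": 3, "Lexus LS": 3, "Audi A8": 3,
}


def _others_in_tier(model, tier):
    """Every model in the given tier except the true answer itself."""
    return [m for m, t in VEHICLES.items() if t == tier and m != model]


def biased_question(truth, rng, n_options=4):
    """The pattern the post describes: distractors are 'clearly wrong' luxury cars."""
    options = [truth] + rng.sample(_others_in_tier(truth, 3), n_options - 1)
    rng.shuffle(options)
    return options


def matched_question(truth, rng, n_options=4):
    """A fix: draw distractors from the same price tier as the true answer."""
    options = [truth] + rng.sample(_others_in_tier(truth, VEHICLES[truth]), n_options - 1)
    rng.shuffle(options)
    return options


def cheapest_guess(options, rng):
    """Attacker heuristic from the post: the real car is the least expensive one.
    Ties are broken at random, so equal-tier options give no advantage."""
    lowest = min(VEHICLES[m] for m in options)
    return rng.choice([m for m in options if VEHICLES[m] == lowest])


def attacker_success(generator, trials=2000, seed=1):
    """Fraction of questions the heuristic answers correctly when the customer
    drives an ordinary (tier 1 or 2) car. Seeded so results are repeatable."""
    rng = random.Random(seed)
    ordinary = [m for m, t in VEHICLES.items() if t < 3]
    hits = 0
    for _ in range(trials):
        truth = rng.choice(ordinary)
        if cheapest_guess(generator(truth, rng), rng) == truth:
            hits += 1
    return hits / trials


def quiz_pass_probability(per_question, n_questions=3):
    """Chance of passing a quiz of independent questions in a single attempt."""
    return per_question ** n_questions


if __name__ == "__main__":
    for name, gen in (("biased", biased_question), ("matched", matched_question)):
        p = attacker_success(gen)
        print(f"{name:8s} per-question success {p:.2f}, "
              f"3-question quiz {quiz_pass_probability(p):.3f}")
```

With the biased generator the heuristic is right every time, so a three-question quiz offers no resistance at all; with matched distractors it falls back to a one-in-four guess per question, about 1.6% for three questions, which is still far weaker than a PIN but is at least what the quiz claims to be. The check to run on your own generator is the same: feed it real answers, apply the cheapest public heuristic you can think of, and see whether success is anywhere near 1/k.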
Filed Under: bad security, questions, security
Companies: sprint
Reader Comments
Not even security theater.
So it IS a problem!
It's interesting to see these questions continue to pop up. My bank recently did this "upgrade" (as well as including an image I select as "security") and was very pissed when my answers were hard coded.
Any programmer will tell you that limited responses can easily be broken, especially when the site doesn't lock out incorrect attempts.
Even more interesting are these so-called "password strength" indicators which give feedback based on the password typed. I find it interesting nearly all give a "Strong" return when the simplest of choice is made: Capitalizing the first letter.
I recommend that each of you notify web administrators that predetermined drop-down lists are not security, and request (er, demand) that they restore free-text responses or remove the feature altogether.
If they don't, request an immediate removal of online access to your account. Yes, I know it's a pain in the ass to deal with these companies the old fashioned way, but trust me when I say this: You don't want your identity stolen and these websites are making it easier for thieves.
Hmm... I think I'll answer that internet poll to the right now.
Security Questions
What they should do - if they want to do this at all - is let ME enter the question AND the answer. If I want something easily guessable then it's MY liability.
To access your account please answer the following:
1) Who is your mobile provider?
a) Honda
b) Fiat
c) Sprint
2) What is your first name?
a) Trogdor
b) John
c) L337
3) When is your birthday?
a) Tuesday
b) Banana
c) April 19, 1985
Re:
NOT
Yea...
Sprint: Hi this is Sprint calling you about new upgrades, are you interested?
Me: No.
Sprint: What is your username and password so I can see what plan you have.
Me: Shouldn't you know my plan already before you called me for an upgrade?
Sprint: Ma'am, why aren't you interested? (blah blah blah)
Me: (click)
I then decided to call back this mysterious number that called me for an upgrade and sure enough it directed to the Sprint customer service line.
w-t-f
Re: Yea...
They have called me about 6 or 7 times with that crap. You would think that they would note that I am not interested after the first time I told them no.
@ Thane
Sallie Mae also has five security questions which suck. "What is the street of your favorite residence" and "What is your grandmother's maiden name" are my favorites. I thought they were purposely trying to lock me out since I had one more payment to finish paying my student loan!
Re: Re: Yea...
That's a spoof. They 'steal' a phone number belonging to a major company and call you with it; even your caller ID sees this as a major company name. The number does work if you call back, only for a short time; as you said, you dialed the number and it re-directed the call to the spoofer for a short time. DON'T EVER EVER EVER give your user name and password to ANYONE over the phone ...... EVER!
Sprint Bad
Bad customer service, bad security.
r u serious
*qwak* America
The whole concept is ridiculous
There are tons of sites that ask you to choose from a list like this that is generated from credit bureau reports. One problem with this is that if you're trying to log in to CORRECT a problem with your report, it may well be that those answers are incorrect, and you won't be able to get in. The other problem is of course highlighted by the Consumerist article. If you know even a little bit about someone you can answer those questions easily.
Same thing applies to the security questions you make up yourself or select from a drop-down list. They are typically things like:
- your mother's maiden name
- your favorite pet's name
- the street you grew up on
- your first car
Again, all of these are something a family member or friend would know. Certainly something you could find out with some basic sleuthing and social engineering.
"Oh, you're from Akron? I grew up there, too. I was on Capital street. What about you?"
These "insecurity" questions are almost never optional. At least when they ask you to write out answers, you can put in a PIN-like number you can remember. But when the answers are multiple-choice and pulled from credit databases, it's worse than not having them at all.
Re: The whole concept is ridiculous
I tried to get it taken off but citi says I need the card number to cancel it and I can't get the card number because I never got the card.
Re: The whole concept is ridiculous
That's my favorite one. I got that question on one of my accounts and I typed in "7:9" (I believe the numerical representation for "seven of nine") but it won't take a : so I had to type something else. Heaven help me if I need to answer that again.
Re: The whole concept is ridiculous
Instead of keying your password - you entered it using an on screen keyboard. This used ajax to send the entered keystrokes to the server, thus defeating keystroke loggers.
There were some other features but this one I thought was quite useful.
Security Questions
So what do I do? I have the Q&A stored in an encrypted text file on the only computer I use to access the websites.
I guess you could consider the whole Q&A thing to be 'Security Through Frustration'. If the "bad guys" get too frustrated, it won't be worth their time.
I think I'll patent that.
Fake Out
And of course, the name above is an alias.
OMG, Yahoo has an asshat system...
The main account controls our webhosting and merchant services (pretty important) and you can't make any big changes without the security code, which we didn't have. You can't change the security code without a ton of other info, which we didn't have. The woman who originally set up the accounts couldn't remember what answers she'd put. She didn't know if she'd used her birthday, the street she grew up on, hometown and first pet, or the owner's or the store's 'birthdate' (date of opening), etc.
Yahoo was zero help. They can't tell you any of the answers, because they just type them in and it says correct or incorrect. They can't reset an account, switch your services to a new account, or anything at all even remotely helpful.
The hilarious part is, even if someone did guess your security answers, there's not really any damage they can do, because no useful billing or personal information appears anywhere. Unless someone can start charging your card with just the last four digits... So all of that is for nothing.
even worse system
"What was your grandmother's maiden name?"
"What did you want to be growing up?"
"What is your mother's maiden name?"
"What is your father's middle name?"
etc....
A month later I was locked out of my account because *surprise* I had forgotten the exact answers to the questions. After a call to customer service I was horrified to find out that the operator ... could read to me, in plain text, what my answers were!! I had, wrongly, assumed that they would be treated like secure passwords and would simply be reset and I'd have to log in and choose new answers. Nope, they are stored in plain text and easily readable by anyone. Now, thanks to that company, all of those 'personal, secure' answers are now very much insecure and open.
I promptly changed them to rubbish.
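The comment above assumed the answers "would be treated like secure passwords," and that is exactly the right bar. As an added example (not the code of any company mentioned on this page), here is what that looks like with nothing but the Python standard library: each answer is normalized so that capitalization and stray spaces do not lock the owner out, any character is accepted (so an answer like "7:9" is fine), the answer is salted and run through a slow hash so an operator or a database dump sees only tags, and a run of failures locks the account for a while so a short list cannot simply be tried in order. The round count, failure limit and lockout length are assumptions to tune for your own service.

```python
"""Added example, not any vendor's code: storing security-question answers
the way passwords should be stored (salted, slow hash, nothing recoverable)
with lenient matching and a failure lockout. Standard library only.
"""
import hashlib
import hmac
import os
import time
import unicodedata

PBKDF2_ROUNDS = 600_000      # assumption: current OWASP figure for PBKDF2-HMAC-SHA256
MAX_FAILURES = 5             # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60    # assumption


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Seven of Nine' matches 'seven  of nine'.
    Every other character is kept, so '7:9' is accepted exactly as typed."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Derive a 32-byte tag from the normalized answer; the answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, rounds)


class AnswerStore:
    """Per-account security answers, verified all-or-nothing, with a lockout."""

    def __init__(self, rounds: int = PBKDF2_ROUNDS, clock=time.monotonic):
        self.rounds = rounds
        self._clock = clock        # injectable so lockout expiry can be tested
        self._records = {}         # account -> [(salt, tag), ...]
        self._failures = {}        # account -> (consecutive failures, locked_until)

    def enroll(self, account: str, answers):
        records = []
        for answer in answers:
            salt = os.urandom(16)
            records.append((salt, hash_answer(answer, salt, self.rounds)))
        self._records[account] = records
        self._failures.pop(account, None)

    def stored(self, account: str):
        """What an operator or a leaked database can see: salts and tags only."""
        return list(self._records.get(account, []))

    def is_locked(self, account: str) -> bool:
        _, locked_until = self._failures.get(account, (0, 0.0))
        return self._clock() < locked_until

    def verify(self, account: str, attempts) -> bool:
        """True only if every answer matches; a lockout rejects even correct answers."""
        if self.is_locked(account):
            return False
        records = self._records.get(account, [])
        ok = bool(records) and len(attempts) == len(records)
        # Check every answer even after one fails, so neither timing nor the
        # response reveals which question was the wrong one.
        for (salt, tag), given in zip(records, attempts):
            ok &= hmac.compare_digest(tag, hash_answer(given, salt, self.rounds))
        if ok:
            self._failures.pop(account, None)
            return True
        count, _ = self._failures.get(account, (0, 0.0))
        count += 1
        locked_until = self._clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[account] = (count, locked_until)
        return False


if __name__ == "__main__":
    store = AnswerStore(rounds=50_000)   # fewer rounds only to keep the demo quick
    store.enroll("demo", ["Seven of Nine", "7:9"])
    print(store.verify("demo", ["seven  of nine", "7:9"]))   # True
    print(store.verify("demo", ["Seven of Nine", "7.9"]))    # False
```

With this layout the support desk in the comment above could not have read the answers back, because nothing readable is there; the only recovery is to reset and re-enroll, which is the behaviour the commenter expected. Normalizing before hashing is what makes the slow hash practical for free-text answers, since a one-character slip in capitalization would otherwise look like an attack.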
Re:
you're missing the point. the system is stupid and insecure.
Sprint
It explains why they lost a gazillion customers last year.
One phone call to Sprint to add a new phone could take up to 6 hours on the phone to India. They would call you back and require you to give out your account information to foreigners. I refused. But after about 8 hours and 3 days - a phone would finally arrive - talk about disgruntled - I was.
Sprint sucks. They have made a lot of changes this year to get back their business - but I'm still pissed. The point is that they are more concerned about bilking their customers first, and the customer again comes second.
This is the New America. I guess I should get used to it - but it just makes me want to crap in their Cheerios.
Security. HA! Belligerence.
Security questions and Latinos
But for Latinos it's even more obvious. In most Latin cultures, women don't take their husband's last name, so there is no such thing as a "maiden name" for us. And we usually write our names down with two last names, our father's and our mother's. So, for example, if your name is Juan Diaz Olmedo, Olmedo is your mother's maiden name. Not a huge secret.
....and
Have you also noticed that the lost username feature maps your cell phone number to your email address? So if you have a sprint user's phone number, you also have their email address.
Using the username retrieval feature yields "We have sent your username to your email address (your_address@email.com)." That is another clever idea!
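What the commenter above is describing is an account-enumeration oracle: anyone holding a phone number can turn it into the owner's e-mail address. As an added example (not Sprint's code), here is a "forgot username" handler written to avoid that. The reply is identical whether or not the number is on file, the e-mail is sent only when it is, and the address is never echoed to the anonymous requester; the masking helper is for places where the owner is already authenticated. The directory and phone numbers are constructed for the example.

```python
"""Added example, not Sprint's code: a username-reminder handler that does
not map a phone number to an e-mail address for whoever asks.
"""
import re

# Constructed directory: E.164 phone number -> (username, e-mail). A real
# service would query its user store; the numbers here are reserved test ones.
DIRECTORY = {
    "+15555550100": ("alice", "alice@example.com"),
    "+15555550101": ("bob", "bob.smith@example.org"),
}

# One fixed reply for every request, so the response carries no information
# about whether the number is registered or where the message went.
GENERIC_REPLY = ("If an account is registered for that number, a message with "
                 "the username has been sent to the e-mail address on file.")


def normalize_phone(phone: str) -> str:
    """Reduce the many ways a US number is typed to one E.164 key (assumes US)."""
    digits = re.sub(r"\D", "", phone)
    return "+1" + digits if len(digits) == 10 else "+" + digits


def mask_email(address: str) -> str:
    """Show only enough for the owner to recognize the address: y***@e***.com.
    For authenticated pages or the e-mail body, never for the anonymous reply."""
    local, _, domain = address.partition("@")
    host, _, tld = domain.rpartition(".")
    if not host:                      # domain without a dot: mask it whole
        host, tld = tld, ""
    masked_domain = f"{host[:1]}***" + (f".{tld}" if tld else "")
    return f"{local[:1]}***@{masked_domain}"


def request_username(phone: str, directory=DIRECTORY, outbox=None) -> str:
    """Handle a 'forgot username' request. Returns the reply shown to the
    requester; queued messages (if any) go to `outbox`, which stands in for
    the mail system."""
    outbox = [] if outbox is None else outbox
    entry = directory.get(normalize_phone(phone))
    if entry is not None:
        username, email = entry
        outbox.append({"to": email, "body": f"Your username is {username}."})
    return GENERIC_REPLY


if __name__ == "__main__":
    sent = []
    print(request_username("555-555-0100", outbox=sent))   # registered number
    print(request_username("555-555-0199", outbox=sent))   # unknown number, same text
    print(sent)                                            # exactly one message queued
    print(mask_email("your_address@email.com"))            # y***@e***.com
```

Two things this still does not do and a production version should: rate-limit requests per source and per target number, since a constant reply only stops the cheap one-shot lookup, and make the known and unknown paths take about the same time, since a lookup that sends e-mail only on a hit can leak the same bit through latency.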
these always bothered me
The solution I used was using three additional "passwords" for answers.
I have not encountered the use of publicly available info to verify ID, but a simple US Search query would have given you the answer to the "hardest" question, and a paid US Search would have given you the answers to all of them.
lore sjoberg was here
Test Your Brain With Trivial Security Questions
Choice Point
Don't get me wrong, not that I am saying this is alright but the odd choices that have been made in the wake of the HP pre-texting case are now being suffered by the customers it is meant to protect.
What is most interesting is that most of the changes ushered in with the new FCC regs in December of 2007 were already in place, but when they get over-thought it all falls apart.
It is impossible to legislate away social engineering. When will we face that you can't fix stupid.
Don't they test these ideas on actual security experts?
When the questions are fixed, but the answers are free-form text, I do something like
+ Mother's maiden name: [ aSecretwoRd ]
+ Street where you grew up: [ Trogdor ]
In other words, lie about the answer so that someone who knows something about me will definitely get it wrong. For me, those field labels are just misspellings of the word "Password".
Re: Don't they test these ideas on actual security experts?
AWESOME!!!
That video is etched in my mind forever!
Finally someone is taking on these stupid security "experts"
My concern is purely because it makes me LESS secure! Anyone who knows me, knows my mother's maiden name. Why? Because in my culture(Egyptian), women don't adopt their husbands last name, only the kids!
So my mom (along with anyone of Middle eastern descent) is known by her maiden name to everyone else!
Most of the other Default questions they ask you are ever changing:
-Who is your favorite teacher? (what if I don't have a favorite teacher? Is this question biased towards teacher's pets only?)
-What make is your first car? Why is this a security question in the first place?? My roommate and all my neighbors, along with my friends and family know the answer to that one!
-What is the name of your favorite pet: Again, family, neighbors, friends, ex-girlfriends, etc!
-What is your city of birth? Ok, here is MY Question: How many people you know stay in the same city they were born well into their 20's? Most of the people I know never leave their birthplace!
What is wrong with a simple reset password email?? Huh? Someone please tell me!
Re: Finally someone is taking on these stupid security "experts"
I like my VeriSign key from PayPal. It generates a random-looking six digit number that I append to my password. Too bad they made it possible to talk around that.
So that's where you've been hiding...
Yes, that is true.
And the best-case demo they showed off in the very first presentation was overtly a problem for all the reasons outlined.
But don't worry, when the in-house guys wrote questions before this clever solution, they were just as bad.
What happens if you are married?
"What high school did you graduate from?" - Me or my wife?
"Mother's maiden name?" In-law's or mine?
"What's your favorite sports team?" - neither one of us watch sports.
The list goes on:
"What's your brother's name?" - sorry only sisters for each of us.
"What is your favorite TV show?" -- Shock! I don't have a TV. I have a life.
I remember one account -- none of the questions were at all relevant. But it was also clear that the list was invented by 20-something, single programmers because the questions all made assumptions about what we would be interested in and would remember -- that was completely irrelevant to my family.
Stupid, stupid...
The reason security questions are required is because of all the nasty crap that people have done to steal secure info. You, as the person expecting to be protected, need to own up to your half of the responsibility. You can't expect the company to completely protect you when you leave your door wide open. Granted, the Sprint questions could definitely be improved, but they do serve the purpose. The problem is they aren't questions that people can securely remember. Oh, and btw, it's not a series of dumb questions, it's only one. And the ones listed earlier in this thread aren't ones that Sprint uses. The way it works is you must have a 6-10 digit PIN. If you get it right, you are in... if you get it wrong you have to answer the Q/A. If you get that wrong you get a text message so that you can provide a temporary PIN.
Oh, and I love the comment about calling Customer Care and wanting the last several numbers called from your phone... let me tell you why that will never happen. Sprint (and all carriers) must follow FCC rules which directly state they can't provide that info to you without a subpoena. It's called CPNI. Let me give you an example.... Your wife calls Sprint and wants to know the last 10 calls made from your phone yesterday. Should Sprint give that info up? If your wife finds out that you have a gay lover and files for divorce and takes everything you have, including your 2.5 kids, you could come after Sprint for providing that info... and let me guess, you would also be pissed that she got through because you didn't want to put any security on your account.
You think big companies do this stuff just to piss off the people who send them tons of money every month? Think outside the bun, man. You should be grateful that companies are doing their part to protect you.