Dumb Sprint 'Security' Questions Make It Easier To Hijack Accounts

from the with-security-like-that... dept

Thu, Apr 10th 2008 2:18am — Mike Masnick

In the last year or so, there's been a disturbing trend of companies to start adding absolutely ridiculous and counterproductive "security" questions on various sites. Most of these do absolutely nothing good in terms of security. In fact, it seems the more ridiculous these features are, the less secure a site actually is. I've been collecting some examples of the more bizarre "security" features I've been seeing lately, with the really ridiculous "security questions" being quite popular. This is when the site gives you a bunch of questions to choose from -- but often those questions are not the sort that have a single answer, or an answer that's easily memorable. For example, I just saw one that asked "What's a place you'd like to visit someday?" Well, there are a few, but I doubt I could remember the one I picked. And what happens if I do visit that place before the next time I need to answer that question?

I was recently discussing this with a colleague who told me that if I wanted to see the most ridiculous example, I should look at Sprint's system, as it had a bunch of security questions where it tried to pull information on you. Before I had a chance to check it out, it looks like the folks over at Consumerist decided to take on Sprint, and discovered not just how ridiculous the questions are but noticed some patterns that make it quite easy to get control of any Sprint user's account.

The way it works is Sprint asks you a series of "security" questions that it thinks only you would know the answer to. Things like "what type of car has been registered at your address?" and "which of the following people has lived at your address?" It sounds like some data collection company probably convinced Sprint to purchase access to their data to set up these questions in the name of "security." The problem is that if you know just a little about certain people, you can easily guess the answers. Even worse, a former Sprint employee notes that, mostly to avoid "accidentally" having two right answers, it's usually quite easy to figure out the actual answers. For example, on the automobile question, the incorrect answers are usually expensive luxury vehicles.

This isn't "security." It's barely security theater. It's a huge security hole. Hopefully with a little attention Sprint gets rid of it and puts something more reasonable in place. I just hope it doesn't involve asking me where I hope to travel some day.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bad security, questions, security
Companies: sprint

44 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Scote, 10 Apr 2008 @ 3:39am

Not even security theater.
As you note, Sprints system opens a gaping hole that allows people to guess--even without knowing a person--the right answers much of the time, especially since you only need to get 2 out 3 right. So, isn't really security theater, more like Security Burlesque.
[ link to this | view in thread ]
Twinrova, 10 Apr 2008 @ 3:52am

So it IS a problem!
Now, if only this blog would spread to corporations around the world within the next 30 minutes, change can happen?

It's interesting to see these questions continue to pop up. My bank recently did this "upgrade" (as well as including an image I select as "security") and was very pissed when my answers were hard coded.

Any programmer will tell you that limited responses can easily be broken, especially when the site doesn't lock out incorrect attempts.

Even more interesting are these so-called "password strength" indicators which give feedback based on the password typed. I find it interesting nearly all give a "Strong" return when the simplest of choice is made: Capitalizing the first letter.

I recommend to each of you to notify web administrators using predetermined drop down lists are not security and request (er, demand) they restore free text responses or remove the feature altogether.

If they don't, request an immediate removal of online access to your account. Yes, I know it's a pain in the ass to deal with these companies the old fashioned way, but trust me when I say this: You don't want your identity stolen and these websites are making it easier for thieves.

Hmm... I think I'll answer that internet poll to the right now.
[ link to this | view in thread ]
thane, 10 Apr 2008 @ 4:30am

Security Questions
One site I access has FIVE security questions. While the choices are text enterable - not drop downs - I have been locked out twice for not entering all 5 answers exactly correctly.

What they should do - if they want to do this at all - is let ME enter the question AND the answer. If I want something easily guessable then it's MY liability.
[ link to this | view in thread ]
linuxamp, 10 Apr 2008 @ 4:47am

I got them beat.

To access your account please answer the following:

1) Who is your mobile provider?
a) Honda
b) Fiat
c) Sprint

2) What is your first name?
a) Trogdor
b) John
c) L337

3) When is your birthday?
a) Tuesday
b) Banana
c) April 19, 1985
[ link to this | view in thread ]
Bleh, 10 Apr 2008 @ 4:55am

Yea...
Whenever I call customer service they always ask for my username and password. You'd assume they'd know already. Moreover, they have their employees call customers for "new upgrades"

Sprint: Hi this is Sprint calling you about new upgrades, are you interested?

Me: No.

Sprint: What is your username and password so I can see what plan you have.

Me: Should't you know my plan already before you called me for an upgrade?

Sprint: Mam why aren't you interested? (blah blah blah)

Me: (click)

I then decided to call back this mysterious number that called me for an upgrade and sure enough it directed to the Sprint customer service line.

w-t-f
[ link to this | view in thread ]
Ur Drunk Uncle, 10 Apr 2008 @ 5:07am

Re: Yea...
@ Bleh

They have called me about 6 or 7 times with that crap. You would think that they would note that I am not interested after the first time I told them no.

@ Thane

Sallie Mae also has five security questions which suck. "What is the street of your favorite residence" and "What is your Grandmothers maiden name" are my favorites. I thought they were purposely trying to lock me out since I had one more payment to finish paying my student loan!
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 5:07am

Yea... by Bleh

That a spoof. They 'steal a phone number belonging to a major company and call you with it, even your caller ID sees this a major company name, The number does work if you call back only for a short time, as you said, you dialed the number and it re-directs the call to the spoofer for a short time. DONT EVER EVER EVER ! give your user name and password to ANYONE over the phone ...... EVER!
[ link to this | view in thread ]
boost, 10 Apr 2008 @ 5:12am

Re:
Oooh, the burninator!
[ link to this | view in thread ]
Boost, 10 Apr 2008 @ 5:14am

Re: Re: Yea...
Oh, man, don't even get me started on Sallie Mae's website. Sallie Mae buying my loans ranks up there with the top 5 worst things that have happened to me within the last year.
[ link to this | view in thread ]
Steve R. (profile), 10 Apr 2008 @ 5:19am

Sprint Bad
Several years ago when we were still Sprint customers, I lost our phone. I called the phone to see if the person who picked it up would answer. No Answer. I called Sprint and asked for the recently called numbers so that I could call those numbers to track down the phone, they said NO that it was against their policy. I protested saying that the person who picked it up was now obviously stealing the phone and it was my phone. The answer was still NO. Sprint said that I would have to wait till I received my bill to see the phone numbers. Well we had the phone turned off. After getting the bill I called those numbers and the answer was the expected "I don't remember who called".

Bad customer service, bad security.
[ link to this | view in thread ]
Larry, 10 Apr 2008 @ 5:53am

r u serious
someone actually gets paid to write nonsense like this....
*qwak* America
[ link to this | view in thread ]
Bill M, 10 Apr 2008 @ 5:54am

The whole concept is ridiculous
I have NEVER seen a "security question" scheme that has ever made any sense, with the possible exception of systems that require you to enter the "last five digits" of a social security number, drivers license, or credit card.

There are tons of sites that ask you to choose from a list like this that is generated from credit bureau reports. One problem with this is that if you're trying to log in to CORRECT a problem with your report, it may well be those answers are incorrect, and you won't be able to get in. The other problem is of course highlighted by the Consumerist article. If you knwo even a little bit about someone you can answer those questions easily.

Same thing applies to the security questions you make up yourself or select from a drop-down list. They are typically things like:

- your mother's maiden name
- your favorite pet's name
- the street you grew up on
- your first car

Again, all of these are something a family member or friend would know. Certainly something you could find out with some basical sleuthing and social engineering.

"Oh, you're from Akron? I grew up there, too. I was on Capital street. What about you?"

These "insecurity" questions are almost never optional. At least when they ask you to write out answers, you can put in a PIN-like number you can remember. But when the answers are multiple-choice and pulled from credit databases, it's worse than not having them at all.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 6:07am

What is totally bizarre is that my employer's software system does a decent job of requiring a secure password, but then asks for a security question that would be very easy to guess the answer to. You get locked out if you guess your password wrong 5 times, but anyone could do a dictionary attack on the security question.
[ link to this | view in thread ]
Justino, 10 Apr 2008 @ 6:15am

Security Questions
Over the past year, all of my bank and credit card websites have added these questions. It wouldn't have been too bad if I could have the same set of questions on each. But, no. And, no, I don't use the same password on the websites. I never have problems remember the random passwords I do use. But I can never remember if I spelled the answer to 'My First Concert' correctly or did I use capital letters in my answer to 'My Favorite Movie'.

So what do I do? I have the Q&A stored in an encrypted text file on the only computer I use to access the websites.

I guess you could consider the whole Q&A thing to be 'Security Through Frustration'. If the "bad guys" get too frustrated, it won't be worth their time.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 6:25am

Hmm, info gathering for targeted marketing hidden under the guise of security questions.
I think I'll patent that.
[ link to this | view in thread ]
Todd Middleton, 10 Apr 2008 @ 6:53am

Fake Out
I purposely misspell my mother's maiden name and will use my kids first street address. That way someone who knows me, or figures it out will still have the wrong answers.

And of course, the name above is an alias.
[ link to this | view in thread ]
Rose M. Welch, 10 Apr 2008 @ 6:54am

OMG, Yahoo has an asshat system...
...the jewelry store that I work part-time at has a webhosting, pop3 e-mail, and a buncle of other services with Yahoo. They all center around a plethora of e-mail accounts, none of which have anything written down about them.

The main account controls our webhosting and merchant services (pretty important) and you can't make any big changes without the security code, which we didn't have. You can't change the security code without a ton of other info, which we didn't have. The woman who originally set up the accounts couldn't remember what answers she'd put. She didn't know if she'd used her birthday and street she grew up on hometown and first pet, or the owner's or the store's 'birthdate' (date of opening), etc.

Yahoo was zero help. They can't tell you any of the answers, because they just type them in and it says correcort or incorrect. They can't reset an account, switch your services to a new account, or anything at all even remotely helpful.

The hilarious part is, even if someone did guess your security answers, there's not really any damage they can do, because no useful billing or personal information appears anywhere. Unless someone can start charging your card with just the last four digits... So all of that is for nothing.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 7:17am

even worse system
Recently one of my online student loan accounts went through this 'security' upgrade. It asked me the general questions:
"What was your grandmothers maiden name?"
"What did you want to be growing up?"
"What is your mothers maiden name?"
"What is your fathers middle name?"
etc....
A month later I was locked out of my account because *surprise* I had forgotten the exact answers to the questions. After a call to customer service I was horrified to find out that the operator ... could read to me, in plain text, what my answers were!! I had, wrongly, assumed that they would be treated like secure passwords and would simply be reset and I'd have to log in and choose new answers. Nope, they are stored in plain text and easily readable by anyone. Now, thanks to that company, all of those 'personal, secure' answers are now very much insecure and open.

I promptly changed them to rubbish.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 7:25am

You people are idiots. Gosh. Ever try remembering something? Apparently, not.
[ link to this | view in thread ]
Xanius, 10 Apr 2008 @ 7:54am

Re: The whole concept is ridiculous
I have that problem right now. To log in to check one of my credit reports I need to enter the number of a credit card that citi bank told me I was declined for but still put out a number and an account but never got around to printing or mailing the card.
I tried to get it taken off but citi says I need the card number to cancel it and I can't get the card number because I never got the card.
[ link to this | view in thread ]
Anonymous Coward, 10 Apr 2008 @ 7:58am

Re:
WOW Hilarious

NOT
[ link to this | view in thread ]
asdf, 10 Apr 2008 @ 8:02am

Re: The whole concept is ridiculous
nail on head.
[ link to this | view in thread ]
asdf, 10 Apr 2008 @ 8:05am

Re:
ego much?

you're missing the point. the system is stupid and insecure.
[ link to this | view in thread ]
M., 10 Apr 2008 @ 8:20am

Sprint
It was a sad day when Sprint bought Nextell and outsourced customer service to India.

It explains why they lost a gazillion customers last year.

One phone call to Sprint to add a new phone could take up to 6 hours on the phone to India. They would call you back and require you to give out your account information to foreigners. I refused. But after about 8 hours and 3 days - a phone would finally arrive - talk about disgruntled - I was.

Sprint sucks. They have made alot of changes this year to get back their business - but I'm still pissed. The point is that they are more concerned about bilking their customers first, and the customer again comes second.

This is the New America. I guess I should get used to it - but it just makes me want to crap in their Cheerios.

Security. HA! Beligerance.
[ link to this | view in thread ]
Pete Valle, 10 Apr 2008 @ 9:01am

Security questions and Latinos
For us Latinos, there is a specific security question that is extremely useless: "What's your mother's maiden name?" First, this so-called security question is retarded. If you know just a little bit about the person, you'd know all their family's names.

But for Latinos its even more obvious. In most Latin cultures, women don't take their husband's last name, so there is no such thing as a "maiden name" for us. And we usually write our names down with two last names, our father's and our mother's. So, for example, if your name is Juan Diaz Olmedo, Olmedo is your mother's maiden name. Not a huge secret.
[ link to this | view in thread ]
thedemographic, 10 Apr 2008 @ 9:05am

....and
So what we have here is an easy Sprint Account hijack and the possibility of Identity theft from our Sprint "representatives" in India.

Have you also noticed that the lost username feature maps your cell phone number to your email address? So if you have a sprint user's phone number, you also have their email address.

Using the username retrieval feature yields "We have sent your username to your email address (your_address@email.com)." That is another clever idea!
[ link to this | view in thread ]
Chronno S. Trigger, 10 Apr 2008 @ 9:57am

Re: The whole concept is ridiculous
"- your favorite pet's name"

That's my favorite one. I got that question on one of my accounts and I typed in "7:9" (I believe the numerical representation for "seven of nine") but it won't take a : so I had to type something else. Heaven help me if I need to answer that again.
[ link to this | view in thread ]
Thane, 10 Apr 2008 @ 10:00am

Re: The whole concept is ridiculous
I have seen one security scheme that made sense. It was Redstone federal credit union - and you could turn it on or off as you desired.

Instead of keying your password - you entered it using an on screen keyboard. This used ajax to send the entered keystrokes to the server, thus defeating keystroke loggers.

There were some other features but this one I thought was quite useful.
[ link to this | view in thread ]
Marc, 10 Apr 2008 @ 11:01am

these always bothered me
I have never answered any of these honestly, just for the simple reason you stated, a little background info is all you need.

The solution I used was using three additional "passwords" for answers.

I have not encountered the use of publicly available info verify ID, but a simple US Search query would have given you the answer to the "hardest" question and a paid US Search would have you the answer to all.
[ link to this | view in thread ]
another mike, 10 Apr 2008 @ 12:22pm

lore sjoberg was here
wired's alt text column already took a funny jab at this very topic.
Test Your Brain With Trivial Security Questions
[ link to this | view in thread ]
Shaniac, 10 Apr 2008 @ 1:33pm

Choice Point
The system is one provide by Choice Point, this system is in use across many business sites. Nice that the FCC says that this system is one of the best.

Don't get me wrong, not that I am saying this is alright but the odd choices that have been made in the wake of the HP pre-texting case are now being suffered by the customers it is meant to protect.

What is most interesting is that most of the changes ushered in with the new FCC regs in December of 2007 where already in place but when they get over thought it all falls apart.

It is impossible to legislate away social engineering. When will we face that you can't fix stupid.
[ link to this | view in thread ]
solak, 10 Apr 2008 @ 2:17pm

Don't they test these ideas on actual security experts?
Fixed Q&A like that is just an six-bit password (of which you only need to get four correct!), but Fixed Q has a workaround:

When the questions are fixed, but the answers are free-form text, I do something like

+ Mother's maiden name: [ aSecretwoRd ]
+ Street where you grew up: [ Trogdor ]

In other words, lie about the answer so that someone who knows something about me will definitely get it wrong. For me, those field labels are just misspellings of the word "Password".
[ link to this | view in thread ]
Etch, 10 Apr 2008 @ 3:56pm

Finally someone is taking on these stupid security "experts"
I've always been critical of these STUPID security questions, Especially when they FORCE you to add one!

My concern is purely because it makes me LESS secure! Anyone who knows me, knows my mother's maiden name. Why? Because in my culture(Egyptian), women don't adopt their husbands last name, only the kids!
So my mom (along with anyone of Middle eastern descent) is known by her maiden name to everyone else!

Most of the other Default questions they ask you are ever changing:

-Who is your favorite teacher? (what if I don't have a favorite teacher? Is this question biased towards teacher's pets only?)

-What make is your first car? Why is this a security question in the first place?? My roommate and all my neighbors, along with my friends and family know the answer to that one!

-What is the name of your favorite pet: Again, family, neighbors, friends, ex-girlfriends, etc!

-What is your city of birth? Ok, here is MY Question: How many people you know stay in the same city they were born well into their 20's? Most of the people I know never leave their birthplace!

What is wrong with a simple reset password email?? Huh? Someone please tell me!
[ link to this | view in thread ]
Etch, 10 Apr 2008 @ 3:58pm

Re: Don't they test these ideas on actual security experts?
Did you just say TROGDOR!?? (the dragon)
AWESOME!!!
That video is etched in my mind forever!
[ link to this | view in thread ]
Lawrence D'Oliveiro, 10 Apr 2008 @ 5:36pm

So that's where you've been hiding...
You are Bruce Schneier and I claim my $3.
[ link to this | view in thread ]
dah, 11 Apr 2008 @ 6:16am

Re: Sprint Bad
dah like they would actually tell you who called on a stolen phone? you put way too much faith in people. if you haven't noticed there are bad people in the world and they have bad friends.
[ link to this | view in thread ]
Yep.. Not givin it., 11 Apr 2008 @ 6:35am

Re: Sprint
Sprint is the company who had the customer serivce in India. Nextel never had that, Nextel was the leader in customer service before Sprint and Nextel merged. As for the security questions, there is no making anyone happy! You get mad if someone is in your account, you get mad if you can't get in your account, the FCC regulates all of this. There is nothing that can be done to make you people happy! Get over it. Welcome to the year 2008. This is what is has come to. YOU SELECT THE ANSWER. WHO CARES WHAT THE QUESTION IS!! Give what you want to give and remember it! Don't rely on someone else to do it for you! Also don't just go off the deep end when you have 1 bad expereience. No one comes to your job and throws rocks at you while you're mowing the lawn!
[ link to this | view in thread ]
John Duncan Yoyo, 11 Apr 2008 @ 6:50am

Re: Finally someone is taking on these stupid security "experts"
Nothing. Password reset email to my email account with a short duration of usefulness is my favorite choice.

I like my verisign key from Paypal. It generates a random looking six digit number that I append to my my password. Too bad they made it possible to talk around that.
[ link to this | view in thread ]
no longer a Sprint employee, 11 Apr 2008 @ 7:09am

> It sounds like some data collection company probably convinced Sprint to purchase access to their data to set up these questions in the name of "security."

Yes, that is true.

And the best-case demo they showed off in the very first presentation was overtly a problem for all the reasons outlined.

But don't worry, when the in-house guys wrote questions before this clever solution, they were just as bad.
[ link to this | view in thread ]
Pat, 11 Apr 2008 @ 9:33am

What happens if you are married?
My wife and I share bank accounts (Yeah - I know - unusual). So when the question is anything personal:

"What high school did you graduate from?" - Me or my wife?
"Mother's maiden name?" In-law's or mine?

"What's your favorite sports team?" - neither one of us watch sports.

The list goes on:

"What's your brother's name?" - sorry only sisters for each of us.

"What is your favorite TV show?" -- Shock! I don't have a TV. I have a life.

I remember one account -- none of the questions were at all relevant. But it was also clear that the list was invented by 20-something, single programmers because the questions all made assumptions about what we would be interested in and would remember -- that was completely irrelevant to my family.

Stupid, stupid...
[ link to this | view in thread ]
Sprint User, 11 Apr 2008 @ 11:31am

Y'all need to know the facts before you badger.

The reason security questions are required is because of all the nasty crap that people have done to steal secure info. You as the person expecting to be protected need to own up to your half of the responsiblity. You can't expect the company to completely protect you when you leave your door wide open. Granted, the Sprint questions could definitely be improved, they do serve the purpose. The problem is they aren't questions that people can securely remember. Oh and btw, its not a series of dumnb questions, it's only one. And the ones listed earlier in this thread aren't ones that Sprint uses. The way it works is you must have a 6-10 digit PIN. if you get it right, you are in... if you get it wrong you have to answer the Q/A. if you get that wrong you get a text message so that you can provide a temporary PIN.

Oh and I love the comment about calling Customer Care and wanting the last several numbers called from your phone... let me tell you why that will never happen. Sprint (and all carriers) must follow FCC rules which directly state they can't provide that info to you without a subpoena. It's called CPNI. Let me give you an example.... Your wife calls Sprint and wants to know the last 10 calls made from your phone yesterday. Should Sprint give that info up... and your wife finds out that you have a gay lover and files for divorce and takes everything you have including your 2.5 kids you could come after Sprint for providing that info... and let me guess you would also be pissed because she got through because you didn't want to put any security on your account.

you think big companies do this stuff just piss of the people who send them tons of money every month? think outside the bun, man. You should be greatful that companies are doing their part to protect you.
[ link to this | view in thread ]
Dana, 15 Mar 2009 @ 12:37pm

Re: Sprint Bad
It is against the law and sprint's policy to give out unbilled information. Employees can get in a lot of trouble for giving out that information. The most we can recommend is that you have your line suspended. Sorry we couldn't be of more help!
[ link to this | view in thread ]
Dana, 15 Mar 2009 @ 12:39pm

Re: The whole concept is ridiculous
Customer's have the option of putting special notes on their account which restrict access to the account via security question. Call in and request these notes to be placed on your account if you do not wish to have the security question option. That, or choose a harder question to answer, such as "What was your first elementary school?" -- No one ever seems to know the answer to that. Not even the account holder. LOL
[ link to this | view in thread ]
Dana, 15 Mar 2009 @ 12:48pm

Re: Security questions and Latinos
The solution for that is simple. Don't select, "What is your mother's maiden name?" as a security question... It's not an available one for Sprint anyway.
[ link to this | view in thread ]