Dumb Sprint 'Security' Questions Make It Easier To Hijack Accounts
from the with-security-like-that... dept
I was recently discussing this with a colleague who told me that if I wanted to see the most ridiculous example, I should look at Sprint's system, as it had a bunch of security questions where it tried to pull information on you. Before I had a chance to check it out, it looks like the folks over at Consumerist decided to take on Sprint, and discovered not just how ridiculous the questions are but noticed some patterns that make it quite easy to get control of any Sprint user's account.
The way it works is Sprint asks you a series of "security" questions that it thinks only you would know the answer to. Things like "what type of car has been registered at your address?" and "which of the following people has lived at your address?" It sounds like some data collection company probably convinced Sprint to purchase access to their data to set up these questions in the name of "security." The problem is that if you know just a little about certain people, you can easily guess the answers. Even worse, a former Sprint employee notes that, mostly to avoid "accidentally" having two right answers, it's usually quite easy to figure out the actual answers. For example, on the automobile question, the incorrect answers are usually expensive luxury vehicles.
This isn't "security." It's barely security theater. It's a huge security hole. Hopefully with a little attention Sprint gets rid of it and puts something more reasonable in place. I just hope it doesn't involve asking me where I hope to travel some day.