Sprint staff portal poorly secured, allowed for easy SIM swapping attack

Posted:
in General Discussion
"Weak passwords" are being blamed for a security breach at wireless carrier Sprint, which could have set up users for an attack allowing for phone number theft and transfer.

Sprint


According to TechCrunch, an anonymous individual described as a "security researcher" was able to easily access an internal Sprint staff portal. The researcher got into the system using "two sets of weak, easy-to-guess usernames and passwords," while also exposing the system's lack of two-factor authentication. This led to the hacker reaching pages that "could have allowed access [to] customer account data." This data was for Sprint as well as subsidiaries Boost Mobile and Virgin Mobile.

At one point, the researcher ended up in a part of the portal in which all that was needed to access individual accounts was a phone number and PIN number, with no time or attempt limitation on PIN number attempts. In that section of the site, attackers could execute a device swap, adjusted plans or replenished the account. The system, at that point, had no limit for the amount of attempts.

This vulnerability leaves Sprint's system especially vulnerable to "SIM-swapping" attacks. The vector allows an attacker to take over a target's phone number, and use it to access bank accounts and other personal information. Given the phone number-centric nature of most two-factor authentication methods, this can expose a target to mass account theft.

After getting into the system, the researcher then notified TechCrunch, who in turn told Sprint.

"Based on the information and screenshots provided, legitimate credentials were utilized to access the site," Sprint said in a statement. "Regardless, the security of our customers is a top priority, and our team is working diligently to research this issue and immediately changed the passwords associated with these accounts."

The Sprint breach follows news from last week that T-Mobile recently suffered a data breach of its own. The carrier announced Friday that it had "discovered and shut down an unauthorized access to certain information" which may have affected the data of up to two million customers. Sprint and T-Mobile earlier this year agreed to merge, with the deal now in the hands of regulators.

Comments

  • Reply 1 of 6
    Sprint staff portal poorly secured, allowed for easy SIM swapping attack
    I suggest suing Apple as soon as possible. /s
    Soliwatto_cobra
  • Reply 2 of 6
    SoliSoli Posts: 8,461member
    AI, is there anything that users can do to protect themselves from careers that are weak on security? For instance, would a SIM card PIN do a damn thing?
  • Reply 3 of 6
    claire1claire1 Posts: 494unconfirmed, member
    Sprint staff portal poorly secured, allowed for easy SIM swapping attack
    I suggest suing Apple as soon as possible. /s
    Celebrity passwords, Xbox suicides, world hunger....

    its apples fault... somehow.
    watto_cobra
  • Reply 4 of 6
    coolfactorcoolfactor Posts: 1,364member
    After getting into the system, the researcher then notified TechCrunch, who in turn told Sprint. 

    Okay, a "reseearcher" first went to a technology news outlet, not directly to Sprint? I call this an amateur hacker, not a researcher. Jail time.

  • Reply 5 of 6
    sflocalsflocal Posts: 4,382member
    So long as there is a human involved in any part of the security link, it will always be prone to failure.  The current password schema is broken. We need an new, more modern way to validate secure sites.  Heck, getting rid of passwords altogether and using something entirely different like FaceID would be better than what's going on now.
  • Reply 6 of 6
    sflocal said:
    So long as there is a human involved in any part of the security link, it will always be prone to failure.  The current password schema is broken. We need an new, more modern way to validate secure sites.  Heck, getting rid of passwords altogether and using something entirely different like FaceID would be better than what's going on now.
    Many companies have already moved to multi factor authentication.  FaceID by itself isn’t enough.  Something you know + something you have (like yubikey) is better.  FaceID and TouchID are just OK.  I’ve been waiting for Apple to allow NFC keys in addition to FaceID, but that’s still something you have + something you have.  Long term, because of the static nature of your fingerprint and face they aren’t great solutions.

    Sprint half a$$ed it and got caught.

    Individuals can use something like LastPass + YubiKey.

Sign In or Register to comment.