[BreachExchange] Weak passwords let a hacker access internal Sprint staff portal

Destry Winant destry at riskbasedsecurity.com
Mon Aug 27 23:58:14 EDT 2018


https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/

It’s not been a great week for cell carriers. EE was hit with two
security bugs and T-Mobile admitted a data breach. Now, Sprint is the
latest phone giant to admit a security lapse, TechCrunch has learned.

Using two sets of weak, easy-to-guess usernames and passwords, a
security researcher accessed an internal Sprint staff portal. Because
the portal’s log-in page didn’t use two-factor authentication, the
researcher — who did not want to be named — navigated to pages that
could have allowed access to customer account data.

Sprint is the fourth largest US cell network with 55 million customers.

TechCrunch passed on details and screenshots of the issue to Sprint,
which confirmed the findings in an email.

“After looking into this, we do not believe customer information can
be obtained without successful authentication to the site,” said a
Sprint spokesperson.

“Based on the information and screenshots provided, legitimate
credentials were utilized to access the site. Regardless, the security
of our customers is a top priority, and our team is working diligently
to research this issue and immediately changed the passwords
associated with these accounts,” the spokesperson said.

We’re not disclosing the passwords, but suffice to say they were not
difficult to guess.

The first set of credentials let the researcher into a prepaid Sprint
employee portal that gave staff access to Sprint customer data — as
well as Boost Mobile and Virgin Mobile, which are Sprint subsidiaries.
The researcher used another set of credentials to gain access to a
part of the website, which he said gave him access to a portal for
customer account data.

A screenshot shared with TechCrunch showed that anyone with access to
this portal could conduct a device swap, change plans and add-ons,
replenish a customer’s account, check activation status and view
customer account information.

All a user would need is a customer’s mobile phone number and a
four-digit PIN number, which could be bypassed by cycling through
every possible combination.

The researcher said there were no limits on the number of PIN attempts.
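As an added example (not Sprint’s code and not from the article), a Python sketch of the control the researcher found missing: a per-account failed-attempt limit on the four-digit PIN check, with a timing-safe comparison, plus a defender-side test helper that counts how many guesses an exhaustive 0000–9999 sweep gets to make before the lockout stops it. The phone number, PIN and limits are constructed values.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed policy values (assumptions, not Sprint's): five failed guesses
# lock the account for 15 minutes. Without such a limit a four-digit PIN
# falls to at most 10,000 guesses.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountPinState:
    pin: str                 # a real system would store a hash, not the PIN
    failures: int = 0
    locked_until: float = 0.0


class PinVerifier:
    """Verifies account PINs while tracking failures per phone number."""

    def __init__(self, accounts: dict, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock   # injectable so lockout expiry can be tested

    def verify(self, phone: str, pin: str) -> str:
        """Returns 'ok', 'bad_pin' or 'locked'."""
        state = self.accounts.get(phone)
        if state is None:
            return "bad_pin"  # same answer as a wrong PIN: no account enumeration
        now = self.clock()
        if now < state.locked_until:
            return "locked"   # refused even if the PIN is right
        # Constant-time compare so response timing reveals nothing about the PIN
        if hmac.compare_digest(state.pin, pin):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
        return "bad_pin"


def attempts_before_lockout(verifier: PinVerifier, phone: str) -> int:
    """Control check: how many guesses a full 0000..9999 sweep can make.
    An unlimited verifier returns 10000; a limited one returns MAX_ATTEMPTS."""
    made = 0
    for guess in range(10000):
        result = verifier.verify(phone, f"{guess:04d}")
        if result == "locked":
            break
        made += 1
        if result == "ok":
            break
    return made
```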

Account PIN numbers are highly sensitive as they can be used to
transfer ownership from one person to another. That gives hackers an
easier route to carry out a “SIM swapping” attack, which targets and
hijacks cell phone numbers. Hackers use a mix of techniques — such as
calling up customer service and impersonating a customer, all the way
to recruiting telecom employees to hijack SIM cards from the inside.
By hijacking phone numbers, hackers can break into online accounts to
steal vanity Instagram usernames, and intercept codes for two-factor
authentication to steal the contents of cryptocurrency wallets.

SIM swapping is becoming a big, albeit illegal, business. An
investigation by Motherboard revealed that hundreds of people across
the US have had their cellphone number stolen over the past few years.
TechCrunch’s John Biggs was one such victim.

But the authorities are catching up to the growing threat of SIM
swapping. Three SIM swappers have been arrested in the past few weeks
alone.
