Mar. 6th, 2004 00:14
security with Sprint
A couple of weeks ago, I called Sprint customer service from my Sprint cell phone to ask for help with something (I couldn't get Internet services; it turns out their network was partly down on the east coast for a while). The service rep who answered asked me for my cell phone number, which I gave him. Then he asked me for my password. I assumed he meant my telephone customer account code that I'd given them to verify my identity when calling in. Actually, I didn't remember if I'd done that with Sprint, but I assumed they ask everyone to do that, and I knew what code I would have given them, so I gave him that code. He typed for a few seconds and then told me:
"That's not your password, but I do recognize that as your account code. Your password is XXXXXXX [not the actual password]."
The password he had just read off to me over the phone is the password I use to log in to the Sprint web site. From that account, I can view my bills, change my service options, and it's linked to my bank account to let me pay bills online. I was not happy. I told him so.
We had a short conversation about the security implications of reading off people's passwords to them over the phone, especially over a cell phone, and about customer service using the same password as people use to log into their Sprint web accounts that are linked to their bank accounts. I asked him to pass my complaint on, after I explained it to him. Then I was ready to move on to the reason I had called, so I asked him to continue.
The next thing he asked me:
"What is the email address that you use as your username?"
(Sprint's online system uses an email address as the login username, and I use a sprint-specific email address there that I don't use for any other purpose.)
no subject
when I informed him that I absolutely would never speak my password over the phone, he said "Ok, we'll just reset it for you then."
they totally don't understand that the phone service system should be separate from the web system, at least as far as the entry points and front ends go. they should be able to access the same data, of course. (a problem that Verizon Wireless actually had with me - apparently the billing system the website accesses is different from the one the phone operators use, so you could get double billed if you're not careful. but at least they didn't ask me for my password over the phone)
no subject
WE
no subject
Can't the suck all be concentrated in a few companies, so the rest can be good?