Easy Access to T-Mobile and Cingular Accounts

by Battery  (Battery@chicago2600.net)

When talking about data security, there has always been a mantra: if someone has physical access to your computer, it's their computer, not yours.

This always seemed to make sense when talking about large pieces of hardware (laptops, PCs, servers, etc.).  You would surely know if an attacker had physical access to your computer.  Hard drives would probably be missing or the computer would simply be gone.  But how would you know if someone had physical access to something else of yours?  For example, what if someone accessed your cell phone?

Last month my sister found a T-Mobile BlackBerry outside a bar.

Unable to find the BlackBerry's owner inside the bar, she gave it to me, hoping I would be able to track him down and return the device.

First, I called T-Mobile, who thanked me for trying to return the phone.  But the customer service representative informed me that he couldn't release any of the owner's information.  This was completely understandable to me.  After all, I might just be social engineering him, so I didn't have a problem with him not telling me the owner.  I asked if he would contact the owner and give them my phone number and name and tell them I found their BlackBerry and was trying to return it to him.  He said he was not able to do that and that no one answered the home phone number on the account.

He then advised me to drop off the BlackBerry at a T-Mobile store where the staff would locate the owner and return the phone.  I had two problems with this.

First, there were no T-Mobile stores within 25 miles of me, so I would have to go quite out of my way.

Second, from past dealings with cell phone stores and kiosks, I wouldn't trust most people working in those stores to get the phone back to the rightful owner.

I offered to mail it to T-Mobile Customer Care, but this was also shot down by the representative.  I myself am a T-Mobile customer and the handling of this situation annoyed me quite a bit; the representative didn't seem to want to do anything to aid me in returning the phone.

Finally, I just asked that he put a note on my account and the BlackBerry's owner's account, making note of my call and giving them permission to give my phone number to the owner should he call T-Mobile to report his BlackBerry missing.

At this point, I decided to find the owner myself.  Unfortunately, there was little information in the address book of the BlackBerry to help me find the owner.  I knew the device's phone number since the BlackBerry shows the phone number assigned to it in its phone application.  But I could have also called my cell phone from the BlackBerry to find its number if I didn't already know it.

Since I knew the phone number, I could begin hacking into the account.

This is where the biggest problem in T-Mobile's data security exists.  The information that the T-Mobile customer care representative refused to give me due to "customer confidentiality policies" was easily accessed via the phone provider's website.

Once on the T-Mobile website, I clicked "Forgot My Password," entered the BlackBerry's phone number, and the account password was sent to the BlackBerry via SMS (text message).

From there, I was able to log in to the account with the phone number and the acquired password.  I then had access to complete billing records, calling records, and was able to make plan changes to the account.

Luckily, I was able to find a legit email address in the billing information and finally got in contact with the BlackBerry's owner's father (apparently he was the one paying the phone bill).

I was able to locate and return the BlackBerry to the owner the next day, due to the information I obtained through the extremely weak security on the T-Mobile website.

The more I thought about it, the more troubled I became with the way T-Mobile handles their lost password retrieval.  I looked at other cell phone providers and found that out of the biggest five national providers in the United States, only T-Mobile and Cingular send customers their lost passwords in this manner (via SMS text message after only providing a phone number).

These providers rely on physical possession of the phone (or actually the phone's SIM card) to prove ownership.  I can imagine many situations where it would be quite easy to grab a person's phone and request your lost password to be sent to you from either of these companies' websites (www.t-mobile.com or www.cingular.com).  A simple check of the text message sent to the phone and you would have the password to the account.

On T-Mobile phones, you can dial #NUM# then hit Send and the handset will display its assigned number.

Other fun commands that work the same way on most T-Mobile phones include:

#MIN# - Voice Minutes Balance
#BAL# - Account Balance
#NUM# - Display Phone Number
#MSG# - Show Text Messages Used
#PWD# - Reset the Voice Mail Password

One interesting thing to note is that many new smart phones have web browsers and Internet access.

Theoretically, you could use the web browser on the phone to go to the T-Mobile or Cingular site and request your lost password.  A couple of seconds later you'd get the text message with the password.  This could all be done quickly with the victim's own phone.  I tried this with my T-Mobile Sidekick II and from the time when I picked up the phone and used the Sidekick's web browser to request the password to when I had my account password in my text message inbox was less than two minutes, using only the Sidekick II itself.

This is quite scary when you think about it.  Pretend you are a stalker.  You can now just steal someone's phone and probably learn where they live (via account billing address).

You could also probably obtain their home phone numbers and email addresses.  You could be really sneaky and just steal the phone's SIM card, since the victim probably wouldn't even notice for a while, leaving you to put the SIM card in another phone in the privacy of your own home and request the password information at your leisure.

Think about how many times you've seen someone showing off how cool their expensive new phone is.  Usually they are more than willing to let someone look at it for a couple of minutes if asked.  They might never know how they may be putting their data and account information at risk.

You could be nosy and ask to borrow someone's T-Mobile phone and, while pretending to make a call, check their minutes used and their account balance or maybe even reset their voice mail password and listen to their voice mail.

The root cause of this data insecurity is that T-Mobile and Cingular have their systems set up to only rely on physical possession of a phone or SIM card to prove the account owner's identification.  All other providers require either the knowledge of a unique User ID (that is different from the account phone number) or answers to security questions before they use email to send lost passwords.
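
For contrast with the SMS-the-password flow described above, here is a sketch of a recovery flow that does not treat possession of the handset as proof of identity.  It is an added example, not code from either provider, and it goes a step beyond the article by mailing a single-use, expiring reset token instead of the stored password.  The Account fields, the function names, the sample user ID and the 15-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def _digest(value, salt):
    # Salted, slow hash so answers and tokens are never stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class Account:
    def __init__(self, phone, user_id, email, security_answer):
        self.phone, self.user_id, self.email = phone, user_id, email
        self.salt = secrets.token_bytes(16)
        self.answer_hash = _digest(security_answer.strip().lower(), self.salt)
        self.reset = None  # (token_hash, expiry) while a reset is pending


def request_reset(accounts, user_id, security_answer, outbox, now=None):
    """Issue a reset only for a valid user ID plus a correct security answer."""
    now = time.time() if now is None else now
    acct = accounts.get(user_id)  # keyed by user ID, not by phone number
    if acct is None:
        return False
    supplied = _digest(security_answer.strip().lower(), acct.salt)
    if not hmac.compare_digest(supplied, acct.answer_hash):
        return False
    token = secrets.token_urlsafe(32)
    acct.reset = (_digest(token, acct.salt), now + RESET_TTL)
    # The token goes to the email on file; the handset gets a notice, no secret.
    outbox.append(("email", acct.email, token))
    outbox.append(("sms", acct.phone, "A password reset was requested."))
    return True


def redeem_reset(acct, token, now=None):
    """True only once per token and only before it expires."""
    now = time.time() if now is None else now
    if acct.reset is None:
        return False
    token_hash, expiry = acct.reset
    ok = now <= expiry and hmac.compare_digest(_digest(token, acct.salt), token_hash)
    if ok:
        acct.reset = None  # single use
    return ok
```

Someone holding only the phone learns that a reset was requested, which also alerts the owner if the phone is still in their hands, but never sees the password or the token.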

Until their system is changed, T-Mobile and Cingular customer data can be at risk.  I would recommend T-Mobile and Cingular customers protect themselves by using a locking key guard with a pass code.

Most phones have these.  It requires a password before the phone's functions are able to be accessed.  This simple step would stop someone from picking up your phone and using it without your knowledge.

I would also be very careful who you let use your phone and be very observant when you do let someone use it.  Sending email to T-Mobile and Cingular and blasting them for putting your information at risk might help nudge them into fixing the insecurity of their systems.

A more extreme solution would be to simply switch service providers.  Until these companies change their systems to make them more secure, users should stay vigilant and change their account passwords on a regular basis.
