T-Mobile's web security

It made all the websites yesterday that Paris Hilton’s T-Mobile Sidekick got hacked leading to a public viewing of her cell phone pictures (some on the pornographic side) and hundreds of crank phone calls to famous people who had the misfortune of being in her address book.

I remember the first time this happened it led to an amusing sound bite:

“It became obvious to her what was going on. She was pretty upset about it. It’s one thing to have people looking at your sex tapes, but having people reading your personal e-mails1 is a real invasion of privacy.”

But since I work for a company whose whole business is managing people’s customer data, I am more curious about the security hole that lead to the hack. The first articles implied that it was part of a general hacking of T-Mobile, but the real answer was so absurd that I thought it was insane. The article claims that someone guessed her security answer: “Favorite Pet Name”.

Unfortunately, I have T-Mobile and decided to test it out on myself. Sure enough, once you know my mobile phone it was fairly easy to use the interface to change my password and hack my account.

Now you could say this makes me as dumb as Paris, but what people aren’t considering here is that this is a flaw in T-Mobile’s web site security. Security answers are designed to be easily guessable. Huh? Try to think back to the last time you forgot a password to the website. You easily recalled your pet’s favorite name and it mailed to your primary e-mail address the password (or, better yet, some unique URL to a secure website to change your password), the web interface did not allow you to directly change your password once you recall your answer to the security question. Why do you think the security questions are usually fixed the the first place?

A lot of people confuse passwords (hard to guess) with security questions (easy to recall reliably). If you were one of them, don’t worry, you are in good company.

But T-Mobile doesn’t have my primary e-mail. If T-Mobile didn’t, then they should have asked for it when I registered or they should have sent your password via SMS. This hack occurred because security and privacy at T-Mobile is not a concern. Instead they mistakingly implement something that looks secure without thinking about how it is secure—it is close enough to the usual “affordance” to fool me when I set up my account last year. The appearance of security made things far less secure.

Perhaps Paris Hilton is as stupid and irresponsible as others are implying, but the stupidity and irresponsiblility lies in T-Mobile’s internet division.

1 That time it was her voicemail and not her e-mail. T-Mobile allows you to access your voice mail without a password if you come in from your mobile phone. I found out today that it is pretty easy to forge where a mobile phone CallerID and sneak into other people’s voicemail. Read the article to protect yourself. Just another example of how T-Mobile values your privacy.

Update: Added links to Brian McWilliams and Bruce Schneier’s weblog entries.

Update: Added T-Mobile Voice Mail hacking article.

One thought on “T-Mobile's web security

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.