Sprint Security: Flawed Thinking

radiorange · EVDO User Joined: 28 Jun 2005 Posts: 52

Sprint Security Problem

This is a heads up on flawed thinking by Sprint regarding the security of personal info.

I recently requested that a discount be applied to my Sprint account. The discount was available because of my membership in a credit union.

Sprint required an email address to accomplish this. Why an email address is required I don't know. I faxed all the required info to a specific employee in the Sprint store where I had initially seen the sign offering the discount to credit union members.

I received an email sometime later confirming that the discount had been applied. This email contained:

-- my Sprint account #
-- my Sprint (voice) phone #
-- the name of the financial institution
-- my valid email address

I noticed that the email had 2 email addresses in the TO: field: mine and the 2nd email address.

The 2nd email address was not mine and not Sprint's.

In the body of the message the 2nd email address was listed as the customer's (my) email address.

Wondering why this information was going to someone other than me, I called Sprint. Thus began the usual Sprint nightmare.

I called Sprint and wasted my time with Sprint customer non-service, which eventually passed me on to the fraud department. This took about two hours and they determined there was no fraud.

Fraud explained it this way:

-- the agent needed an email address to apply the discount
-- the agent created a "bogus" email address

I was not satisfied with this flawed logic, so I poked around and finally got a number to the media relations person. I sent him info via email and got a call from a guy in corporate security.

The security guy told me:

-- that he had talked with the employee
-- there was no ill-intent on the part of the employee
-- that the employee needed an email address to apply the discount so he made one up
-- that the domain name in the email address and the email address were "fictitious"

When I asked how he knew both were fictitious he said the employee just made them up.

Well, while I was on hold for 47 minutes during one of early calls, I had already done the following:

-- WHOIS lookup on the domain name; it existed
-- trace route on the domain name; it was hosted
-- http request to the domain name; it responded

No less than 3 Sprint people -- including the corporate security guy -- were operating on the logic that if it is "bogus" or "fictitious" in the mind, that it is "bogus" or "fictitious" in cyberspace. Not!

Plus, the story doesn't even make sense because when I faxed the info to the guy at the Sprint store, it had my email address, so there was no need to make up a "bogus" email address.

Further, I was told that the employee used his own name "Jon" in the email address. I faxed my info to "David".

So, there are three important issues here for Sprint customers:

1. Sprint using non-customer email addresses
2. Sprint adopting flawed thinking about what is bogus or not
3. Sprint corporate security failing to properly investigate (eg, saying that the employee needed to create a "bogus" email address when in fact there was no need to create such)

jackrodgers · EVDO Addict Joined: 23 Mar 2006 Posts: 1131

I design databases for a living. One thing I have learned is that the person using the system is seldom well trained and most likely not very experienced. Sprint seems to have a very high employee turnover.

The more I move up the ladder with the companies management, the more I come to understand the devastating truth of the Peter Principle: everyone gets promoted because of their skills until they reach a point where they are incompetent.

I would like to introduce the IndigoKid principle: People expect perfection from the imperfect and that they expectations will be met even if those expectations are unrealistic. Almost always they cannot understand why the world does not function according to their expectations.

deparson · EVDO Junkie Joined: 30 Aug 2006 Posts: 248

Send an email to the other address and ask them if they received a copy of the email in question from Sprint.

If it bounces, etc, you don't have to worry. If they reply then you know it was received.

But, I don't think it is a huge deal. It did not include any password, address, or similar data right?