March 6th, 2004


security with Sprint

A couple of weeks ago, I called Sprint customer service from my Sprint cell phone to ask for help with something (I couldn't get Internet services; it turned out their network had been partly down on the East Coast for a while). The service rep who answered asked me for my cell phone number, which I gave him. Then he asked me for my password. I assumed he meant my telephone customer account code, the one I'd given them to verify my identity when calling in. Actually, I didn't remember if I'd done that with Sprint, but I assumed they ask everyone to do that, and I knew what code I would have given them, so I gave him that code. He typed for a few seconds and then told me:
"That's not your password, but I do recognize that as your account code. Your password is XXXXXXX [not the actual password]."
The password he had just read off to me over the phone is the password I use to log in to the Sprint web site. From that account, I can view my bills and change my service options, and it's linked to my bank account to let me pay bills online. I was not happy. I told him so.

We had a short conversation about the security implications of reading off people's passwords to them over the phone, especially over a cell phone, and about customer service using the same password as people use to log into their Sprint web accounts that are linked to their bank accounts. I asked him to pass my complaint on, after I explained it to him. Then I was ready to move on to the reason I had called, so I asked him to continue.

The next thing he asked me:
"What is the email address that you use as your username?"

(Sprint's online system uses an email address as the login username, and I use a sprint-specific email address there that I don't use for any other purpose.)