It was not a good week for telecommunications companies: security researchers uncovered vulnerabilities in AT&T, Sprint, and T-Mobile systems that made customer information accessible to bad actors.
Yesterday, BuzzFeed News reported two vulnerabilities that exposed AT&T and T-Mobile customer information. In the case of T-Mobile, a "technical error" between Apple's online storefront and T-Mobile's account verification API allowed an unlimited number of attempts on an online form, so an attacker could use readily available guessing tools to work through possible account numbers or the last four digits of a customer's Social Security number, a so-called brute-force attack.
A similar problem affected the phone insurance company Asurion and its AT&T customers. An online claim form let anyone who knew a customer's phone number reach a form on which they could repeatedly guess the customer's passcode, exposing customers to another brute-force attack.
In both cases, the companies fixed the vulnerabilities after BuzzFeed News contacted them.
In another case this weekend, TechCrunch reported that a security researcher was able to access an internal Sprint employee portal because it was protected by "weak, easy-to-use usernames and passwords" and no two-factor authentication. Once logged in, it was reportedly possible to view customer account information for Sprint, Boost Mobile, and Virgin Mobile. The researcher also reported that anyone with that access could make changes to customer accounts and that customer PINs could be brute-forced. A Sprint spokesperson confirmed the vulnerability to TechCrunch, said the company believed no customers were affected, and noted that it was working to fix the issue.
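The common weakness in the T-Mobile, Asurion and Sprint cases above is a verification form that accepts an unlimited number of guesses at a short secret such as a four-digit passcode. The following is an added example, not code from any of the companies or reports mentioned, of the per-account attempt limit and lockout that closes that gap; the policy values (five attempts, 15-minute lockout) and the sample account are assumptions.

```python
import hmac
import time
from collections import defaultdict

class VerificationGate:
    """Checks a short secret (e.g. a 4-digit passcode) per account identifier and
    locks the identifier after repeated failures. Policy values are assumptions."""

    def __init__(self, secrets, max_attempts=5, lockout=900, clock=time.monotonic):
        self._secrets = secrets            # identifier -> expected value (constructed data)
        self._failures = defaultdict(int)  # consecutive failures per identifier
        self._locked_until = {}            # identifier -> clock time the lock expires
        self.max_attempts = max_attempts   # assumed policy: lock after 5 failures
        self.lockout = lockout             # seconds; 900 = 15 minutes (assumed policy)
        self._clock = clock                # injectable so the lockout can be tested

    def verify(self, identifier, guess):
        """Return 'ok', 'denied' or 'locked'. Unknown identifiers are treated like
        wrong guesses so the response does not reveal whether an account exists."""
        now = self._clock()
        if self._locked_until.get(identifier, 0) > now:
            return "locked"
        expected = self._secrets.get(identifier, "")
        # Constant-time comparison: response time must not depend on how many digits match.
        if expected and hmac.compare_digest(expected.encode(), str(guess).encode()):
            self._failures.pop(identifier, None)
            return "ok"
        self._failures[identifier] += 1
        if self._failures[identifier] >= self.max_attempts:
            self._failures.pop(identifier, None)
            self._locked_until[identifier] = now + self.lockout
            return "locked"
        return "denied"

def guesses_until_stopped(gate, identifier):
    """Test harness: submit every 4-digit value in order until the gate accepts one
    or locks the identifier. Returns (outcome, number_of_attempts). Without a limit
    the whole 10,000-value space is reachable; with one, only max_attempts guesses are."""
    for n in range(10_000):
        outcome = gate.verify(identifier, f"{n:04d}")
        if outcome in ("ok", "locked"):
            return outcome, n + 1
    return "exhausted", 10_000

if __name__ == "__main__":
    accounts = {"555-0100": "9876"}  # constructed sample account
    print(guesses_until_stopped(VerificationGate(accounts), "555-0100"))                      # ('locked', 5)
    print(guesses_until_stopped(VerificationGate(accounts, max_attempts=10**9), "555-0100"))  # ('ok', 9877)
```

In production the failure counters would live in shared storage, and a per-source limit would sit alongside the per-account one so that the lockout itself cannot be used to keep legitimate customers out.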
It should be noted that a vulnerability does not necessarily mean a breach has occurred, but it is vulnerabilities like these that let malicious actors get into a system and misuse the customer data they find there. These systems are inevitably complicated: companies like AT&T, Sprint and T-Mobile need to balance access for the employees who do their jobs with access for the customers who need to reach their own information. But given the damage a malicious actor can do with the huge amounts of data these companies hold, it's clear they need to be proactive in protecting their customers.