Slashdot Mirror


More Holes Found in T-Mobile Website

mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"

13 of 183 comments

  1. Don't get it... by numLocked · · Score: 4, Insightful

    I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?

  2. Tmobile SUX by JhohannaVH · · Score: 4, Insightful

    Now the question is how the hell we get our company to switch after moving alllll of our crackberries to T-Mobile, and we are constantly having issues.
    And with all of this privacy concern, what kind of liability does that put T-Mobile at when sensitive market data can be compromised? *SCARY*

    --
    Sorry man... the Internet pooped on me.
  3. Just wondering... by hollismb · · Score: 5, Insightful

    Why is it that every time a Slashdot news story gets posted, a ridiculously inane comment or question has to be appended to the actual news item?

    Could this be the lamest thing ever?

    1. Re:Just wondering... by Short+Circuit · · Score: 1, Insightful

      It's the Slashdot way. Typically, people who submit comments would like to give a little initial direction to discussion. If the submitter doesn't add a question, the editor usually does.

      Though if the submitter does append a question, the editor occasionally gives his own answer, or a link to some additional information he googled up before the story went live.

  4. Umm... by suwain_2 · · Score: 4, Insightful

    "Time to get a new cell phone provider!"

    Because of their website?

    I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
    1. Re:Umm... by m50d · · Score: 5, Insightful

      No, but the guy who hired him (or the guy who hired that guy, or so on up the chain), and didn't do something about it when he failed the first time, is the same guy who hired the guy who runs your telephone network, and is responsible for ensuring he does a good job. Still feel happy using them?

      --
      I am trolling
    2. Re:Umm... by Rosco+P.+Coltrane · · Score: 2, Insightful

      "Because of their website?

      I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network."


      Yes, but one could argue that a website is like a logo, or a sales sheet, or a press kit: it's what represents the values the companies want to convey across, and if they suck, there's a strong hint that the rest of the company may suck too. It's not always true though, as Microsoft, its shiny frontpage and not-so-good OS demonstrates, but more often than not you can trust the first impression a company leaves you. Which is why said companies pay designers and PR folks big bucks to look good incidentally.

      Having said that, it's a phone company, so you can bet they're stinking bad regardless :-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Attention All TMobile Customers by elzbal · · Score: 5, Insightful

    TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!

  6. Security as PR, not as security by Sunrun · · Score: 5, Insightful

    From the latest CryptoGram by Bruce Schneier:

    "T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."

    And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.


    - SR

    --
    "God is a comedian playing to an audience too afraid to laugh." -- Voltaire
  7. Time to get a new cell phone provider? by Daedala · · Score: 4, Insightful

    The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-Mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.

    But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.

    No, I'm not fucking bitter at all.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  8. Well... by Blue-Footed+Boobie · · Score: 2, Insightful
    Anyone that is using a Cellphone and expecting a secure and private communication is seriously deluding themselves.

    Sure pwning the network through their website doesn't help but you shouldn't be talking company secrets over a cell (for example) and not expecting someone, somewhere, to be able to hear you.

    --
    DAMN YOU OCTODOG! DAMN YOU TO HELL!
  9. So? by Storlek · · Score: 3, Insightful

    We can make the login page say "I like cheese" and cause server errors. Wee. These aren't holes so much as simple bugs, unless someone can point to a definite way to, say, log in as any user without a password, or get a list of account numbers, or something besides making the login form display some silly phrase.

    Another statement the article makes is that the text bug "could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL." How? Wouldn't any phishing attack involve making the form submit to some place besides the official website? Doing so much as trying to insert an HTML tag produces a server error (which, I'm guessing, is intentional), so it wouldn't even be possible to close the form and open a new one in its place that submits to a rogue site.

    --
    Bears don't normally eat things that talk and move backwards.
  10. Preventing Identity Theft by Anonymous Coward · · Score: 1, Insightful
    "Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it."
    I disagree. Creating laws that penalize companies for not properly authenticating identities would go a long ways towards eliminating identity theft. As it stands today, if a company screws up and creates accounts for someone else in your name, you must bear the cost of the cleanup. If the company had to bear the cost for their own mistake, identity theft would disappear overnight.

    We'll never see this happen in the U.S. though because it will cost companies money.