Slashdot Mirror


More Holes Found in T-Mobile Website

mogwhat writes "Even though T-Mobile's website was decisively hacked into over a year ago by now (in)famous cracker Nick Jacobsen, a blog posting by computer security expert Jack Koziol details many serious security holes in various T-Mobile websites. You would think that T-Mobile would have paid attention the first time? Time to get a new cell phone provider!"


  1. Can you pwn me now? by Tackhead · · Score: 5, Funny
    Can you pwn me now?
    Can you pw*404*

    Aaw crap. I guess he could.

  2. Don't get it... by numLocked · · Score: 4, Insightful

    I just find myself not caring. Great, another company has an insecure website. Can someone explain why this is a big deal?

    1. Re:Don't get it... by generationxyu · · Score: 5, Informative

      The issue is that when Nick Jacobson owned T-Mobile's website, he used that to gain access to their entire network -- every picture sent or received, every text message, possibly even phone calls. He owned a good portion of the company.

      --
      I mod down pyramid schemes in sigs.
  3. Tmobile SUX by JhohannaVH · · Score: 4, Insightful

    Now the question is how the hell we get our company to switch after moving alllll of our crackberries to T-Mobile, and we are constantly having issues.
    And with all of this privacy concern, what kind of liability does that put T-Mobile at when sensitive market data can be compromised? *SCARY*

    --
    Sorry man... the Internet pooped on me.
    1. Re:Tmobile SUX by medication · · Score: 3, Informative

      If sensitive market data is being sent via email your provider is the least of your worries. Email is an inherently insecure form of information transfer (without encryption). In addition to that I can't imagine that T-Mobile doesn't have something in their contract legalese that explicitly says that they are not responsible for the security of email passed through their systems.

      --
      "If you're flammable and have legs, you are never blocking a fire exit." - Mitch Hedberg
  4. Ah well... by Gangis · · Score: 3, Informative

    I wish I could switch to a provider that protects their "secured" website better than T-Mobile but they're the only company that provides the Sidekick II in the United States. And I can't really use other phones because of my hearing disability.

    I hate the feeling of being trapped to one provider because they have something the others don't, even though they treat their customers like complete and utter shit. T-Mobile customer service leaves quite a lot to be desired.

    --
    "Black holes are where God divided by zero." - Steve Wright
  5. Just wondering... by hollismb · · Score: 5, Insightful

    Why is it that every time a Slashdot news story gets posted, a ridiculously inane comment or question has to be appended to the actual news item?

    Could this be the lamest thing ever?

    1. Re:Just wondering... by Rosco+P.+Coltrane · · Score: 3, Informative

      Insightful my hiney. I read the front page right now, i.e. 14 blurbs, and I count 2 that end with a question, one of them being the one you complain about, and the other being a valid question imho.

      This said, I agree that the questions are sometimes lame (like this one). Probably submitters feel compelled to leave the blurb open-ended to start the thread of discussion, out of fear of seeing the "important news" fall flat on its face, and it sometimes really is quite annoying.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. Umm... by suwain_2 · · Score: 4, Insightful

    Time to get a new cell phone provider!

    Because of their website?

    I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
    1. Re:Umm... by m50d · · Score: 5, Insightful

      No, but the guy who hired him (or the guy who hired that guy, or so on up the chain), and didn't do something about it when he failed the first time, is the same guy who hired the guy who runs your telephone network, and is responsible for ensuring he does a good job. Still feel happy using them?

      --
      I am trolling
    2. Re:Umm... by Rosco+P.+Coltrane · · Score: 2, Insightful

      Because of their website?

      I'm willing to bet that the guy in charge of coding the backend for their site is not the same guy setting up the telephone network.


      Yes, but one could argue that a website is like a logo, or a sales sheet, or a press kit: it's what represents the values the companies want to convey across, and if they suck, there's a strong hint that the rest of the company may suck too. It's not always true though, as Microsoft, its shiny frontpage and not-so-good OS demonstrates, but more often than not you can trust the first impression a company leaves you. Which is why said companies pay designers and PR folks big bucks to look good incidentally.

      Having said that, it's a phone company, so you can bet they're stinking bad regardless :-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  7. Attention All TMobile Customers by elzbal · · Score: 5, Insightful

    TMobile Customers should let TMobile know that we care about security issues on their website, and that we consider this to be very important for our continued relationship with them!

  8. Not little known by Rosco+P.+Coltrane · · Score: 4, Informative

    little known, but the Secret Service have jurisdiction over counterfeiting crimes

    It's not a little known fact amongst people who follow the hacking/cracking/phreaking/carding scene, even loosely. Read the excellent book The Hacker Crackdown by Bruce Sterling for an informative account of what the SS does (and also does spectacularly wrong).

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. Phone Company's by Fox_1 · · Score: 5, Informative

    Traditional Landline companies take customer privacy very seriously (at least the ones I worked for) but the new technologies - Mobility, cell, internet divisions/companies always seemed to be playing fast and loose with phone company policy. Very frustrating from the landline side of the house. Not that the landline divisions are much more secure but at least they generally have the right attitude to security.

    --
    The rock, the vulture, and the chain
  10. Security as PR, not as security by Sunrun · · Score: 5, Insightful

    From the latest CryptoGram by Bruce Schneier:

    "T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."

    And I seriously doubt if the treatment of security would be or is any better from any of the other cellular carriers.


    - SR

    --
    "God is a comedian playing to an audience too afraid to laugh." -- Voltaire
  11. Time to change the provider? by Anonymous Coward · · Score: 2, Funny

    But I just finished compiling my embedded Gentoo for it!

  12. Obscured Security by Doc+Ruby · · Score: 4, Interesting

    How do we know that Verizon, Sprint, AT&T or others are safe? T-Mobile should get hit with the liability for the identities of their violated customers, which would force them to tap their business liability insurance. That would force the other telcos' insurance companies to force audits of them. We still wouldn't know whether we were protected, but it would be more likely. If a T-Mobile liability suit could find that T-Mobile violated its own published privacy policy, and held it accountable, that might force the other telcos down the same road, of honoring their own privacy policies. The same goes, of course, for all other personal info cachers, with their own toothless privacy policies. Until there's some serious consequences for lying about these responsibilities rather than backing them up, it's all wide open.

    --
    make install -not war

  13. Time to get a new cell phone provider? by Daedala · · Score: 4, Insightful

    The problem is that there's no point [for Americans; there may be for people in other countries]. What, exactly, is getting a new cell phone provider going to do for you? It will punish T-mobile for not being careful with your data, which is deserved. But will it protect your data? Not really. Oh, if you use their data services you might prevent some eavesdropping or picture-stealing...or might not. T-Mobile got caught, but that doesn't mean the other services aren't having problems.

    But it won't protect your personal data. That is out of your hands and has been for the last thirty years or so. Your personal information has already been given away or sold by ChoicePoint, the government, the credit bureaus, and everyone else. Your only option is to assume it's gone, check your credit report regularly, and hope someone isn't using your social security number. Identity theft isn't something you can do anything to prevent. You can only catch it in time, and then hope you can fix it. Despite all the rosy stories about how after 300 hours of work people managed to clear their names, there are real stories of people who don't get their money and credit ratings back. There simply haven't been any solid studies one way or the other -- it's all anecdotal.

    No, I'm not fucking bitter at all.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  14. netcraft by millahtime · · Score: 4, Informative

    According to Netcraft they are running Win 2k for the server.

  15. Re:Rant about T Mobile by adpe · · Score: 5, Informative

    T-Mobile is a German company. Originally it was called "Telekom" which is short for "Telecommunication", then they split up their departments into T-Com (responsible for telephone services), T-Online (ISP services), T-Systems (business solutions) and T-Mobile (mobile communication). They just kept the name when buying themselves into the US market.

  16. ASP or Java? by progbuc · · Score: 4, Informative

    The article says the site uses ASP, but that error message at the end sure looks like a Java stack trace to me.

    --
    Go ahead and waste your life with your inhibitions, just don't ruin other people's lives with your intolerances.
    1. Re:ASP or Java? by FerretFrottage · · Score: 2, Interesting

      Could be both. One part of the website may run using ASP (my.t-mobile.com) and another part looks to be using servlets (support.t-mobile.com) at least somewhere for some function(s). In fact the my.t-mobile.com source indicates that its coding language is C#.

      --
      "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  17. lesson number 2 of 4556832554 by L1nux_L0ser83 · · Score: 5, Funny

    Let's see, your network is so insecure that someone hacks into it using government accounts and steals private information from your company.

    Do you...
    a) tighten your security on your network so it doesn't happen again

    b) apologize and place it on your "things to do" list or

    c) don't change a damn thing but pay Snoop Dogg and company mega bucks to advertise your new Sidekick II?

    If you're T-Mobile then c is the correct answer!

    --
    Good Karma, Bad Karma, doesn't matter to me... I'm still going to say what's on my mind!
  18. T-Mobile by ectotherm · · Score: 3, Funny

    Get More... Of other people's data... ;)

    --
    "Nature bats last..."
  19. Well... by Blue-Footed+Boobie · · Score: 2, Insightful
    Anyone that is using a Cellphone and expecting a secure and private communication is seriously deluding themselves.

    Sure pwning the network through their website doesn't help but you shouldn't be talking company secrets over a cell (for example) and not expecting someone, somewhere, to be able to hear you.

    --
    DAMN YOU OCTODOG! DAMN YOU TO HELL!
  20. Re:Cell is already insecure by kevinbr · · Score: 5, Interesting

    T-Mobile use GSM.

    Soooooo........how does your digital scanner break the encryption?

    Encryption in the GSM network utilizes a Challenge/Response mechanism.

    The Mobile Station (MS) signs into the network.
    The Mobile Services Switching Center (MSC) requests 5 triples from the Home Location Register (HLR).
    The Home Location Register creates five triples utilizing the A8 algorithm. These five triples each contain:
    A 128-bit random challenge (RAND)
    A 32-bit matching Signed Response (SRES)
    A 64-bit ciphering key used as a Session Key (Kc).

    The Home Location Register sends the Mobile Services Switching Center the five triples.
    The Mobile Services Switching Center sends the random challenge from the first triple to the Base Transceiver Station (BTS).
    The Base Transceiver Station sends the random challenge from the first triple to the Mobile Station.
    The Mobile Station receives the random challenge from the Base Transceiver Station and encrypts it with the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station utilizing the A3 algorithm.
    The Mobile Station sends the Signed Response to the Base Transceiver Station.
    The Base Transceiver Station sends the Signed Response to the Mobile Services Switching Center.
    The Mobile Services Switching Center verifies the Signed Response.
    The Mobile Station generates a Session Key (Kc) utilizing the A8 algorithm, the Individual Subscriber Authentication Key (Ki) assigned to the Mobile Station, and the random challenge received from the Base Transceiver Station.
    The Mobile Station sends the Session Key (Kc) to the Base Transceiver Station.
    The Mobile Services Switching Center sends the Session Key (Kc) to the Base Transceiver Station.
    The Base Transceiver Station receives the Session Key (Kc) from the Mobile Services Switching Center.
    The Base Transceiver Station receives the Session Key (Kc) from the Mobile Station.
    The Base Transceiver Station verifies the Session Keys from the Mobile Station and the Mobile Services Switching Center.
    The A5 algorithm is initialized with the Session Key (Kc) and the number of the frame to be encrypted.
    Over-the-air communication channel between the Mobile Station and Base Transceiver Station can now be encrypted utilizing the A5 algorithm.
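
An added example, not part of the comment above and not operator code: the triple-based challenge/response it describes, reduced to the HLR, MSC and SIM roles. HMAC-SHA-256 stands in for the operator's A3/A8 algorithms, and the class names, the 128-bit Ki and the test IMSI are assumptions; in this sketch Kc is derived separately at each end and never transmitted.

```python
import hashlib
import hmac
import secrets

def _prf(ki, label, rand, n):
    # Assumption: HMAC-SHA-256, truncated, as a stand-in for the real A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]

def a3(ki, rand):
    return _prf(ki, b"A3", rand, 4)    # 32-bit Signed Response (SRES)

def a8(ki, rand):
    return _prf(ki, b"A8", rand, 8)    # 64-bit session key (Kc)

class HLR:
    """Holds each subscriber's Ki and issues (RAND, SRES, Kc) triples."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]          # written to the SIM once, at issue

    def triples(self, imsi, count=5):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]  # 128-bit RAND
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]

class SIM:
    def __init__(self, ki):
        self._ki = ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)

class MSC:
    """Never sees Ki: it consumes one triple per authentication attempt."""
    def __init__(self, hlr):
        self.hlr, self.queue, self.pending = hlr, {}, {}

    def challenge(self, imsi):
        if not self.queue.get(imsi):   # out of triples: fetch five more
            self.queue[imsi] = self.hlr.triples(imsi)
        rand, sres, kc = self.queue[imsi].pop(0)
        self.pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):
        expected, kc = self.pending.pop(imsi, (b"", None))
        return kc if hmac.compare_digest(expected, sres) else None

def authenticate(msc, imsi, sim):
    rand = msc.challenge(imsi)
    sres, kc_handset = sim.respond(rand)
    kc_network = msc.verify(imsi, sres)
    return kc_network is not None and kc_network == kc_handset

def demo():
    hlr = HLR()
    msc = MSC(hlr)
    imsi = "001010000000001"                   # constructed test IMSI
    genuine = SIM(hlr.provision(imsi))
    wrong_ki = SIM(secrets.token_bytes(16))    # SIM that lacks the real Ki
    ok = authenticate(msc, imsi, genuine)
    bad = authenticate(msc, imsi, wrong_ki)
    old_sres, _ = genuine.respond(msc.challenge(imsi))
    msc.verify(imsi, old_sres)                 # triple consumed here
    msc.challenge(imsi)                        # fresh RAND for the next attempt
    replay = msc.verify(imsi, old_sres) is not None
    return ok, bad, replay
```

Because each RAND is used once, a response captured from an earlier challenge does not satisfy the next one.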

  21. So? by Storlek · · Score: 3, Insightful

    We can make the login page say "I like cheese" and cause server errors. Wee. These aren't holes so much as simple bugs, unless someone can point to a definite way to, say, log in as any user without a password, or get a list of account numbers, or something besides making the login form display some silly phrase.

    Another statement the article makes is that the text bug "could be used in a phishing attack on T-Mobile customers, especially if you hex encoded portions of the URL." How? Wouldn't any phishing attack involve making the form submit to some place besides the official website? Doing so much as trying to insert an HTML tag produces a server error (which, I'm guessing, is intentional), so it wouldn't even be possible to close the form and open a new one in its place that submits to a rogue site.

    --
    Bears don't normally eat things that talk and move backwards.
  22. It's Worse than you think.... by Anonymous Coward · · Score: 4, Interesting

    So I'm sitting in a doughnut shop near Grand Ave in Oakland and there is apparently a T-Mobile store next door. Not knowing this at the time I turn on my wireless to see if I can score some free internet...and I get an open connection. After my internetting is done I peek at Network neighborhood (because I'm always curious to see *how* open someone's internet connection is) and Voila! I get direct access to the T-mobile store's *two* servers next door. OK, it wasn't exactly direct. (I had to use my enormous hacking skills to put in a username of "Administrator" with a *blank* password when I tried to connect to the server). Bingo - direct access to ALL T-mobile business info *including* completed and pending credit info.

    This is not a troll or a joke - it really happened. I *like* T-mobile's phones...but their lack of security (well at least that one store's security anyway) scares me.

    1. Re:It's Worse than you think.... by merdaccia · · Score: 2, Informative

      [Disclaimer: Slightly off topic].

      I *like* T-mobile's phones...

      Err, T-Mobile doesn't make phones. Since you can get any phone T-Mobile offers from online retailers, their phones shouldn't really influence your choice of provider. Unless you're willing to get roped into a contract for the sake of saving a hundred bucks on a phone. It's often not worth it. There are very good sites online to buy unbranded GSM phones, such as ustronics.com, mobilecityonline.com, and expansys.com to name a few. And good review sites, such as gsmarena.com.

      Personally, I'm getting as far away from T-Mobile as possible when my contract expires next month. Don't get me wrong, they have some very good plans and most times their customer service is wonderful. But their signal is horrific (I'm in the DC metropolitan area), and they've recently started charging for international messages. When I complained about the latter, I was told that it was not a contract violation on their part (which it is), and that I was duly informed, which I was not. So customer service is wonderful if they agree with you, and call you a liar if you're not.

      For the same money, I'd rather have reception. Given the AT&T and Cingular merger, especially with free mobile-to-mobile minutes and the latter's rollover plans, T-Mobile just got some very stiff competition that I doubt they can face. Add this bad publicity for security, and I think they're in over their heads.

      --

      *blinking cursor*

  23. Credit Card Numbers? by spud603 · · Score: 2, Interesting

    A couple of days ago some ne'er-do-well got a hold of my credit card number and started buying Italian airline tickets with it. Fortunately, my credit card company noticed and gave me a call.
    T-mobile is about the only website I give my credit card number to. Could their weak system be the culprit? I don't know enough about hacking to know if this is possible, but it seems like quite a coincidence...

  24. Lots of reasons it sucks. by Colol · · Score: 2, Informative

    Numerous reasons the US wireless telecom industry sucks.

    The main reason for what you're seeing, though, is that unlike Europe, we have several competing standards. GSM is finally starting to spread, but additional standards are still common.

    So 1: your phone has to match your network standard. If you're not using a GSM provider, you're pretty much left with nowhere but the provider (or an authorized reseller, which just sells the same phones anyway) to buy a phone. And even if you could buy a phone elsewhere for a non-GSM network, it would still have to be programmed by your provider to work.

    1a: Not all GSM providers are using the same frequency. And in the case of Cingular, they're not even always using the same frequency across their entire service area.

    2: Providers are all over exclusivity contracts. Cingular, for example, is the only provider that can offer the Motorola RAZR V3. When Cingular merged with AT&T, Sony-Ericsson phones mysteriously disappeared from the other providers. In some cases, the manufacturer is still able to offer the phone unlocked and without activation to the general public. But...

    3: Unlocked phone prices are outrageous. The US providers heavily subsidize the phones they sell (and SIM lock them). Without activation, the RAZR V3 is $600. With activation, it's $260. Prices for other phones are similarly disparate. Nokia's N-Gage runs $200 unlocked. Up until recently, you could get it for between $0 and -$150 (you made $150 by buying the phone) if you shopped around and signed into a new contract. And all this is assuming you can find a handset that's offered unlocked and without a plan. Most models simply aren't available that way. (For reference, the cheapest handset Nokia offers here "handset only" is $130.)

    You buy the phone, you pay for the service, and unless you want to hemorrhage at the wallet, you select from the phones offered by your provider.

    I and many others wish the wireless here was more like it is in Europe, but we're damn well screwed in the mean time.