David Berlind's Reality Check
By David Berlind
June 8, 2004
Having often reported on issues relating to how easy it is to violate a consumer's privacy and the lengths to which enterprises must go to ensure the privacy of all of their constituents (customers, employees, stockholders, etc), I perked up when ZDNet reader Kevin Priester alerted me to a rather astonishing flaw in Cingular's newly launched online account management system. In an e-mail to me, Priester wrote, "I figured you might like this. Cingular has now implemented a new feature on their site that will allow you to look up basic account information with only a cell number and a zip code." That, by itself, is of course a privacy violation. But it gets worse. Kevin's note went on to say, "Once you find that basic account information, if the account holder has ever paid on Cingular.com you can pay their bill for them using their Credit Card or bank account. You can also pay their bill with their funds and as much of their funds as you would like." Later, via telephone, Priester informed me that the same security hole was available for exploitation via Cingular's telephone-based interactive voice response (IVR) system through 1-866-CINGULAR.
To help readers visualize the problem, this story links to several screen images that demonstrate how easy it was to do as Kevin says: execute a fraudulent transaction on Cingular's Web site using a credit card. [Editor's Note: Since being notified of the problem late yesterday (June 8th), company spokesperson Tony Carter issued the following comment: "Cingular Wireless recently implemented some trial improvements on its customer facing Web site. While the improvements had the desired effect of enhancing our customers' experience, primarily by simplifying the access, it had adverse effects as well. We demonstrated this in our trial which we concluded, and made the appropriate adjustments. We appreciate being alerted however, and apologize for any inconvenience to our customers." Although the company has shut down the easily hacked path into its customers' accounts, at the time this column was published on June 9, the hole was still open in the company's IVR system.]
Whereas the difference between Cingular's live site and the screenshots provided with this story helps to show how the design of the site's pages has changed overnight, the changes themselves appear to have been hastily designed. For example, as this story was being completed, the new account login page contained nonsensical instructions such as "To view or pay your bill, update your account, add features and more, enter your ZIP code or wireless phone number below and click Login." Entering your zip code hardly seems like a logical first step towards viewing or paying a bill. Priester, who designs Web applications, agreed that the design was sub-optimal, but suggested that Cingular may have separate regional billing systems instead of one central one and that the zip code may be the key to redirecting the data flow to the proper back-end system.
Fran Maier, executive director at privacy watchdog TRUSTe, was shocked when it took no more than three minutes for me to talk her through a handful of steps on her Web browser before she was one click away from using a Cingular employee's Visa card to pay a $37,000 phone bill. (Apparently, some Cingular employees do not have to pay their phone bills.) "This is a significant breach of security and privacy," said Maier. "The functionality may be a convenience to users, but at a cost that's not worth it." Maier is referring to how easy it was to access limited Cingular customer account information from Cingular's home page, as well as from the Manage My Account page that was one click away from the home page, by entering nothing more than a Cingular customer's wireless phone number and zip code. To demonstrate the ease with which this was possible, I had to find the phone number of someone using a wireless phone that's provisioned by Cingular. This didn't take long. The numbers for certain Cingular employees are easy to find on Cingular's Web site. Finding the billable zip code for those employees was guesswork that a 6th grader could manage. After keying in the Cingular employees' phone numbers and their billable zip codes, I was taken to the My Account Quick Summary, which shows the type of minutes plan that's subscribed to, the number of minutes remaining, how many have been used, the last payment amount, and the total amount due. There are two primary paths that can be taken from the summary page. One of these paths -- "Manage My Account" -- is for accessing detailed account information and fortunately, to go down this path, an account ID and password are needed. But to take the other primary path -- "Pay Bill" -- no such authentication was needed at the time this story was published. Clicking on that link advances the user to the Payment Options page, which offers four payment option choices.
One of these is to pay with a "Previously used credit card/debit card/checking account." Selecting that and moving on to the Repeat Previous Payment Method page puts the user one click away from executing a transaction. In the test cases of the two Cingular employees, a Visa card was indicated as the previous form of payment and though all but the last four digits of the Visa card number were masked, not much stands between a hacker and a fraudulent transaction at this point. The IVR system, which can still be exploited, works the same way. After dialing 1-866-CINGULAR and pressing "1", a hacker is literally a phone number, a zip code, and a couple of other keystrokes away from executing an unauthorized payment. Of course, it could be asked (as several people did in the course of investigating this story) what harm is done in paying someone's bill with their own credit card. It turns out that there are plenty of concerns. For example, for budgeting purposes, what if a card holder is timing payments so that they're made after a new billing cycle from the card issuer begins? Or, what if the charges on the cellular account are currently being disputed? How about if the card holder is preparing to close the credit card account that was used last time and is avoiding adding new charges to it? Priester, who is a Cingular customer, asked "What would happen if I was planning a trip out of the country and someone accessed the system and maxed out my credit card? I could see a merchant confiscating my card and cutting it up with a scissors." These are just a few of the many reasons why a card holder might not want their credit card being charged unbeknownst to them. As TRUSTe's Maier says, it constitutes a breach of both security and privacy. 
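The two access paths the column describes, as an added example in Python that is not Cingular's code: the low-assurance phone-plus-ZIP lookup, the flawed payment step that trusted that lookup alone, and a hardened version that gates reuse of a stored payment instrument behind the same account ID and password that already protected Manage My Account. The account record, the sample values, the balance-due cap and all function names are assumptions made for the example.

```python
"""Model of the account-access flow in the column (added example, not Cingular's code).
Assumes summaries are keyed by phone number plus ZIP and that a stored payment
instrument hangs off the account record. All data below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    phone: str
    zip_code: str
    account_id: str
    password: str            # constructed; a real system would store a hash
    amount_due: float
    stored_card_last4: Optional[str] = None


@dataclass
class Session:
    account: Account
    authenticated: bool = False   # True only after account ID + password


# Constructed sample account; the phone number and ZIP are placeholders.
ACCOUNTS = {("5550100", "00000"): Account("5550100", "00000", "acct-1", "pw", 37000.0, "4242")}


def quick_summary(phone: str, zip_code: str) -> Session:
    """Low-assurance lookup: phone and ZIP are both discoverable, so this should
    only ever unlock the limited My Account Quick Summary."""
    acct = ACCOUNTS.get((phone, zip_code))
    if acct is None:
        raise KeyError("no such account")
    return Session(acct)


def login(session: Session, account_id: str, password: str) -> Session:
    """The Manage My Account gate: upgrades the session only on correct credentials."""
    acct = session.account
    session.authenticated = (acct.account_id == account_id and acct.password == password)
    return session


def _charge_stored_card(acct: Account, amount: float) -> str:
    if acct.stored_card_last4 is None:
        raise ValueError("no stored payment instrument on file")
    return f"charged {amount:.2f} to card ending {acct.stored_card_last4}"


def pay_with_stored_card_flawed(session: Session, amount: float) -> str:
    """The flaw as described: reaching the summary page was enough to charge the card."""
    return _charge_stored_card(session.account, amount)


def pay_with_stored_card_fixed(session: Session, amount: float) -> str:
    """Hardened: stored-instrument reuse needs the authenticated session, and the
    amount is bounded by the balance due (an added control, assumed here)."""
    if not session.authenticated:
        raise PermissionError("account ID and password required to reuse a stored payment method")
    if amount <= 0 or amount > session.account.amount_due:
        raise ValueError("amount must be positive and not exceed the balance due")
    return _charge_stored_card(session.account, amount)
```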
According to Visa USA spokesperson Rosetta Jones (Visa was selected for comment since both tests revealed the opportunity to execute a transaction with a Visa card), Visa's card holders "are protected against fraudulent transactions by way of Visa's Zero Liability program. If a consumer suspects a fraudulent transaction has taken place, then, pending an investigation by the [card-issuing] financial institution, the charge is removed from the account as soon as the dispute is filed." Jones, however, wouldn't speculate on the average length of time it takes to resolve such disputes or how a situation like this, where identifying whether the transaction was executed legitimately or fraudulently is difficult if not impossible, would be resolved. Jones did, however, say that for merchants such as Cingular that offer the ability to execute online transactions, Visa has published a set of 12 guidelines that are core to Visa's Cardholder Information Security Program. The program specifies fines for non-compliance, but the wording of the guidelines leaves a lot of wiggle room for what constitutes protection. For example, whereas one guideline says "Protect stored data," another says "Assign unique ID to each person with computer access." But nowhere does it say that all user account information must be protected by a minimum of two-factor security (such as a combination of user ID and password). Priester, whose work in Web application development includes the development of e-commerce systems, was at a loss to explain how a design idea like this makes it to fruition in not one, but two systems. "With a big company like Cingular, a design change like this that covers two systems (Web and phone) and takes a long time has to go through several layers of approval and development," said Priester. "How is it that no one spoke up? Not the designers, not the managers, and not even the developers who should know better."
TRUSTe's Maier says that in addition to standard sets of best practices that TRUSTe has published for merchants interested in protecting the privacy of their customers, TRUSTe is also drafting a set of security guidelines. Cingular is not a TRUSTe licensee. You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.