It was totally Samsung's fault that crims stole your personal info from a Samsung site, says Samsung-blaming Sprint Sprint has told some of its subscribers that a piss-poor Samsung website exposed their personal details to the internet. The North American mobile carrier is right now sending out letters (PDF) to unlucky customers whose account and device details were leaked onto the web thanks to, apparently, dodgy Samsung coding and …
The article leaves a few options open. I'm sure this is because Sprint and Samsung are not all that happy to give out information and have contradicted one another, but here are a few things this could be:
1. Samsung has Sprint credentials (why?), and they left them unsecured. Criminals obtained them and started logging into Samsung's site.
2. Sprint left Sprint credentials unsecured, and criminals stole them and started to use them to log into Samsung's site because you can evidently use them on both (why?).
3. Sprint credentials were found by criminals from somewhere, and they started using them to log into Samsung's site (where were they found, or do the companies not know)?
Neither company seems to have bothered trying to explain exactly where the credentials came from. Logically, Sprint should be the only people with them, but who adheres to logic?
...Sprint should be the only people with them...
Exactly. And if, for some reason, I would trust another party having my clients' credentials, it's my obligation to make sure that this other party keeps them secure - first in the contract and second with additional assurance such as reviews and audits.
No specific sympathies for either side. But I certainly don't trust Sprint's statement.
Ok my reading of it was, that the miscreants got a couple of Spring credentials - could have just been from password reuse or similar, doesnt actually have to be a sprint failure - and that having these one or two credentials they were able to access more sprint customers details of the samsung site - maybe a similar failure/stupidity as the Amadues one, using consecutive account numbering, not checking for rights to other accounts one inside, etc., who knows.
Samsung's statement that no samsung customer details were released versus the long list spring provided does open up a lot of questions though. Either way, another fine example of why relying on an external provider to hold your customers data is a sure fire way to get bitten in the a$$.
"I certainly don't trust Sprint's statement."
Nor should you. "Sprint" and "customer service" are mortal enemies. Many years ago my dad had Sprint. One day he called and asked for a copy of his bill. The correct answer was "Could you please confirm your address?" The answer he received was "Why?" He wasn't a Sprint customer much longer after that. Never trust a word out of Sprint's mouth, because they do not understand how important good customer service is.
Long ago I received a letter from a relative of a deceased person who was perplexed at phone calls he was sure his late mother could not have made on Sprint's land line service to a small town I used to live in. I called him and asked what Sprint said about the calls in question, and he said they bragged that "Sprint's computers never make a mistake - it is totally impossible"; So I told the man they were indeed my calls, and they were - I got extreme satisfaction telling Sprint their computers or some J-I-J-O mistake did make errors and that the calls were mine. They insisted on saying it was impossible. So I said, "Why would I claim these were my calls if it were not true? Don't you think I'd normally enjoy the fact that someone else paid for my 45 dollars worth of calls?" Sprint canceled the debt to the estate and didn't even bother billing me for their mistake even though I said I'd pay for it. They didn't care if they lost money as long as they didn't have to admit they made a mistake somewhere in the system. Needless to say I've never wanted to use Sprint from then on, and thank God we now have cell phones with competition so folks aren't forced to use despicable services just because a small town only has one phone company!!!
I used to have an account with Sprint. Once the phone was paid off I told them that I wanted it unlocked. They tried to say that they couldn't. I pointed out that I'd spoke with the device's manufacturer (Apple) and had been assured that they could. They tried to say that it would only talk to Sprint frequencies, so there was no point. I again pointed out that the device's vendor disagreed with them, and in any case that would be my problem, not theirs, so unlock the damn phone. They refused. I pointed out that there was actual Federal law on this point, and the Feds said that once the device is fully paid off the telco MUST unlock it on request. I further said that I had the address of the Feds to which to make a complaint and that my next stop would be said Feds if they didn't unlock the damn phone IMMEDIATELY. They unlocked the phone. I closed the account and took the phone to Verizon, where it did, in fact, work just fine. (Verizon is a whole different level of customer non-support, but that's a different story.) While the phone was at Sprint it would get max speeds of about 8 Mb/s, even with four bars; the same phone, on Verizon, would get 20 Mb/s with three bars. There would be a reason why they want to make it hard for you to move.
I have since left Verizon for AT&T, where the same phone got about 18 Mb/s, and got a new phone there. Verizon attempted to bill me for two months of service _after_ I moved to AT&T, stating that I hadn't paid off the phone. An actual paper letter on legal letterhead pointing out that I'd brought the phone with me and didn't owe them a penny not only got the attempted charges removed, despite their threatening to take me to collections and to repossess the phone, but got me a refund as I'd switched in the middle of the billing period after having paid for the full month. Verizon attempted to bill me when they owed me money.
AT&T have, so far, proved a lot better than either Sprint or Verizon. This is not difficult.
Would this be the same Samsung that let the SSuggest.com domain lapse, thus potentially exposing to miscreants millions of Galaxy mobile users with the non-removable SSuggest app, https://brownglock.com/library/2017/06/21/samsung-lets-domain-ssuggest-com-lapse-and-exposes-millions-of-phones-to-potential-hackers/ ?
Whenever I see "XXX takes security very seriously," I translate it as "It costs money to have good security, and that might mean less compensation for the c-suite. Besides, we don't give a crap about other people's private information staying private because it's not our problem."
Here's hoping GDPR and (if we ever get something here in the US) privacy legislation makes that attitude more expensive than fixing the problem. Since everything these days is all about money and nothing else, that's the only way big corporations would ever spend a penny towards other people's security.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
