T-Mobile Hotspot uses SSN for passphrase

[InfoSec News <isn () c4i org>]

http://catless.ncl.ac.uk/go/risks/22/72/7

[ http://accounts.hotspot.t-mobile.com/security.htm - T-Mobile doesn't
support WEP, and from the URL above, a small number of legacy sites
don't encrypt your username and password.   - WK]


Conrad Heiney <conrad (at) fringehead.org>
Thu, 8 May 2003 16:20:34 -0700

I just signed up for T-Mobile Wireless' "Hot Spot" service, which 
provides wireless Internet access via Starbucks Coffee, Borders Books, 
and many other semi-public places in the U.S. As a current T-Mobile 
telephone subscriber I was given a good deal. I was also given a user 
name and a passphrase, neither one of which can be changed. The user 
name is my telephone number and the pass phrase is the last four 
digits of my social security number.

The obvious RISK of using the phone number and SSN in this manner is 
pretty awful (identity theft, etc.) but what's also quite funny is 
that those are the two things you need to identify yourself to 
T-Mobile for any other purpose, too. Try again, guys.

Conrad Heiney 
conrad (@) fringehead.org 
http://fringehead.org



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.