It's one of the largest wireless companies in the United States. It has billions of dollars in the bank. And last week, it had a colossal security problem on its hands.
In the classic cool-features-versus-common-sense scenario, the company, which we cannot name given the gravity of its security hole, decided to improve its Web site with a new "customer friendly" feature that allowed its wireless users to check on their plan and the amount of minutes available and make online payments.
The caveat? There was absolutely no authentication needed. None. Period.
Anyone with access to a Web browser could type in the company's URL, then a wireless phone number and ZIP code in two fields on the home page and -- viola! -- instant access to a portion of an account. Another click or two and anyone could change amounts and continually make payments.
I know this because on the first day of service I found the flaw. First, I worried. The 12-year-old I yelled at last week for using foul language gets back at me by upping my credit card payment from $50 to $5,000. What if I'm on a cruise when this happens and all of a sudden I have no funds in my checking account?
Then I got mad. From an organizational perspective, there should be a review process by which each department involved -- including information security -- approves the initiative before it moves forward. Lawyers should be brought in to make sure everything is according
Yet, this wireless company had no apparent oversight and disregarded the very pillars of information security. The confidentiality of the customer's account was destroyed once authentication to the individual accounts was eliminated. Integrity went out the window when an unauthorized payment was made, and non-repudiation never existed in the first place.
It's ironic that the entire communication between the customer and the company was encrypted via SSL. Why encrypt if anyone can access the account anyway? Even more interesting: When a session timed out, a message popped up informing a user the termination was for security purposes.
My colleagues and I attempted to contact the company on several occasions almost immediately. At first we were told that the information security department does not exist. Then we were transferred to an empty extension that supposedly belonged to the previously unknown department. Repeated calls to customer service yielded nothing except scaring the daylights out of the representatives themselves.
Finally, two days later, we were able to get an official representative from the office of the president on the phone, who promptly explained that our problem has been noted. Much to my dismay, she essentially said officials were aware of the situation but had no short-term plans to abandon the new service. My response to her was that I have no long-term plans to stay their customer.
As a final note, shortly after that conversation, we located the wireless number of one of their executives using a simple Internet search. By then, someone had made at least one $5,000 payment to the account. VISA, I later learned, was bombarded with calls reporting credit card fraud. Later that day, the company took the feature offline.
Somehow, I'm not amazed.
Jason Beta, CISSP, is a security contractor with the City of Jacksonville in Florida