[ISN] Verizon Wireless Fixes Web Site Vulnerabilities

InfoSec News isn at c4i.org
Fri Aug 12 01:09:37 EDT 2005


By Brian Krebs
washingtonpost.com Staff Writer
August 11, 2005

Verizon Wireless said today that computer programming flaws in its
online billing system could have allowed customers to view account
information belonging to other customers, possibly exposing limited
personal information about millions of people.

A spokesman for the Bedminster, N.J., company, a joint venture between
Verizon Communications Corp. and Vodafone Group PLC, declined to say
how many of the company's 45 million subscriber accounts were at risk.  
Verizon Wireless said the problem appeared to be limited to accounts
for customers in the eastern United States who had signed up for its
"My Account" feature.

The phone giant said it had corrected the glitch as of 2 a.m. Eastern
Time today. The "My Account" feature has been available on the Verizon
Wireless Web site for the past five years, though spokesman Tom Pica
said the company does not yet know how long the faulty code was in
place on the service.

Pica confirmed the Web site flaw allowed a user to view another
subscriber's balance of remaining airtime minutes and the number of
minutes that customer had used in the current billing cycle. Two other
flaws could have exposed data about a customer's general location --
i.e., city and state -- and the make and model of phone the customer
uses, Pica said.

There is no indication that anyone took advantage of the flaws or that
any customer financial information such as Social Security or credit
card account numbers was disclosed, Pica said. The flaws also did not
allow access to phone numbers associated with customers' incoming and
outgoing calls, and "no customer data could be manipulated and changed
in any way," he said.

Pica said the company was still assessing whether it would notify
customers about the situation, but he said that based on the
information gathered so far Verizon Wireless does not believe any
sensitive personal information was revealed.

The flaw that exposed account information was reported to Verizon
Wireless by Jonathan Zdziarski, a software developer from
Milledgeville, Ga., who said he discovered it while writing a computer
program that would automatically query his account online and report
the number of minutes he had used from his wireless plan.

Zdziarski found that by simply entering another subscriber's wireless
phone number on a particular portion of the site, he could pull up
some information about that person's account.

Pica said the flaws did not expose customer account balances or latest
payment information. But Zdziarski provided washingtonpost.com with a
screenshot showing that the vulnerabilities exposed account balances
and the date of the most recent payment, a claim that Pica said the
company could not confirm.

After Zdziarski's alert, Verizon Wireless technicians reviewed other
portions of the company's billing system and fixed one, but the
technicians disabled the feature that allowed viewing of customer
location until technicians could figure out a way to secure it,
according to Pica.

Zdziarski said he later conducted other tests and found that the
glitch he discovered could also be exploited to transfer one
customer's account to another handset, a technique known as "cloning."

The user of a cloned phone can intercept all of the victim's incoming
wireless calls, and also make calls that later would be billed to the
victim's account. Zdziarski said he was prevented from fully testing
whether the flaw could be used to clone Verizon Wireless phones
because the service that allows customers to map existing phone
numbers to new handsets appeared to be offline at the time he reported
the flaw.

"This was a very easy hack to do," Zdziarski said. "I'm sure if I've
discovered it, then certainly your typical 'script kiddie' could
figure it out."

Pica said company technicians were still trying to verify Zdziarski's
phone-cloning claims.

The incident is just the latest in a string of disclosures from
companies that failed to adequately secure access to their customers'
personal information. One of Verizon Wireless's biggest competitors,
Bellevue, Wash.-based T-Mobile International, disclosed last year that
a security hole in its Web site exposed data on at least 400
customers, including a then-active Secret Service agent. Earlier this
year, a group of hackers used other flaws in T-Mobile's site to break
into the phones of dozens of celebrities, in an incident that exposed
racy photographs and personal notes and contacts for hotel heiress and
socialite Paris Hilton.

Bruce Schneier, founder of Counterpane Internet Security in Mountain
View, Calif., said the type of security vulnerability that affected
the Verizon Wireless site is exceedingly common and will remain so as
long as companies face no legal liability when they fail to secure
customer data.

"There are probably tons of other big companies who have the same
problems, because this is a really common mistake," Schneier said.  
"But if 15 million people can sue Verizon when they make a sloppy
mistake like this, then it becomes an expensive mistake. Right now the
only thing that happens to Verizon is they have a somewhat bad
public-relations day."

© 2005 Washingtonpost.Newsweek Interactive
