It may be easier than you think for someone to steal your wireless phone records. At least, that's the case if you're a Sprint wireless phone user.
Sprint makes it very easy for customers to go online to view and manage their accounts and account activity. Signing up to take advantage of that service is simple. It may be too simple.
I first read about this on Monday at The Consumerist, a blog that covers consumer gripes. As The Consumerist describes, anyone can visit the Sprint homepage and sign up as a new user. You simply enter the Sprint phone number of the account you want to register, enter the owner's first and last name, an e-mail address, and then pick a username and password. While the signup process may check to see if the first and last name match the account on file for that number, you can enter any e-mail address, username and password you like (within the bounds of the password guidelines explained on the Sprint site).
Check the button next to "I am the account holder (the person who set up the account)", click the button beside "Ask me questions that validate my identity," hit the "continue" button, and you get to the scary part. The next page asks you to select the correct answers to three multiple choice questions. When I tried this out, it asked me:
Which of the following people have resided with you at: (one of the listed people was my wife).
Which of the following streets have you never lived on or used as your address? (one option was a misspelling of a street I have previously lived on, another was my current address, and another was my most recent previous address).
In which of the following cities have you never lived or used in your address? (all were cities that are nowhere near where I currently live, so the obvious answer was D: none of the above).
This means that anyone with a basic knowledge of my history could hijack my cell phone records. They could even sign up for services in my name, such as location tracking, which allows anyone with a laptop to view my location on a map any time of day or night. An attacker could also set it up so that future bills are sent paperless to an e-mail address the bad guy controls.