2005/05/19
T-Mobile/Hilton follow up
From washingtonpost.com:
The group already had spent a year studying weaknesses in T-Mobile's Web sites. The group member interviewed for this story had already written a simple computer program that could reset the password for any T-Mobile user whose phone number the hackers knew.
The hacker called a T-Mobile store and convinced the employee that they were calling from HQ:
When prompted, the employee then offered the Internet address of the Web site used to manage T-Mobile's customer accounts -- a password-protected site not normally accessible to the general public -- as well as a user name and password that employees at the store used to log on to the system.
There are a lot of other interesting tidbits; the whole article is worth a read.
Companies like T-Mobile face a big problem: how can they convince employees that the passwords for their systems are important when they don't pay them much money?
Of course, since the exposure provided by the Hilton attack actually increased Sidekick sales, why should they? Perhaps this is why my calls to Danger have gone unanswered ;).
BTW, if anyone has a Sidekick and would be willing to test our J2ME software token on it, please contact me (nowen at wikidsystems.com) or just try it out here. You will not get any obnoxious sales emails.
