Boost Mobile Detected Unauthorized Activity on Customer Accounts

California-based Boost Mobile, founded in 2000 as a joint venture with Nextel Communications and now a Sprint subsidiary, has warned an unspecified number of customers about unauthorized online account activity on March 14, 2019.

An undated customer letter posted on the Boost Mobile website provides very little information beyond that “an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code.” The implication is that the unauthorized person either already had the user’s phone number and PIN code, or acquired it at the same time. There is no indication that Boost Mobile suffered a system breach with large quantities of phone and PIN numbers stolen.

However, with so little information provided, it is difficult to know exactly what happened. The notice merely says, “The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.” Again, it talks about unauthorized account activity rather than a system intrusion. 

It also says customers had been sent a temporary PIN code with instructions on how to change it to one of their own choice. If the March 14 incident referred to is merely unauthorized account activity on a limited number of accounts, then changing the account PINs would be enough to protect against further unauthorized activity. There is no indication in this statement of any large-scale data exfiltration by intruders, nor any suggestion that any customers’ credit cards or social security numbers — which are encrypted — have been compromised.

The question then becomes how the attacker got hold of the users’ PIN numbers, and whether the process can be repeated against other customers. One option could be credential stuffing — with PIN numbers rather than passwords — provided the phone number, PIN number and access attempts were rotated and kept low enough to avoid automatic detection via Boost’s system logs. Notably, the Boost statement includes the comment, “As a reminder, we recommend that PIN codes such as 1234 or 1010 are to be avoided.”
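To show why rotated, low-volume PIN guessing slips past per-account and per-IP counters, and what a log-side check can still see, here is an added detection sketch; it is not from Boost or from the original article. The event format, the one-hour window, the four-account threshold and the logging key are all assumptions, and the sample events are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, source_ip, phone, pin, success).
# No account or IP appears more than twice, so per-account and per-IP
# failure counters never approach a lockout threshold.
SAMPLE_EVENTS = [
    (1000, "198.51.100.1", "5550100001", "1234", False),
    (1400, "198.51.100.2", "5550100002", "1234", False),
    (1900, "198.51.100.3", "5550100003", "1234", True),
    (2300, "198.51.100.4", "5550100004", "1010", False),
    (2800, "198.51.100.5", "5550100005", "1234", False),
    (3100, "198.51.100.6", "5550100006", "1010", False),
    (3300, "203.0.113.9", "5550100007", "4821", False),  # ordinary user typo
    (3350, "203.0.113.9", "5550100007", "4812", True),
    (3500, "198.51.100.7", "5550100008", "1234", False),
]
LOG_KEY = b"constructed-demo-key"  # assumption: secret held by the logging tier

def pin_tag(pin: str) -> str:
    """Keyed digest so raw PINs never reach the log pipeline."""
    return hmac.new(LOG_KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]

def detect_pin_spray(events, window=3600, min_accounts=4):
    """Return {pin_tag: sorted phones} for any PIN value submitted against
    at least min_accounts distinct phone numbers within `window` seconds."""
    by_tag = defaultdict(list)
    for ts, _ip, phone, pin, _ok in sorted(events):
        by_tag[pin_tag(pin)].append((ts, phone))
    flagged = {}
    for tag, attempts in by_tag.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {phone for _, phone in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[tag] = sorted(accounts | set(flagged.get(tag, [])))
    return flagged

def max_failures_per_account(events):
    """Worst-case failed-attempt count seen by a per-account lockout rule."""
    counts = defaultdict(int)
    for _ts, _ip, phone, _pin, ok in events:
        counts[phone] += not ok
    return max(counts.values())
```

On the sample data no account sees more than one failure, yet the tag for the PIN 1234 is flagged across five phone numbers, one of which logged in successfully and would warrant a forced PIN reset.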

Individual user phishing attempts — such as phoning the user and pretending to be Boost customer service — seem to be ruled out by Boost’s stated ability ‘to implement a permanent solution to prevent similar unauthorized account activity.’ Credential stuffing could be eliminated through the purchase and installation of a modern advanced bot detection and blocking system. An insider working with the criminal or criminals could be fired.

The simple reality is that from the information provided by Boost, we do not know what happened. There have been suggestions that, since the company notified the California attorney — which it isn’t required to do if fewer than 500 people from California are affected — at least that number of accounts were involved in the incident; but this is speculation.

SecurityWeek has asked Boost’s parent company, Sprint, for further details. Any information provided will be appended to this article.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
