California-based Boost Mobile, founded in 2000 as a joint venture with Nextel Communications and now a Sprint subsidiary, has warned an unspecified number of customers about unauthorized online account activity that took place on March 14, 2019.
An undated customer letter posted on the Boost Mobile website provides very little information beyond that “an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code.” The implication is that the unauthorized person either already had the user’s phone number and PIN code, or acquired them at the same time. There is no indication that Boost Mobile suffered a system breach in which large quantities of phone numbers and PINs were stolen.
However, with so little information provided, it is difficult to know exactly what happened. The notice merely says, “The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.” Again, it talks about unauthorized account activity rather than a system intrusion.
It also says customers have been sent a temporary PIN code with instructions on how to change it to one of their own choice. If the March 14 incident referred to is merely unauthorized account activity on a limited number of accounts, then changing the account PINs would be enough to protect against further unauthorized activity. There is no indication in this statement of any large-scale data exfiltration by intruders, nor any suggestion that any customers’ credit cards or social security numbers — which are encrypted — have been compromised.
The problem then becomes one of how the attacker got hold of the users’ PIN numbers, and whether the process can be repeated against other customers. One option could be credential stuffing — with PIN numbers rather than passwords — provided the phone number, PIN number and access attempts were rotated and kept low enough to avoid automatic detection via Boost’s system logs. Noticeably, the Boost statement includes the comment, “As a reminder, we recommend that PIN codes such as 1234 or 1010 are to be avoided.”
Individual user phishing attempts — such as phoning the user and pretending to be Boost customer service — seem to be ruled out by Boost’s stated ability ‘to implement a permanent solution to prevent similar unauthorized account activity.’ Credential stuffing could be eliminated through the purchase and installation of a modern advanced bot detection and blocking system. An insider working with the criminal or criminals could be fired.
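As an added illustration of the low-and-slow credential-stuffing hypothesis above (this is example code written for this article, not anything from Boost or Sprint), the following flags a source that fails against many distinct accounts even though each account individually sees too few failures to trip a per-account lockout, and applies the weak-PIN advice from the notice. The log format, IP addresses and phone numbers are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log: timestamp, source IP, phone number,
# outcome. Each phone number sees at most one failure (under any sensible
# per-account lockout), but one source fails across many accounts.
SAMPLE_LOG = """\
2019-03-14T02:00:01 198.51.100.7 5550001111 FAIL
2019-03-14T02:00:09 198.51.100.7 5550002222 FAIL
2019-03-14T02:00:17 198.51.100.7 5550003333 FAIL
2019-03-14T02:00:25 198.51.100.7 5550004444 FAIL
2019-03-14T02:00:33 198.51.100.7 5550005555 SUCCESS
2019-03-14T02:01:10 203.0.113.5 5550006666 FAIL
2019-03-14T02:01:40 203.0.113.5 5550006666 SUCCESS
"""

# PINs the Boost notice names, plus other commonly chosen values.
WEAK_PINS = {"1234", "1010", "0000", "1111"}


def is_weak_pin(pin: str) -> bool:
    """True for PINs that should be rejected at PIN-change time: wrong
    length, on the deny list, a single repeated digit, or a straight
    ascending/descending run such as 2345 or 9876."""
    if len(pin) != 4 or not pin.isdigit() or pin in WEAK_PINS:
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def stuffing_sources(log: str, max_accounts: int = 3, window_s: int = 300):
    """Return {source: distinct_accounts} for sources whose failures span
    more than max_accounts distinct phone numbers inside a sliding window.
    Per-account counters never see this pattern; per-source ones do."""
    failures = defaultdict(list)  # source IP -> [(epoch seconds, phone)]
    for line in log.splitlines():
        ts, src, phone, outcome = line.split()
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts).timestamp(), phone))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            phones = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(phones) > max_accounts:
                flagged[src] = len(phones)
                break
    return flagged
```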
The simple reality is that, from the information provided by Boost, we do not know what happened. There have been suggestions that, because the company notified the California attorney general, which it is not required to do if fewer than 500 California residents are affected, at least that number of accounts must have been involved in the incident; but this is speculation.
SecurityWeek has asked Boost’s parent company, Sprint, for further details. Any information provided will be appended to this article.