How Paris Got Hacked?
Subject:   Sounds like T-Mobile's fault to me
Date:   2005-02-23 14:30:43
From:   tychay
Seems like the media and Bruce Schneier (who may know everything there is to know about encryption but needs to use the web a little more often) are confusing PASSWORDS with SECURITY ANSWERS.

The former should be hard to guess, the latter should be easy to remember (thus easy to guess).

On nearly every other website out there, answering your security answer DOES NOT allow you to change your password. Instead, it sends your password or a link to change your password to your primary e-mail address. The first secures your account, the second secures the sending of access control over an unencrypted communication.

I did something similar to this when I had my notebook stolen and couldn't access my O'Reilly Account.

T-Mobile's account system should be requesting a primary e-mail on registration. When I signed up for mine a year ago, I assumed it would send the password via SMS--they use your mobile phone number to secure your login name. Instead, answering the security answer allows you to reset your T-Mobile password.

That's plain and simple stupidity on the part of T-Mobile's internet. Paris Hilton's intelligence notwithstanding.

tressermckay: You are probably confusing the MSN report a couple months ago when Paris Hilton's voice mail was hacked with the recent hack of her T-Mobile phone book. These are two different incidents.