Assurant is a security risk. And fix your website.

  • 19 August 2021
  • 0 replies
  • 32 views


mytmoclaim only requires a phone number and a postal code to check a claim. That’s it. No authentication whatsoever, no SSO with T-Mobile, no two-factor authentication, no anything. And if you know a phone number, you can deduce the zip code. And that’s all you need to see the customer’s name and address. This is unacceptable. This is mind-blowingly unacceptable.

First, their website (which is on two different domains, and your website lists both in different places) looks and acts as if it was made in 1995. Since they are able to connect to your systems, that is also a cause for concern regarding the recent data hack. Seriously, what even is this? What have you fixed regarding the recent hack if THAT abomination can connect to you?

An attacker can write a bot and query mytmoclaim all day. In fact, if I know someone casually says “Hey, I replaced my phone”, I can just check and now I know their address. And, to top it off, if someone’s finished a claim, it doesn’t matter. The last claim will show up anyway. This is a serious privacy issue. Also, ASP.NET_SessionId is exposed and not a secure cookie.

Second, your website is constantly breaking.

I’m a senior software developer and I have never worked at a company that routinely pushed breaking changes to production systems. If you do not have a QA department and QA environment for your website, you need to create one. This is a live website. We should never have to see things work purely randomly based on browser, whether we load the page on a new tab or click through the website, or just by the whim of some random push to t-mobile.com that you guys did.

Right this second, I can see Angular errors and jQuery errors on several pages. I get random infinite loading spinners, errors, and even plain white pages sometimes. This attention to detail is probably why T-Mobile was hacked recently.

If you treat your security and infrastructure the same way you treat the live website presentation, then we’re bound to see more hacks all the time. And you’re T-Mobile, so it’s not like you’re broke and can’t afford to pay for the talent and time to protect our data and have a working website.

Get it together.
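The post's last technical point is that the `ASP.NET_SessionId` cookie is not marked Secure. The following is an added example, not code from the post or from T-Mobile/Assurant: a small defender-side audit of `Set-Cookie` headers that flags a session cookie missing the `Secure`, `HttpOnly` and `SameSite` attributes. The function names (`audit_set_cookie`, `audit_headers`) and the sample headers are my own constructions; the weak cookie line mirrors the complaint, the hardened line shows what a correctly attributed session cookie looks like.

```python
"""Audit Set-Cookie headers for missing security attributes (added example)."""
from dataclasses import dataclass, field

# Common session-cookie names; ASP.NET_SessionId is the one named in the post.
SESSION_COOKIE_NAMES = {
    "asp.net_sessionid", "jsessionid", "phpsessid", "sessionid", "connect.sid",
}


@dataclass
class CookieAudit:
    name: str
    is_session: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the findings for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script running on the page")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent along with cross-site requests")
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this combination")
    return CookieAudit(name, name.lower() in SESSION_COOKIE_NAMES, findings)


def audit_headers(headers) -> list:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def weak_session_cookies(headers) -> list:
    """Only the session cookies that have at least one finding."""
    return [a for a in audit_headers(headers) if a.is_session and a.findings]


# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),                       # weak
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),                    # not a session
    ("Set-Cookie", "JSESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Strict"),  # hardened
]

if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_HEADERS):
        tag = "SESSION" if audit.is_session else "other"
        print(f"{audit.name} [{tag}]: {audit.findings or 'ok'}")
```

Run against the constructed headers, the weak `ASP.NET_SessionId` line produces three findings and the hardened `JSESSIONID` line none; in practice the header list would come from an HTTPS response captured in a test environment, and any session cookie appearing in `weak_session_cookies` is a configuration fix (`requireSSL`, `httpOnlyCookies`, `SameSite` in the framework's cookie settings) rather than an application change.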

