I went to the local Sprint store today to get a new phone. I was the
first existing customer to get a phone there that day, and so was the
first person they got to try the new system on.

First thing that was apparent is that no one in the store had been
trained on dealing with the discounts. They didn't know if they had to
do anything, or if the discount would show up automatically when they
rang up the sale.

So, they tried just ringing it up, and it didn't have the discount.
After much fiddling, they got the discount on. I signed the new
contract. And something didn't work. Another sales guy came over and
tried. He basically started over. I signed another contract. He ran
into the same problem, then fiddled a long time, and got it to accept
the discount.

All in all, it took them about 45 minutes to deal with this. This was
long enough that I was close to being late for a meeting, so rushed off
as soon as they were done.

After work, I took a closer look at my receipt, and saw that my discount
had only been $100. It should have been $150. Also, the estimate at
the bottom of my monthly fee said $172. That's about twice what it
should be, so I naturally wondered if both contracts had been entered,
and I now had double service. Checking my account at the web site, it
seemed fine... my plan was exactly the same as it had been on the old
phone. Only the phone itself was different.

So, back to the store to see about getting my other $50. This caused a
bit of discussion among the staff. At first, they thought that they
should void the first transaction and ring it all up again, but they
decided that this would require taking back the phone and giving me a
new one, and they didn't want to do that. Finally, they decided that
they could easily give me a $50 credit on my account, if that was OK
with me. It was. When they printed the receipt up for that, it also
had a monthly estimate that was more in line with what I expect.

One thing disturbed me a bit. At the start of this whole thing, they
asked my existing phone number and my password. A friend and I are
using a family plan to share our phone costs, and I had to guess whether
the right password was the account password or the password for my
number. I guessed wrong. They asked me for the last 4 digits of my SSN
as an alternative, which I gave. Then, now that they knew it was me,
they casually mentioned what the other password was.

That disturbs me because it shows that Sprint's system does not follow
good security principles. It should not be possible for the sales guy
to find out my password, because Sprint should not be storing the
password at all. Sprint should be storing a salted hash of the
password. When you give your password to log in, they should hash what
you gave and compare it to the stored hash. If they match, they know you
gave the right password.

The reason for this (which has been standard best practice since the
mid-70s) is so that if their password database gets leaked or stolen, the
passwords are not compromised.
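As an added illustration of the scheme described above (this is example code written for this page, not anything from Sprint or the original post), here is what storing and checking a salted password hash looks like. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the salted, slow hash; the account names, passwords and iteration count are constructed sample values. The point it makes is the one in the text: the database holds only salt and hash, so a clerk's lookup can confirm a password but cannot read it back.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# a production system tunes this to its own hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build the record that belongs in the database: algorithm, work
    factor, per-user random salt and the derived hash. The password
    itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the offered password using the stored salt
    and work factor, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Constructed sample: a family plan with an account password and a
# per-line password, mirroring the situation in the post. Only hash
# records are kept, never the passwords.
ACCOUNT_DB: Dict[str, str] = {
    "account": hash_password("family-plan-secret"),
    "line:555-0100": hash_password("my-line-secret"),
}

# Used when a name is unknown, so the failure path costs the same time.
DUMMY_RECORD = hash_password("not-a-real-password")


def login(credential_name: str, offered_password: str) -> bool:
    """What the store's system should do with a password: check it."""
    record = ACCOUNT_DB.get(credential_name)
    if record is None:
        verify_password(offered_password, DUMMY_RECORD)
        return False
    return verify_password(offered_password, record)


def staff_view(credential_name: str) -> str:
    """The most a clerk's screen can show under this scheme: the stored
    record, from which the password cannot be recovered."""
    return ACCOUNT_DB[credential_name]


if __name__ == "__main__":
    print("right line password:", login("line:555-0100", "my-line-secret"))
    print("account password offered for the line:",
          login("line:555-0100", "family-plan-secret"))
    print("what staff can see:", staff_view("account"))
```

Two details carry the argument: every password gets its own random salt, so two customers with the same password still get different records and a leaked table cannot be attacked with one precomputed list; and the comparison uses `hmac.compare_digest` so a check does not leak how many bytes matched.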

--
--Tim Smith