Virgin Mobile USA online subscriber accounts can be easily hacked, developer says
Software developer claims Virgin Mobile USA employs poor password security practices on its website
IDG News Service - The online accounts of Virgin Mobile USA subscribers are vulnerable to brute force attacks because the company forces customers to use weak passwords on its website, according to a software developer.
"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password," Kevin Burke, a software engineer at cloud communication company Twilio said Monday in a blog post. "This means that there are only one million possible passwords you can choose."
"This is horribly insecure," Burke said. "Compare a 6-digit number with a randomly generated 8-letter password containing upper-case letters, lower-case letters, and digits - the latter has 218,340,105,584,896 possible combinations."
Burke claims that he wrote a program which can determine the PIN number for any Virgin Mobile USA online account in less than a day, as long as the target's phone number is known, and which he successfully tested against his own account.
Once inside a Virgin Mobile online account, an attacker can read the account owner's call and SMS logs, change the handset associated with the account, change the email address and the mailing address, purchase a new handset with the credit card information on record and more, Burke said.
Burke claims that he notified Virgin Mobile USA and its parent company, Sprint Nextel, of the security issue on August 15 and he was initially told that the matter will be looked into. However, on September 14, in response to a request for a status update, a Sprint representative said that no further action will be taken by Virgin Mobile, Burke said.
Virgin Mobile USA did not return a request for comment.
It seems that Virgin Mobile USA does have some protection mechanism against brute force attacks built into its website. However, according to Burke, that protection is poorly implemented.
"Some people are mentioning they freeze you out after 4 invalid login attempts," Burke said Tuesday via email. "However you can get around this limitation by a) clearing your cookies, or b) not using a web browser like Google Chrome or Firefox to try the login attempts."
"I tried 100 bad logins in a row, followed by my good login, without getting locked out last night," the developer said. "An attacker could do the same."
When choosing their PIN on the Virgin Mobile website, customers are asked not to use more than 3 identical digits in a row -- for example 2222 -- and no more than 3 sequential numbers -- for example 2345. This is probably intended to make PINs more random and harder to guess.
Ironically, this actually decreases the number of variants that an attacker has to try in order to determine a PIN number when using a brute force attack.
"Practically speaking there's not much difference between 900K [thousands] possible combinations and a million combinations," Burke said. "It adds a little bit of time but what's an extra few minutes to a computer."
"They [Virgin Mobile USA] should allow people to use any character in their passwords, and probably set a *minimum* of 6 characters in a password," Burke said. "As I pointed out in the blog post, an 8 character password with 62 possibilities for each character has 218 trillion possible different combinations, making it impractical to brute force during our lifetime."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts