Virgin Mobile USA online subscriber accounts can be easily hacked, developer says
Software developer claims Virgin Mobile USA employs poor password security practices on its website
IDG News Service - The online accounts of Virgin Mobile USA subscribers are vulnerable to brute force attacks because the company forces customers to use weak passwords on its website, according to a software developer.
"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password," Kevin Burke, a software engineer at cloud communication company Twilio said Monday in a blog post. "This means that there are only one million possible passwords you can choose."
"This is horribly insecure," Burke said. "Compare a 6-digit number with a randomly generated 8-letter password containing upper-case letters, lower-case letters, and digits - the latter has 218,340,105,584,896 possible combinations."
Burke claims that he wrote a program which can determine the PIN number for any Virgin Mobile USA online account in less than a day, as long as the target's phone number is known, and which he successfully tested against his own account.
Once inside a Virgin Mobile online account, an attacker can read the account owner's call and SMS logs, change the handset associated with the account, change the email address and the mailing address, purchase a new handset with the credit card information on record and more, Burke said.
Burke claims that he notified Virgin Mobile USA and its parent company, Sprint Nextel, of the security issue on August 15 and he was initially told that the matter will be looked into. However, on September 14, in response to a request for a status update, a Sprint representative said that no further action will be taken by Virgin Mobile, Burke said.
Virgin Mobile USA did not return a request for comment.
It seems that Virgin Mobile USA does have some protection mechanism against brute force attacks built into its website. However, according to Burke, that protection is poorly implemented.
"Some people are mentioning they freeze you out after 4 invalid login attempts," Burke said Tuesday via email. "However you can get around this limitation by a) clearing your cookies, or b) not using a web browser like Google Chrome or Firefox to try the login attempts."
"I tried 100 bad logins in a row, followed by my good login, without getting locked out last night," the developer said. "An attacker could do the same."
When choosing their PIN on the Virgin Mobile website, customers are asked not to use more than 3 identical digits in a row -- for example 2222 -- and no more than 3 sequential numbers -- for example 2345. This is probably intended to make PINs more random and harder to guess.
Ironically, this actually decreases the number of variants that an attacker has to try in order to determine a PIN number when using a brute force attack.
"Practically speaking there's not much difference between 900K [thousands] possible combinations and a million combinations," Burke said. "It adds a little bit of time but what's an extra few minutes to a computer."
"They [Virgin Mobile USA] should allow people to use any character in their passwords, and probably set a *minimum* of 6 characters in a password," Burke said. "As I pointed out in the blog post, an 8 character password with 62 possibilities for each character has 218 trillion possible different combinations, making it impractical to brute force during our lifetime."
- Strategies for Securing Mobile Certificates Most organizations have no visibility into what users have access to which increases the risk of unauthorized access to critical networks, applications, and...
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Be the One Who Puts Security on the Agenda eBook You want to maximize the potential offered by new technologies and establish an advantage over your competitors. But you know the latest IT...
- The State of Video Conferencing Security Video conferencing equipment, found in almost every boardroom around the world, may be opening up companies to serious security breaches. This paper explains...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Mobile Security White Papers | Webcasts