
Virgin Mobile Vulnerability Leaves 6 Million at Risk

By Jane McEntegart | Source: Kevin Burke | 15 comments

Virgin Mobile USA leaves users open to possible attack.

One developer has discovered a vulnerability in Virgin Mobile's system that leaves the carrier's six million subscribers at risk. Kevin Burke writes that anyone who knows your phone number can log into your Virgin Mobile account and make purchases, see your call and SMS logs, change your account details, and change the phone associated with your account.

According to Burke, Virgin Mobile, a subsidiary of Sprint, uses your phone number as your username and forces you to use a six-digit number (no letters or special characters allowed) as the password for your account. Since a phone number is not a secret, the PIN is the only thing protecting the account, and six decimal digits give just one million (10^6) possible values. That alone is bad practice, but Virgin Mobile USA also does not lock the account after any number of wrong attempts, so you, or a short script you have written, can submit wrong PINs all day long until one of them is accepted. That is exactly what Burke did.

"It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day," Kevin writes. "I verified this by writing a script to 'brute force' the PIN number of my own account."
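To make the two weaknesses concrete, here is an added example that simulates them locally; it is not Burke's script and does not talk to Virgin Mobile or any other real service. The `Account` class, the phone number, the PIN and the 12 guesses-per-second rate used below are all constructed for the demonstration. With `max_failures=None` it reproduces the setting the article describes (six-digit numeric PIN, no lockout), so a sequential search always succeeds; with a lockout threshold the same search stops after a handful of guesses.

```python
import secrets

# Search space for a PIN of exactly six decimal digits: 10**6 = 1,000,000.
PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS


class Account:
    """Constructed model of a carrier account: the phone number is the
    username and a 6-digit numeric PIN is the only secret.  This is a local
    simulation written for this example, not Virgin Mobile's real system."""

    def __init__(self, phone, pin, max_failures=None):
        if len(pin) != PIN_DIGITS or not pin.isdigit():
            raise ValueError("PIN must be exactly six decimal digits")
        self.phone = phone
        self._pin = pin
        # None reproduces the weak setting the article describes: no lockout.
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, pin):
        """Return True on a correct PIN.  Wrong guesses are counted and, when
        a lockout threshold is set, the account locks once it is reached."""
        if self.locked:
            return False
        if secrets.compare_digest(pin, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(account):
    """Try 000000 .. 999999 in order, which is all an attacker needs to do
    when there is no lockout.  Returns (pin, guesses) on success, or
    (None, guesses) once the account locks or the whole space is exhausted."""
    for n in range(PIN_SPACE):
        guess = f"{n:0{PIN_DIGITS}d}"
        if account.login(guess):
            return guess, n + 1
        if account.locked:
            return None, n + 1
    return None, PIN_SPACE


def worst_case_hours(guesses_per_second):
    """Hours needed to exhaust the whole PIN space at a given online rate."""
    return PIN_SPACE / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample account: number and PIN chosen for the demo only.
    weak = Account("555-0100", "004242")
    print("no lockout:", brute_force(weak))            # ('004242', 4243)
    hardened = Account("555-0100", "004242", max_failures=5)
    print("lockout after 5:", brute_force(hardened))   # (None, 5)
    print("hours at 12 guesses/s:", round(worst_case_hours(12), 1))  # 23.1
```

The rate figure is only there to show the arithmetic behind "inside of one day": at an assumed 12 login attempts per second the entire million-value space is covered in about 23 hours, and on average a PIN falls in half that. A lockout (or, less disruptively for the legitimate user, per-number rate limiting with increasing delays) caps the attacker at a few guesses regardless of how small the PIN space is, which is why the missing lockout, not just the short PIN, is the decisive flaw.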

Burke says he has had multiple conversations with Virgin Mobile USA regarding the problem dating back to August 15. His last correspondence was on September 14, when Virgin Mobile told him there would be no further action on this issue from their end.

Follow @JaneMcEntegart on Twitter.


15 comments

  • Jim_L9, September 18, 2012 5:42 PM (score: 4)
    Ouch, that stinks!
  • snowzsan, September 18, 2012 5:48 PM (score: 3)
    Considering I personally use Virgin, that kinda blows.

    But in the same respect, I don't associate anything of any monetary value with anything I could so easily lose, or in this case, that could be easily accessed by malicious means.

    In general, this is just further proof that the best defence is your own. Be smart with your money and where you put it.
  • teh_chem, September 18, 2012 6:18 PM (score: 4)
    I also use VM, and I was concerned about this since the get-go.

    What bothers me more is that when you call and speak with CS, in order to access your account, they ask for your password. UMMMMM... isn't that ALSO a bad thing? Why should "real" customer support on the inside of the system require my password that I use to log in from the outside? IIRC, people have verified that they require your password because they essentially log in to your account as you in order to see the information on your account (not to actually verify your identity). I'd be more worried about that first than some brute-force password crack.

    @snowzsan: do you use their option for automatic payments?
  • COLGeek, September 18, 2012 6:35 PM (score: 0)
    Pretty (as in VERY) loose security model (not!) there. Accounts are sure to not remain "virgins" to nefarious uses. Not good, Virgin, not good at all.
  • Old_Fogie_Late_Bloomer, September 18, 2012 6:55 PM (score: 4)
    I'm waiting for Virgin Mobile to sue this guy for going public about a massive security flaw that they're refusing to fix...
  • ddpruitt, September 18, 2012 7:12 PM (score: 4)
    I guess it's time for me to switch to someone else. False security is worse than no security.
  • rantoc, September 18, 2012 8:04 PM (score: 2)
    Now that the media know of it, they will say they take all users' security as the highest priority and change it, not a second before... bastards!
  • kelemvor33, September 18, 2012 8:08 PM (score: 2)
    I always thought it was lame that VM just used a 6-digit PIN. Especially with all the sites getting hacked into lately and things like that, you'd think they'd change their system. Maybe they will now that this has gone public...
  • teh_chem, September 18, 2012 8:40 PM (score: -1)
    I think another good question is, while it's clear that their extent of password security is terribad and needs to change, what is the real likelihood that you're going to get hacked? People would have to have your cell phone number AND know that you're a VM user. Is it possible to extract the carrier from a cell phone number?

    I'm not defending the situation, but the real chance of brute-forcing an account is dependent on knowing the specific cell phone number and knowing that it's a VM account. Think about myself: the only people I can think of who know that much about my cell phone are probably just my friends and family. I doubt they're going to try to brute force into my account.

    Regardless, it should be fixed. I wonder if a petition is going to start up? Also, is there a stipulation of site access security that the FCC presides over? Can one lodge a complaint on these grounds?
  • Vorador2, September 18, 2012 9:09 PM (score: 3)
    How hard is it to change a password system? Really, Virgin?
  • bunz_of_steel, September 18, 2012 9:15 PM (score: 0)
    I just signed up w/ Boost Mobile... wonder if it's the same thing, just not a Virgin. Anyways, nobody will hack your account because they make you sign an agreement that you promise not to hack... LOL.
  • Anonymous, September 18, 2012 11:10 PM (score: 0)
    Boost only has a 4-digit PIN.
  • livebriand, September 19, 2012 12:07 AM (score: 0)
    T-Mobile doesn't allow you to use special characters, just numbers and letters. Darn...
  • face-plants, September 19, 2012 4:55 AM (score: 1)
    "Virgin Mobile told him there would be no further action on this issue from their end."

    Yeah, good luck getting away with not fixing this issue now, Virgin! It's out in the open and not the kind of obscure exploit that only a handful of people can take advantage of. Anyone with minimal IT knowledge and access to Google can access any Virgin Mobile account at will now.
  • Anonymous, September 20, 2012 11:48 PM (score: 0)
    They will eventually lock it after three attempts, the same way Boost does. Also, Sprint needs to step the fuck in.