Virgin Mobile Vulnerability Leaves 6 Million at Risk

One developer has discovered a vulnerability in Virgin Mobile's system that leaves the carrier's six million subscribers at risk. Kevin Burke writes that anyone with your phone number can log into your Virgin Mobile account and make purchases, see your call and SMS logs, change your account details, and change the phone associated with your account.

According to Burke, Virgin Mobile, a subsidiary of Sprint, uses your phone number as your username and forces you to use a 6-digit number (no letters or special characters allowed) as the password for your account. This 6-digit number means there's only one million possible passwords to choose from. This alone is pretty bad practice, but the fact that Virgin Mobile USA doesn't actually lock your account after a given number of wrong attempts means you, or a handy script you've written, can enter wrong passwords all day long until you hit upon the correct combination of numbers. That's just what Burke did.

"It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day," Kevin writes. "I verified this by writing a script to 'brute force' the PIN number of my own account."

Burke says he has had multiple conversations with Virgin Mobile USA regarding the problem dating back to August 15. His last correspondence was on September 14, when Virgin Mobile told him there would be no further action on this issue from their end.

Follow @JaneMcEntegart on Twitter.                     

Contact Us for News Tips, Corrections and Feedback

 

 

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
15 comments
    Your comment
  • Jim_L9
    Ouch, that stinks!
    4
  • snowzsan
    Considering I personally use Virgin, that kinda blows.

    But in the same respect, I don't associate anything of any monetary value to anything I could so easily lose, or in this case, could be easily accessed by malicious means.

    In general, this is just further proof that the best defence is your own. Be smart with your money and where you put it.
    3
  • teh_chem
    I also use VM, and I was concerned about this since the get-go.

    What bothers me more is that when you call and speak with CS, in order to access your account, they ask for your password. UMMMMM...isn't that ALSO a bad thing? Why should "real" customer support on the inside of the system require my password that I use to log in from the outside? IIRC, people have verified that they require your password because they essentially log in to your account as you in order to see the information on your account (not to actually verify your identity). I'd be more worried about that first than some brute-force password crack.

    @snowzsan--do you use their option for automatic payments?
    4