19 Sep 2012

Hacking Virgin Mobile User Accounts Too Easy, Dev Says, Due to Six-Digit Passwords, Number-Only PINs

Developer Kevin Burke claims that Virgin Mobile USA has a faulty authentication process, which makes account PINs number-only and limits passwords to six digits, putting users at high risk of brute-force attacks, reports cnet.com. 

Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password, writes Burke in a blog post quoted by cnet.com. With “only one million possible passwords you can choose” the system is “horribly insecure. Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day."

Burke says he double-checked his discovery by creating a script that brute-forced his own PIN. Another security slip he pointed out is that, by clearing browser cookies, an attacker could easily circumvent Virgin’s account-freeze system, which kicks in after several failed login attempts.

Armed with your Virgin Mobile USA phone number alone, an attacker could “see who you’ve been calling and texting … change the handset associated with your number … change your address, your email address, or your password,” and “purchase a handset on your behalf.”

Burke has already notified the company about the issues. In his blog post, he provides a lengthy history of his communication with Virgin Mobile representatives that led to no progress whatsoever on the matter. “I reported the issue to Virgin Mobile USA a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly,” Burke wrote.

The security blogger sends out a serious warning to current Virgin Mobile USA users. “There is currently no way to protect yourself from this attack. Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN. If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.”