Virgin Mobile Leaves Their Customers Wide Open To Attack
September 19, 2012

Millions of Virgin Mobile Accounts Are Vulnerable To Attack

Michael Harper for — Your Universe Online

Last month, the Internet watched along in horror as one Wired writer had his entire digital life placed in jeopardy. His iPad, iPhone and MacBook Air were locked down and his Twitter account (along with the Twitter account for Gizmodo) were taken over and used to broadcast all sorts of idiotic dribble in quick succession.

As he tried to piece together his digital life, Mat Honan had a chance to speak with his teenaged hackers who told him exactly how they were able to take control of his accounts with relative ease. While the hackers were responsible for bringing emotional harm to Honan´s life, it turned out Amazon and Apple didn´t do much to stop them.

This week, another online personality has discovered another incredibly dangerous flaw in the privacy protocols of another company, Virgin Mobile.

When Virgin Mobile customers are asked to create a username and password to gain access to the Virgin Mobile Web site, they are locked into 2 very insecure credentials. First, Virgin doesn´t give customers a choice in selecting a username: It can only be your phone number. Secondly, a customer´s password can only be composed of 6 digits. No more, no less, and no letters or characters can be used.

While some may continue to guard their cell phone number, for many, they´re as freely given as a handshake in matters of business or otherwise. It´s because of this easily accessible and wide open piece of data that Kevin Burke, a web designer from Silicon Valley, became alarmed at how vulnerable Virgin Mobile customers´ data can be. What´s even more frightening is Virgin Mobile´s response when Burke brought this terrible gap in security to their attention.

As Burke explains in his blog, limiting customers to 6-digit (and digit only) account PIN is “horribly insecure.” With only 6 digits, there are around 900,000 possible password combinations to be picked from by Virgin customers. To prove just how easy it would be to discover a 6-digit PIN, Burke wrote a script to basically conduct a “brute force” attack on his own account. He was able to do so in a single day.

Once inside a Virgin account, hackers have full access to call and text logs, change the phone associated with the account, buy a new phone (the price of which would be reflected on the next bill) and even change the PIN and account email address, locking a customer out of their account.

Our phones are with us every day and, as such, end up picking up a lot of details and information about our lives, such as who we´ve been talking to, where we´ve been and who we plan on talking to in the future and where. Imagine how much damage a hacker could do with this kind of sensitive and incredibly personal information.

It was this thought which drove Burke to bring this vulnerability to the attention of Virgin Mobile.

He started low on the chain, reaching out to the company first on Twitter, though the representative didn´t understand the weight of the problem in only 140 characters.

Burke then tried calling various other representatives over the next 2 days, each time being asked to present his username (phone number) and PIN.

Finally, a rep escalates the matter to Sprint Executive and Regulatory Services. An executive from SPRS asked Burke to get in touch, and after explaining the gaping hole in the security fence, the Regulatory Services executive promised only to keep the issue moving to another team.

For nearly a month, Burke heard nothing more from the Regulatory Services executive other than that the issue had been passed on to the appropriate team. Frustrated, Burke then told the executive he planned to take this news public if Virgin didn´t announce any plans to resolve the issue. In response, Burke said he received a phone call saying Virgin would take no action to repair this flaw.

Since this story has gone public, Sprint and Virgin have said they have begun to lock people out of accounts after 4 failed attempts, but as Burke points out, anyone can easily sidestep this feature by not using the same cookies for each request.

So far, neither Sprint nor Virgin have taken any further steps to fix this vulnerability.

“For the moment,” writes Burke, “I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.”