Virgin Mobile Plugs Security Hole, Millions Sigh in Relief
The power of the Internet makes us wonder how we ever got along without it. Case in point: Kevin Burke, an independent developer, discovered a major security hole that left six million Virgin Mobile USA customers vulnerable to a relatively simple brute force attack. After alerting Virgin Mobile of the flaw a month ago and seeing no fix in sight, he decided to make the matter public
"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means there are only one million possible passwords you can choose," Burke explained in a blog post. "This is horribly insecure, Compare a 6-digit number with a randomly generated 8 letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations."
If a Virgin Mobile user ticked off the wrong person, all they'd need to do is write a fairly simple script to determine their password using brute force, and they'd have access to their online account within the day. Furthermore, changing the PIN on a compromised account would only provide temporary relief, because the new one would be just as guessable.
According to Burke, he informed Virgin Mobile USA of this issue on August 17, but it was only after he made a stink on the Internet and publicly disclosed the vulnerability that the wireless company finally took action.
"Now, after about 20 incorrect logins from one IP address, every further request to their servers returns 404 Not Found. This fixes the main vulnerability I disclosed Monday," Burke added to his blog in a recent update.
Even with the fix in place, Burke contends that PINs are a bad idea, for a number of reasons. One of those is the fact that people can't use their usual password, so they fall back to using something obvious, like a birthday. It's also potentially dangerous that Virgin Mobile asks for PINs in emails and over the phone, "so if an attacker gains access to someone's email, or is within earshot of someone on a call to customer service, they have the PIN right here."
"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means there are only one million possible passwords you can choose," Burke explained in a blog post. "This is horribly insecure, Compare a 6-digit number with a randomly generated 8 letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations."
If a Virgin Mobile user ticked off the wrong person, all they'd need to do is write a fairly simple script to determine their password using brute force, and they'd have access to their online account within the day. Furthermore, changing the PIN on a compromised account would only provide temporary relief, because the new one would be just as guessable.
"Now, after about 20 incorrect logins from one IP address, every further request to their servers returns 404 Not Found. This fixes the main vulnerability I disclosed Monday," Burke added to his blog in a recent update.
Even with the fix in place, Burke contends that PINs are a bad idea, for a number of reasons. One of those is the fact that people can't use their usual password, so they fall back to using something obvious, like a birthday. It's also potentially dangerous that Virgin Mobile asks for PINs in emails and over the phone, "so if an attacker gains access to someone's email, or is within earshot of someone on a call to customer service, they have the PIN right here."
