Writing on his personal blog, Burke explains how Virgin’s log-in system is a privacy hell story waiting to happen since the only credentials required to log-in are a user’s phone number and a six number password.
The fact that users can’t opt for alpha-numerical, mixed case passwords, leaves the system open to cracking, and customer data exposure. Burke explains how easily an account can be accessed if the phone number is known:
This is horribly insecure. Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits – the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day. I verified this by writing a script to “brute force” the PIN number of my own account.
Here’s another kicker, the Virgin site appears to have no limitation on failed log-ins. Burke himself made 100 failed log-in attempts with no lock-out – that’s a particularly worrying flaw as it allows hackers to keep trying password combinations without pressure.
Now to the important part, what can a potential hacker do once they are in a Virgin Mobile customer’s account? Quite a lot, it seems.
Read your call and SMS logs, to see who’s been calling you and who you’ve been calling
Change the handset associated with an account, and start receiving calls/SMS that are meant for you. They don’t even need to know what phone you’re using now. Possible scenarios: $5/minute long distance calls to Bulgaria, texts to or from lovers or rivals, “Mom I lost my wallet on the bus, can you wire me some money?”
Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card
Change your PIN to lock you out of your account
Change the email address associated with your account (which only texts your current phone, instead of sending an email to the old address)
Change your mailing address
Make your life a living hell
Particular emphasis on that final point and, most importantly, Burke points out that there is very little customers can do, bar changing their operator (we’ll see how that goes).
The part that raises the most concern is that the Twilio staffer says he has highlighted these points to Virgin Mobile already and yet, one month later, the system remains the same.
This set-up is emblematic of an ‘it’ll never be me’ mentality that so many firms adopt when it comes to online security. They trust in the fact that they are unlikely to be targeted and don’t need to worry about upgrading their systems, which are ‘probably safe’.
Given the spate of hackings this year — which have included LinkedIn, Yahoo Voices, Formspring, Billabong and more — Virgin would do well to address this issue immediately. Not only will Burke’s concerns gain the attention of the media, but his post already hit the front page of Hacker News – the horse has bolted.
We contacted Virgin Mobile for comment but, as it is the middle of the night US time at the time of writing, we don’t anticipate receiving a response until Tuesday morning Stateside.
Wired did touch base with the carrier, only to be told that it has a “lockout feature for multiple password attempts”, which Burke was unable to verify. A spokesperson with Sprint — owner of Virgin — also told the news site: “We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.”
Burke says he is testing other Virgin Mobile sites in other countries, which could lead to more security concerns the world over. Already some Virgin customers have hacked into their own accounts using code.
Go check out Burke’s post for the full low-down.
A Virgin Mobile USA spokeswoman provided this comment to TNW:
To be clear, we haven’t seen any reports of Virgin customers’ account being hacked, nor any unauthorized access.
It’s important to note that there are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing. While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place.
We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts. Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges. We maintain our vigilance in this area to avoid any compromise of our customers’ accounts and the privacy and security of their information.
We greatly appreciate Mr. Burke’s outreach to the company and are reaching out to him as well. His inquiry did enable us to even further secure our customers’ accounts.