Virgin Mobile USA online subscriber accounts can be easily hacked, developer says

September 18, 2012 — IDG News Service — The online accounts of Virgin Mobile USA subscribers are vulnerable to brute force attacks because the company forces customers to use weak passwords on its website, according to a software developer.

"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password," Kevin Burke, a software engineer at cloud communication company Twilio said Monday in a blog post. "This means that there are only one million possible passwords you can choose."

"This is horribly insecure," Burke said. "Compare a 6-digit number with a randomly generated 8-letter password containing upper-case letters, lower-case letters, and digits - the latter has 218,340,105,584,896 possible combinations."

Burke claims that he wrote a program which can determine the PIN number for any Virgin Mobile USA online account in less than a day, as long as the target's phone number is known, and which he successfully tested against his own account.

Once inside a Virgin Mobile online account, an attacker can read the account owner's call and SMS logs, change the handset associated with the account, change the email address and the mailing address, purchase a new handset with the credit card information on record and more, Burke said.

Burke claims that he notified Virgin Mobile USA and its parent company, Sprint Nextel, of the security issue on August 15 and he was initially told that the matter will be looked into. However, on September 14, in response to a request for a status update, a Sprint representative said that no further action will be taken by Virgin Mobile, Burke said.

It seems that Virgin Mobile USA does have some protection mechanism against brute force attacks built into its website. However, according to Burke, that protection is poorly implemented.

"Some people are mentioning they freeze you out after 4 invalid login attempts," Burke said Tuesday via email. "However you can get around this limitation by a) clearing your cookies, or b) not using a web browser like Google Chrome or Firefox to try the login attempts."

"I tried 100 bad logins in a row, followed by my good login, without getting locked out last night," the developer said. "An attacker could do the same."

When choosing their PIN on the Virgin Mobile website, customers are asked not to use more than 3 identical digits in a row -- for example 2222 -- and no more than 3 sequential numbers -- for example 2345. This is probably intended to make PINs more random and harder to guess.

Ironically, this actually decreases the number of variants that an attacker has to try in order to determine a PIN number when using a brute force attack.

"Practically speaking there's not much difference between 900K [thousands] possible combinations and a million combinations," Burke said. "It adds a little bit of time but what's an extra few minutes to a computer."

"They [Virgin Mobile USA] should allow people to use any character in their passwords, and probably set a *minimum* of 6 characters in a password," Burke said. "As I pointed out in the blog post, an 8 character password with 62 possibilities for each character has 218 trillion possible different combinations, making it impractical to brute force during our lifetime."

Virgin Mobile USA did not return a request for comment.