Printed from http://www.electronista.com

Developer: Virgin Mobile USA customer account security weak

updated 03:06 am EDT, Wed September 19, 2012

Security system allows for limited number of unique passwords

Twilio developer Kevin Burke appears to have found a serious security flaw in Virgin Mobile USA's online authentication system. Anyone who knows a customer's valid Virgin Mobile number may, with little effort, be able to see who a subscriber has been calling, change the handset associated with a phone number, change billing information, and even purchase a handset using a credit card if it is stored on the service.

Prepaid phone service provider Virgin Mobile requires users to use their phone number as the account username and a six-digit number as the password (with the suggestion that users use their birthdate). That leaves only around a million possible passwords, which can be easily determined by a "brute force" attack with a rudimentary script.

Burke suggested basic security steps to Virgin Mobile upon discovering the issue, none of which have been seriously undertaken, prompting the public disclosure of the issue after several warnings to Virgin Mobile executives. He suggests the company "freeze" accounts after five failed login attempts, along with implementation of the most basic of password security measures: giving users the option of setting more complex passwords that include letters and numbers alongside the digits already allowed.

Virgin Mobile was contacted by Burke on August 15 with the details of the weak security. Burke was rebuffed at every turn by customer support representatives, few of whom he says understood the magnitude of the issue. The company finally did implement a cookie in the user's browser, tracking how many login attempts have been made with incorrect passwords and locking the user out once the maximum number of attempts was reached. However, the "lockout" enforced by the cookie wasn't implemented server-side, so a well-coded "brute force" tool could simply discard the cookie before every fifth attempt, making the "security" measure ineffective.
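The difference between the cookie-based lockout and a server-side one, as an added example that is not Virgin Mobile's or Burke's code: the function names, the wiring of the five-attempt threshold, and the sample PIN values are assumptions, and the model client that drops the cookie stands in for the behaviour the article describes.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED = 5  # freeze after five failures, the threshold Burke proposed

@dataclass
class Account:
    pin: str            # six-digit PIN, kept in clear here for brevity
    failures: int = 0   # server-side failed-attempt counter

def cookie_login(account, pin, cookie):
    """Flawed scheme: the failure count lives only in a browser cookie.
    Returns (success, cookie_to_set); a dropped cookie reads as count 0."""
    failures = int(cookie) if cookie else 0
    if failures >= MAX_FAILED:
        return False, str(failures)
    if hmac.compare_digest(account.pin, pin):
        return True, "0"
    return False, str(failures + 1)

def server_login(account, pin):
    """Hardened scheme: the counter is keyed on the account and kept on
    the server, so nothing the client omits or rewrites can reset it."""
    if account.failures >= MAX_FAILED:
        return False  # frozen: rejects even the correct PIN until support resets it
    if hmac.compare_digest(account.pin, pin):
        account.failures = 0
        return True
    account.failures += 1
    return False

# Constructed sample: six wrong guesses, then the account's real PIN.
WRONG = ["000000", "111111", "123456", "010180", "310190", "121299"]
REAL_PIN = "042585"

def run_cookie_scheme(keep_cookie):
    """True if the real PIN is still accepted after the wrong guesses."""
    acct, cookie = Account(pin=REAL_PIN), None
    for guess in WRONG:
        _, new_cookie = cookie_login(acct, guess, cookie)
        cookie = new_cookie if keep_cookie else None  # False: client discards it
    return cookie_login(acct, REAL_PIN, cookie)[0]

def run_server_scheme():
    """Returns (real PIN accepted after the wrong guesses, account frozen)."""
    acct = Account(pin=REAL_PIN)
    for guess in WRONG:
        server_login(acct, guess)
    return server_login(acct, REAL_PIN), acct.failures >= MAX_FAILED
```

A well-behaved browser that keeps the cookie is locked out by both schemes; only the server-side counter also stops the client that discards it.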

Electronista spoke with a Virgin Mobile representative about the matter, and was told that "further measures are being considered for implementation," but when pressed, the contact declined to provide any more information on what countermeasures would be taken or a timetable for implementation.



By Electronista Staff