Printed from http://www.electronista.com

Developer: Virgin Mobile USA customer account security weak

updated 03:06 am EDT, Wed September 19, 2012

Security system allows for limited number of unique passwords

Twilio developer Kevin Burke appears to have found a serious security flaw in Virgin Mobile USA's online authentication system. Anyone who knows a customer's valid Virgin Mobile number may, with little effort, be able to see who a subscriber has been calling, change the handset associated with a phone number, change billing information, and even purchase a handset using a credit card if it is stored on the service.

Prepaid phone service provider Virgin Mobile requires users to use their phone number as the account username and a six-digit number as the password (with the suggestion that users use their birthdate) -- allowing only around a million possible passwords, which can be easily determined by a "brute force" attack with a rudimentary script.

Burke suggested basic security steps to Virgin Mobile upon discovering the issue, none of which have been seriously undertaken -- prompting public disclosure of the issue after several warnings to Virgin Mobile executives. He suggests the company "freeze" accounts after five failed login attempts, along with implementing the most basic of password security measures -- giving users the option of setting longer, more complex passwords that mix letters and numbers rather than digits only.

Virgin Mobile was contacted by Burke on August 15 with the details of the weak security. Burke was rebuffed at every turn by customer support representatives, few of whom he says understood the magnitude of the issue. The company finally did implement a cookie on the user's browser, tracking how many login attempts had been made with incorrect passwords and locking the user out once the maximum number of attempts was reached. However, the "lockout" enforced by the cookie wasn't implemented server-side, so a well-coded "brute force" tool could simply discard the cookie before every fifth attempt, making the "security" measure ineffective.
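To make the distinction concrete, here is an added illustration (written for this article, not Virgin Mobile's code) of why a failed-attempt counter has to live on the server. The first function models the cookie-based scheme the article describes: the server only knows about failures the client chooses to report back, so a client that sends no cookie is never locked. The `LoginService` class keeps the counter keyed by account on the server side, so the right PIN is refused during the lockout window regardless of what the client sends. The lockout threshold, window length, phone number and PIN are all constructed placeholder values, not Virgin Mobile's settings.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Policy values are assumptions for this example, not the carrier's real settings.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class Account:
    phone_number: str           # used as the username, as the article describes
    pin: str                    # six-digit PIN
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def cookie_only_lockout(cookie: Optional[dict]) -> bool:
    """The weak pattern: the only record of failed attempts is a cookie that the
    client decides whether to send back. No cookie means no lockout."""
    if cookie is None:
        return False
    return cookie.get("failed_attempts", 0) >= MAX_FAILED_ATTEMPTS


class LoginService:
    """Server-side lockout: the counter is stored per account on the server, so
    nothing the client sends or withholds can reset it."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.phone_number: a for a in accounts}
        self.clock = clock   # injectable so the lockout window can be tested

    def attempt_login(self, phone_number: str, pin: str) -> str:
        acct = self.accounts.get(phone_number)
        if acct is None:
            return "failed"      # same answer as a wrong PIN: no account enumeration
        now = self.clock()
        if now < acct.locked_until:
            return "locked"      # refuse before even checking the PIN
        if hmac.compare_digest(acct.pin, pin):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "failed"


def demo() -> dict:
    """Constructed scenario: five wrong PINs, then the correct one during and
    after the lockout window. Phone number and PIN are made-up sample values."""
    now = [1_000_000.0]
    svc = LoginService([Account("5550100000", "123456")], clock=lambda: now[0])
    results = [svc.attempt_login("5550100000", "000000") for _ in range(5)]
    during_lockout = svc.attempt_login("5550100000", "123456")  # right PIN, still refused
    now[0] += LOCKOUT_SECONDS + 1
    after_lockout = svc.attempt_login("5550100000", "123456")
    return {
        "results": results,                      # 4 x "failed", then "locked"
        "during_lockout": during_lockout,        # "locked"
        "after_lockout": after_lockout,          # "ok"
        "no_cookie_is_locked": cookie_only_lockout(None),   # False: the weakness
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `clock` parameter is only testability; in a real deployment the counter would sit in the account database or a shared store rather than in process memory, so that it survives restarts and is shared across web servers.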

Electronista spoke with a Virgin Mobile representative about the matter, and was told that "further measures are being considered for implementation," but when pressed, the contact declined to provide any more information on what countermeasures would be taken or a timetable for implementation.



By Electronista Staff