updated 03:06 am EDT, Wed September 19, 2012
Six-digit password scheme allows only a million possible logins
Twilio developer Kevin Burke appears to have found a serious flaw in Virgin Mobile USA's online authentication system. Anyone who knows a customer's Virgin Mobile phone number can, with little effort, see who that subscriber has been calling, change the handset associated with the number, change billing information, and even purchase a handset with the customer's credit card if one is stored on the account.
Prepaid carrier Virgin Mobile uses the customer's phone number as the account username and a six-digit number as the password (with the suggestion that users enter their birthdate). A six-digit numeric password has exactly one million (10^6) possible values, and the birthdate suggestion makes the realistic search space smaller still, since a date in MMDDYY form leaves only a few tens of thousands of plausible candidates. Either way, a rudimentary script can try every value in a "brute force" attack.
Burke proposed basic countermeasures to Virgin Mobile when he discovered the issue; none has been seriously undertaken, which prompted him to disclose the problem publicly after several warnings to Virgin Mobile executives. He suggests that the company "freeze" an account after five failed login attempts, and adopt the most basic password security measure of all: letting users optionally set longer, more complex passwords that include letters as well as the digits currently allowed.
Burke contacted Virgin Mobile on August 15 with details of the weakness. He says he was rebuffed at every turn by customer support representatives, few of whom understood the magnitude of the issue. The company eventually did set a cookie in the user's browser to count failed login attempts and lock the user out once the maximum number was reached. But that lockout is enforced only by the cookie, not by a counter kept server-side, so a brute-force tool simply discards the cookie before every fifth request; the counter never reaches the limit and the "security" measure is ineffective against anyone but a cooperative browser.
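To make the two points above concrete, here is an added example (written for this article, not code from Burke or Virgin Mobile) that simulates a six-digit-PIN login in two versions: one whose lockout counter lives in a client-supplied cookie, and one that keeps the counter server-side. A brute-force routine walks the keyspace, trying birthdate-shaped MMDDYY values first, and optionally throws the cookie away before each request, as the tool described above does. The account, phone number, PINs and five-attempt threshold are all constructed for the demo.

```python
"""Added example (not from the article or Virgin Mobile): a simulated
six-digit-PIN login with the two lockout designs the article contrasts.
All accounts, PINs and limits below are constructed for the demo."""
import itertools

MAX_FAILURES = 5          # the lockout threshold Burke suggested
PIN_LENGTH = 6            # six-digit numeric password: 10**6 = 1,000,000 values


def candidate_pins():
    """Yield the whole six-digit space, birthdate-shaped MMDDYY values first.
    The site nudges users toward their birthdate, so an attacker orders the
    search that way: at most 12*31*100 = 37,200 guesses (some of them
    impossible dates, which is harmless) before falling back to the rest."""
    seen = set()
    for m, d, y in itertools.product(range(1, 13), range(1, 32), range(100)):
        pin = f"{m:02d}{d:02d}{y:02d}"
        seen.add(pin)
        yield pin
    for n in range(10 ** PIN_LENGTH):
        pin = f"{n:0{PIN_LENGTH}d}"
        if pin not in seen:
            yield pin


class CookieLockoutLogin:
    """Vulnerable design: the failed-attempt counter is a cookie the client
    sends back, so the server only sees what the client chooses to report."""

    def __init__(self, accounts):
        self.accounts = accounts                     # phone number -> PIN

    def login(self, phone, pin, cookie):
        failures = int(cookie.get("failures", 0))   # trusted client input
        if failures >= MAX_FAILURES:
            return "locked", cookie
        if self.accounts.get(phone) == pin:
            return "ok", {"failures": 0}
        return "bad_pin", {"failures": failures + 1}


class ServerLockoutLogin:
    """Hardened design: the counter is keyed by account on the server, so
    discarding the cookie does not reset it."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = {}                           # phone number -> count

    def login(self, phone, pin, cookie=None):
        if self.failures.get(phone, 0) >= MAX_FAILURES:
            return "locked", {}
        if self.accounts.get(phone) == pin:
            self.failures.pop(phone, None)
            return "ok", {}
        self.failures[phone] = self.failures.get(phone, 0) + 1
        return "bad_pin", {}


def brute_force(service, phone, drop_cookie=True):
    """Walk candidate_pins() against `service` until success or lockout.
    drop_cookie=True models the tool the article describes: it throws the
    cookie away before each request. Returns (pin or None, requests sent)."""
    cookie = {}
    requests = 0
    for pin in candidate_pins():
        status, new_cookie = service.login(phone, pin, cookie)
        requests += 1
        if status == "ok":
            return pin, requests
        if status == "locked":
            return None, requests
        cookie = {} if drop_cookie else new_cookie
    return None, requests


if __name__ == "__main__":
    accounts = {"5555550123": "070485"}   # constructed victim: PIN is a birthdate
    # Cookie-based lockout, cookie discarded: PIN recovered in ~19,000 requests.
    print(brute_force(CookieLockoutLogin(accounts), "5555550123"))
    # Same server, cooperative client that keeps the cookie: locked after 5.
    print(brute_force(CookieLockoutLogin(accounts), "5555550123", drop_cookie=False))
    # Server-side counter: locked after 5 no matter what the client sends.
    print(brute_force(ServerLockoutLogin(accounts), "5555550123"))
```

Against the cookie-based server the attacker recovers the birthdate PIN in under 19,000 requests, and would need at most one million for any six-digit value; against the server-side counter the sixth request is refused regardless of cookies. Note that a per-account lockout on its own lets anyone who knows a phone number lock its owner out, so in practice it is paired with rate limiting by source address and a recovery path, which this simulation omits.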
Electronista spoke with a Virgin Mobile representative about the matter and was told that "further measures are being considered for implementation," but when pressed, the contact declined to say what countermeasures would be taken or when.