Printed from http://www.electronista.com

Developer: Virgin Mobile USA customer account security weak

updated 03:06 am EDT, Wed September 19, 2012

Security system allows for limited number of unique passwords

Twilio developer Kevin Burke appears to have found a serious security flaw in Virgin Mobile USA's online authentication system. Anyone who knows a customer's valid Virgin Mobile number may, with little effort, be able to see who a subscriber has been calling, change the handset associated with a phone number, change billing information, and even purchase a handset using a credit card if it is stored on the service.

Prepaid phone service provider Virgin Mobile requires users to use their phone number as the account username and a six-digit number as the password (with the suggestion that users use their birthdate) -- allowing only around a million possible passwords, which can be easily determined by a "brute force" attack with a rudimentary script.

Burke suggested basic security steps to Virgin Mobile upon discovering the issue, none of which have been seriously undertaken -- prompting the public disclosure of the issue after several warnings to Virgin Mobile executives. He suggests the company "freeze" accounts after five failed password attempts, along with implementation of the most basic of password security measures -- allowing users the option of setting more complex passwords involving letters and numbers in addition to the digits currently allowed.

Virgin Mobile was contacted by Burke on August 15 with the details of the weak security. Burke was rebuffed at every turn by customer support representatives, few of whom he says understood the magnitude of the issue. The company finally did implement a cookie in the user's browser, tracking how many login attempts had been made with incorrect passwords and locking the user out once the maximum number of attempts was reached. However, the "lockout" facilitated by the cookie wasn't enforced server-side, so a well-coded "brute force" tool could simply discard the cookie before every fifth attempt, making the "security" measure ineffective.

Electronista spoke with a Virgin Mobile representative about the matter, and was told that "further measures are being considered for implementation," but when pressed, the contact declined to provide any more information on what countermeasures would be taken or a timetable for implementation.



By Electronista Staff