A Virgin Mobile customer claims that it’s easy for hackers to access customers’ accounts via the wireless provider’s website — and not only is there nothing customers can do to defend themselves, the folks at the Virgin don’t really seem too concerned about it.
On his blog, Kevin Burke goes through the ins and outs of how he realized the vulnerability and how he attempted to bring it to the company’s attention.
“There is no way for any of their 6 million subscribers to defend against this attack,” he tells Consumerist. “I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it.”
The problem is really quite simple, he explains. Virgin Mobile requires you to use your phone number as your login, and the password can only be six digits — no letters or special characters.
And there doesn’t appear to be a limit on how many failed attempts one can make before being locked out of one’s account.
Thus, says Burke, he was able to write a “brute force” script that would keep attempting to generate PINs until it found the right one.
It’s worth noting that Virgin Mobile’s numerical passwords cannot have three sequential numbers or three of the same number in a row. While those rules would seem to cut down on the number of people who have passwords like “123123” or “111111,” it seems to us like that just makes the hacker’s job easier by eliminating potential passwords.
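To put a number on that last point, here is an added example (not code from the article or from Kevin Burke’s post) that counts how many six-digit PINs survive the two composition rules. It assumes that “three sequential numbers” means an ascending run of consecutive digits such as 123 (as in the article’s “123123” example) and that “three of the same” means a run such as 111; the article does not say whether descending runs like 321 are also rejected, so they are treated as allowed here.

```python
"""Added example: measure how Virgin Mobile's PIN composition rules
shrink the space of possible PINs. Not code from the article or from
Kevin Burke's post; the interpretation of the rules is an assumption."""


def window_allowed(a: int, b: int, c: int) -> bool:
    """Apply the rule to any three consecutive digits.

    Assumption: a "sequential" run is ascending (1,2,3), and a "same"
    run is three identical digits (1,1,1). Descending runs are allowed.
    """
    same = a == b == c
    ascending = b == a + 1 and c == b + 1
    return not (same or ascending)


def is_allowed_pin(pin: str) -> bool:
    """True if a six-digit PIN passes every three-digit window check."""
    if not (pin.isdigit() and len(pin) == 6):
        return False
    d = [int(ch) for ch in pin]
    return all(window_allowed(d[i], d[i + 1], d[i + 2]) for i in range(len(d) - 2))


def count_allowed_pins(length: int = 6) -> int:
    """Count allowed PINs of the given length without enumerating all of them.

    Dynamic programme over the last two digits: each state (a, b) holds
    the number of prefixes ending in those digits; extending by c is
    allowed only when the window (a, b, c) passes the rule.
    """
    counts = {(a, b): 1 for a in range(10) for b in range(10)}
    for _ in range(length - 2):
        nxt = {}
        for (a, b), n in counts.items():
            for c in range(10):
                if window_allowed(a, b, c):
                    nxt[(b, c)] = nxt.get((b, c), 0) + n
        counts = nxt
    return sum(counts.values())


def keyspace_report(length: int = 6) -> dict:
    """Summarise how much of the 10**length space the rules remove."""
    total = 10 ** length
    allowed = count_allowed_pins(length)
    removed = total - allowed
    return {
        "total": total,
        "allowed": allowed,
        "removed": removed,
        "removed_pct": round(100 * removed / total, 2),
    }


if __name__ == "__main__":
    print(keyspace_report())
```

The point of the report is the one the article makes: every PIN the rule forbids is a PIN a guesser never has to try, so a composition rule that only removes candidates reduces the search space rather than the risk. The control that actually matters is the lockout or rate limit discussed below.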
Regardless, Kevin says he was able to use the script to crack open his own account. He claims that if someone does this to a Virgin Mobile customer they can:
* Read your call and SMS logs, to see who’s been calling you and who you’ve been calling
* Change the handset associated with an account, and start receiving calls/SMS that are meant for you.
* Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card
* Change your PIN to lock you out of your account
* Change the email address associated with your account (which only texts your current phone, instead of sending an email to the old address)
* Change your mailing address
Because this problem is tied to the Virgin Mobile password system and customers have no control over this, Burke says customers have no way of protecting their accounts.
He suggests a number of possible fixes for Virgin to implement, including:
* Allowing people to set more complex passwords, involving letters, digits, and symbols.
* Freezing your account after 5 failed password attempts.
* Requiring both your PIN, and access to your handset, to log in.
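The second suggestion, freezing an account after five failed attempts, is the one that directly defeats unlimited guessing. The following added example (not Virgin Mobile’s, Sprint’s, or Kevin Burke’s code) shows a minimal PIN verifier that implements it; the account numbers, PINs and in-memory store are constructed for the demonstration, and the five-attempt threshold is the one the article cites.

```python
"""Added example: a PIN verifier that locks an account after too many
failures, one of the fixes suggested in the article. Not code from
Virgin Mobile, Sprint or Kevin Burke's post; all data is constructed."""
import hashlib
import hmac
import os

MAX_FAILURES = 5  # threshold suggested in the article


class PinStore:
    """Stores salted PIN hashes and a failure counter per account."""

    def __init__(self) -> None:
        # phone number -> {"salt", "digest", "failures", "locked"}
        self._accounts: dict[str, dict] = {}

    @staticmethod
    def _digest(salt: bytes, pin: str) -> bytes:
        # PBKDF2 so that a stolen copy of the store still costs work per guess.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, phone: str, pin: str) -> None:
        salt = os.urandom(16)
        self._accounts[phone] = {
            "salt": salt,
            "digest": self._digest(salt, pin),
            "failures": 0,
            "locked": False,
        }

    def verify(self, phone: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        A locked account rejects even the correct PIN, so an attacker who
        keeps guessing gets no signal once the threshold is reached.
        """
        acct = self._accounts.get(phone)
        if acct is None:
            return "denied"  # same answer as a wrong PIN; don't reveal enrolment
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["digest"], self._digest(acct["salt"], pin)):
            acct["failures"] = 0  # a successful login resets the counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "denied"

    def unlock(self, phone: str) -> None:
        """Clear a lock; in practice this follows an out-of-band identity check."""
        acct = self._accounts[phone]
        acct["locked"] = False
        acct["failures"] = 0


def demo() -> list[str]:
    """Walk one constructed account through five bad guesses and a good one."""
    store = PinStore()
    store.enroll("5550001234", "246810")  # constructed account and PIN
    results = [store.verify("5550001234", "000000") for _ in range(MAX_FAILURES)]
    results.append(store.verify("5550001234", "246810"))  # correct, but locked
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter for the defence to hold: the counter lives with the account rather than with the client session or IP address, so guessing from many sources still exhausts the same five attempts, and the correct PIN is rejected once the lock is set, so the guesser cannot tell a hit from a miss. The third suggestion in the list, requiring the handset as well as the PIN, would add a second factor on top of this.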
Starting in mid-August, he began trying to bring this to the attention of Virgin Mobile and its parent company, Sprint. Within a few days, Kevin says he began communicating with a high-level Sprint customer service rep, but after several weeks of back-and-forth, he was told last Friday that there would be no further action on Sprint or Virgin’s part.
We’ve reached out to the folks at Virgin Mobile and Sprint to see if they have an explanation for the lax password policy. If we get any response, we’ll update the story.