Blogger: Virgin Mobile Accounts Are Vulnerable To Hack; No One Seems To Care

A Virgin Mobile customer claims that it’s easy for hackers to access customers’ accounts via the wireless provider’s website — and not only is there nothing customers can do to defend themselves, the folks at Virgin don’t really seem too concerned about it.

On his blog, Kevin Burke goes through the ins and outs of how he realized the vulnerability and how he attempted to bring it to the company’s attention.

“There is no way for any of their 6 million subscribers to defend against this attack,” he tells Consumerist. “I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it.”

The problem is really quite simple, he explains. Virgin Mobile requires you to use your phone number as your login, and the password must be a six-digit number — no letters or special characters.

And there doesn’t appear to be any limit on how many failed login attempts one can make before the account is locked.

Thus, says Burke, he was able to write a “brute force” script that simply tries one PIN after another until it hits the right one.

It’s worth noting that Virgin Mobile’s numeric passwords cannot contain three sequential digits or three of the same digit in a row. While those rules would seem to weed out people who pick passwords like “123123” or “111111,” it seems to us that they just make the hacker’s job easier: every PIN the rules forbid is one fewer PIN the script has to try.

Regardless, Kevin says he was able to use the script to crack open his own account. He claims that if someone does this to a Virgin Mobile customer they can:
* Read your call and SMS logs, to see who’s been calling you and who you’ve been calling

* Change the handset associated with an account, and start receiving calls/SMS that are meant for you.

* Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card

* Change your PIN to lock you out of your account

* Change the email address associated with your account (which only texts your current phone, instead of sending an email to the old address)

* Change your mailing address

Because this problem is built into Virgin Mobile’s password system and customers have no control over it, Burke says customers have no way of protecting their accounts.

He suggests a number of possible fixes for Virgin to implement, including:
* Allowing longer, more complex passwords that mix letters, digits and symbols.
* Freezing an account after 5 failed password attempts.
* Requiring both the PIN and access to the handset to log in.
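To put numbers on the attack described above and on the second of these fixes, here is an added example; it is not Burke’s script and not Virgin Mobile’s code. It enumerates every six-digit PIN the policy would accept, estimates how long an unthrottled brute force takes, and then replays the same guessing loop against a toy login endpoint with and without an escalating lockout. Assumptions, since the article does not spell them out: “3 sequential numbers” is read as three adjacent digits stepping by exactly +1 or -1 (123 or 321, with no wrap-around such as 901); the 50 requests per second and the 30-minute lockout schedule are illustrative figures, not measurements; the `PinServer` class and its clock are a simulation. Under these assumptions the two rules leave 904,728 of the 1,000,000 possible PINs, so they remove less than a tenth of the keyspace.

```python
"""Keyspace and brute-force model for a 6-digit numeric PIN login.

Added example, not code from Kevin Burke's post or from Virgin Mobile.
Assumptions: "3 sequential numbers" means three adjacent digits that step
by exactly +1 or -1 (123 or 321, no wrap-around such as 901); "three of
the same numbers in a row" means 111; the request rate and the lockout
schedule are illustrative figures, not measurements.
"""
import itertools
from typing import Callable, Optional

PIN_LENGTH = 6


def digits_allowed(d: tuple) -> bool:
    """Apply the two PIN rules described in the article to a tuple of digits."""
    for i in range(len(d) - 2):
        a, b, c = d[i], d[i + 1], d[i + 2]
        if a == b == c:                          # e.g. 111
            return False
        if b - a == c - b and abs(b - a) == 1:   # e.g. 123 or 321
            return False
    return True


def is_allowed(pin: str) -> bool:
    """True if a PIN string would be accepted by the assumed policy."""
    return (len(pin) == PIN_LENGTH and pin.isdigit()
            and digits_allowed(tuple(int(ch) for ch in pin)))


def allowed_pins() -> list:
    """The full candidate list an attacker has to iterate over, in order."""
    return ["".join(map(str, d))
            for d in itertools.product(range(10), repeat=PIN_LENGTH)
            if digits_allowed(d)]


def crack_time_seconds(keyspace: int, rate: float) -> tuple:
    """(worst-case, average) seconds to find one PIN when nothing slows the attacker."""
    return keyspace / rate, (keyspace + 1) / 2 / rate


def escalating_lockout(failures: int) -> float:
    """Illustrative schedule: after every 5th consecutive failure, refuse logins
    for 30 minutes multiplied by the number of lockouts so far (30 min, 60 min, ...)."""
    return 1800.0 * (failures // 5) if failures % 5 == 0 else 0.0


class PinServer:
    """Toy login endpoint with a simulated clock (no network, no sleeping).

    lockout_policy=None reproduces what the article describes: unlimited
    attempts. Otherwise the policy maps consecutive failures to lock seconds.
    """

    def __init__(self, pin: str, rate: float,
                 lockout_policy: Optional[Callable[[int], float]] = None):
        self._pin = pin
        self._interval = 1.0 / rate   # simulated seconds per attacker request
        self._policy = lockout_policy
        self.failures = 0
        self.clock = 0.0
        self.locked_until = 0.0

    def try_pin(self, pin: str) -> str:
        """Return 'ok', 'wrong' or 'locked'; every call costs one request interval."""
        self.clock += self._interval
        if self.clock < self.locked_until:
            return "locked"
        if pin == self._pin:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self._policy is not None:
            self.locked_until = self.clock + self._policy(self.failures)
        return "wrong"

    def sleep_until_unlocked(self) -> None:
        """The attacker waits out the lock instead of burning requests on it."""
        self.clock = max(self.clock, self.locked_until)


def brute_force(server: PinServer, candidates: list) -> tuple:
    """Try candidates in order; return (pin_found, guesses, simulated_seconds)."""
    guesses = 0
    for pin in candidates:
        while True:
            status = server.try_pin(pin)
            if status == "locked":
                server.sleep_until_unlocked()
                continue           # resend the same guess once the lock expires
            guesses += 1
            break
        if status == "ok":
            return pin, guesses, server.clock
    return None, guesses, server.clock


if __name__ == "__main__":
    pins = allowed_pins()
    worst, avg = crack_time_seconds(len(pins), rate=50)
    print(f"{len(pins)} candidate PINs; at 50 req/s: worst {worst / 3600:.1f} h, average {avg / 3600:.1f} h")
    target = pins[12]   # constructed target near the front of the list, for a quick demo
    for name, policy in (("no lockout", None), ("escalating lockout", escalating_lockout)):
        found, guesses, seconds = brute_force(PinServer(target, rate=50, lockout_policy=policy), pins)
        print(f"{name}: found {found} after {guesses} guesses in {seconds:.2f} simulated seconds")
```

The unthrottled run shows why the PIN restrictions do not help: at 50 requests per second the whole keyspace is exhausted in about five hours, half that on average. The throttled run takes exactly the same 13 guesses to reach the same target, but the two lockouts it triggers on the way push the simulated time from a quarter of a second to an hour and a half; scaled to the average case the attack becomes months of waiting rather than hours. A temporary, escalating lock rather than a permanent one is what keeps a lockout rule from turning into a way to freeze everyone else out of their accounts.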

Starting in mid-August, he began trying to bring this to the attention of Virgin Mobile and its parent company, Sprint. Within a few days, Kevin says he began communicating with a high-level Sprint customer service rep, but after several weeks of back-and-forth, he was told last Friday that there would be no further action on Sprint or Virgin’s part.

We’ve reached out to the folks at Virgin Mobile and Sprint to see if they have an explanation for the lax password policy. If we get any response, we’ll update the story.



  1. techconsumer says:

    AT&T GoPhone’s website is the same way, but far easier to write that script. It’s 4 digits with unlimited attempts. Clearly AT&T doesn’t care about the security of their pre-paid customers.

  2. dolemite says:

    Yeah, wait until this hits the main stream media…THEN we’ll see some results.

  3. sorta savvy consumer says:

    As we speak, thousands of hackers, both savvy and amateur, are cleaning out people’s accounts at Virgin, buying phones by the bucketload, whatever other havoc they can cause.

    By the end of the day Virgin will have a mess that will take months to clean up and will likely have to shut their site down altogether shortly.

    Even better, a really savvy hacker will have hacked the high level execs and will start posting all the SMS chatter going on too.

    This is going to be a very long day for the IT folks at Virgin.

    As with most companies, the CS reps just don’t have a mechanism to report this up the chain. The OP needed to use the EECB to get this in front of someone in IT, but then is it really the customer’s job to tell a company that their IT dept are a bunch of losers and should have had better security in the first place?

    • atomix says:

      I almost thought you knew what you were talking about until you blamed it on “the bunch of losers” in the IT Dept.

      Patching security holes is a management issue, not a ground-level IT issue. An IT dept capable of building and running a system like Virgin has is surely made up of IT staff with the competence to detect and resolve security problems like this. The problem is getting that CTO to listen and approve the time required to patch the vulnerabilities.

      • Chuft-Captain says:

        Said IT department is a failure and a bunch of losers because they implemented such a security setup in the first place. I guarantee you the CTO did not design the password requirements himself. Someone in IT was tasked to develop the plan.

        • nugatory says:

          more likely they were given the business requirement that the password had to be the same as that used on the phone support system.

          • Chuft-Captain says:

            Still idiots for not refusing to implement it.

            • ovalseven says:

              But I’d bet they still have their jobs.

            • MuleHeadJoe says:

              Jeez Louise … you can refuse to do something that’s clearly illegal, maybe even something that’s immoral (per your own definition of morality), but to refuse to implement a program because of perceived risk? That’s an immediate firing offense in any of these 50 states, and probably in most 1st world countries as well.

              So I can be an “idiot” and keep my job, or be “smart” and get fired while accomplishing absolutely nothing to resolve the technical problem in the first place. Wow, some choice.

              The security program was implemented by stereotypical IT grunts, who have no say in *how* things work. It was DESIGNED by a systems architect, via an approved corporate project, and was vetted by senior management. I assure you in no uncertain terms that the responsibility for this flawed system lies entirely at the CIO’s feet.

              I don’t think you grasp what *is* or *is not* an IT issue in modern corporations.

              • Chuft-Captain says:

                Believe it or not it is actually possible to disagree with your boss and present a case for not doing something a certain way, and not get fired outright. You don’t just walk up and say “No, I won’t do this”, you show them WHY it is a bad idea, provide alternatives that would be better, and show them why.

            • atomix says:

              I cringe at the thought of engaging a troll, but just in case you’re being sincere, I’ll give it one shot:

              Think of it in terms of feudal England. The King tells the peasants to build a wall around the palace, but also demands that a 50 foot section should be left wide open.

              The peasants may be the most talented wall builders in the world, but they don’t have a say in design. Clearly the vulnerability is the King’s fault. Sure, the peasants talk about how stupid the king is all day long, but at the end of the day, their responsibility is to build what they’re told and to feed their families.

              The individuals in the IT dept that built and maintain this system may be very talented, and may grumble about how stupid their management is, but at the end of the day, they’ve fulfilled their requirements.

  4. SirWired says:

    No, please, do not require access to the handset to log in. I maintain a pre-paid account for my grandmother, who lives 250 miles away.

    Certainly additional security is appropriate when the handset cannot be accessed, but making it a requirement is stupid.

  6. Jawaka says:

    So in other words, he hacked their website?

    Isn’t that against the law?

    • Ben says:

      He hacked into his own account.

      • Hi_Hello says:

        I don’t think people care. Use the word hack, he’s screwed for life.

      • RandomLetters says:

        He still broke into their system. It doesn’t matter that it’s his own account.

        • Ben says:

          It seems like all he did was use some sort of script to try multiple passwords to get into his account. How is this different from him actually sitting down and typing out all those possible passwords? Is it illegal just because he had his computer do it? I’m no programming expert, but it doesn’t seem like he would need to enter their system at all to do this.

          • RandomLetters says:

            I’m not sure on this, but I think running a script like that to gain entry into an account, even if it’s your own, is still illegal entry. Doing it manually I’m not clear on at all.

      • who? says:

        Technically, it is still illegal, even if it was his own account. That said, as long as he didn’t hack into anyone else’s accounts, this is such an egregious hole that I doubt anyone is going to hold him responsible.

        Agree with “sorta savvy consumer”. This is bad, very bad, and the bad guys are already taking advantage.

      • Jawaka says:

        …on their website.

  7. Chuft-Captain says:

    So let me see, if I recall how to work this problem correctly, with a six digit, numerical characters only password, you have a potential for 1 Million possible passwords (10*10*10*10*10*10). Even this is a RIDICULOUSLY small pool for any modern brute-force algorithm, and could be solved exceptionally quickly. The only limiting time factor is how fast the system can accept an attempt after the last one.

    However, their stupid rules (no sequential numbers, no using the same number twice in a row) mean that the first character has ten possibilities, but each successive space only has EIGHT possibilities, because for each succeeding character, you must remove the number that precedes it from the pool, as well as the number that immediately follows that one. So again, if I recall the method properly, you’re now down to 327,680 possible passwords (10*8*8*8*8*8).

    Holy failbuckets, Batman!

    • atomix says:

      Add to that, the law of averages, and you’ll probably access an account within 163,840 guesses. At a modest 50 guess per second, assuming their site will allow that kind of a pounding, the average account will be accessed within about 2.27 days.

    • TheMansfieldMauler says:

      Can’t have 3 sequential numbers or 3 of the same number twice in a row. So you can have 112233, or 125689.

      The number of possible passwords is higher than what you calculated, but you have the right general idea.

      • TheMansfieldMauler says:

        or 3 of the same number twice in a row

        I meant 3 of the same number in a row.

        /no edit button

      • Chuft-Captain says:

        Yeah, my bad. I think it works out to something like 10*10*9*10*10*9, which is still only 810,000 possible combos.

  8. ColoradoShark says:

    He sounds like an ethical hacker. He pointed out the problem, they ignored him for a month, and then he went public to shame them into fixing it. It’s likely the unethical hackers already knew about the issue but could find no way to make money off of it.

    And, locking the account after 5 bad passwords is a bad idea. The hack then becomes attempting to log in to every account 5 times with the wrong password and lock every account in site.

    • who? says:

      The reason that 4 digit pins work on ATM cards is because the ATM will lock you out after 3 attempts. Limiting the number of attempts is exactly what Virgin needs here. They don’t have to lock the account permanently, but they could do something like “after 5 attempts, we lock your account for 1/2 hour. After 10 attempts, it’s locked for an hour.” That would allow the account to reset, but slow the attack process down enough to stop brute forcing.

  9. luxosaucer13 says:

    Virgin’s lack of a response to this problem is typical of Sprint. Virgin is a prepaid arm of Sprint, and after having an account with Sprint and knowing several people who worked for Sprint, I can say that the customer’s safety, security and satisfaction are the last things on their collective minds. The only thing Sprint seems to care about is acquiring new customers.

  10. Lucky225 says:

    The same is true of Boost Mobile, which the PIN for is only 4 digits. Also no limit on number of failed attempts. At least virgin mobile would require a maximum of 1 million attempts vs 10,000.

    • Lucky225 says:

      Above comment before mine about PIN rules on Virgin Mobile reveals only about 650,000 combos on Virgin Mobile, still better than 10,000.

  11. triana says:

    Good luck getting anyone at Virgin to care. The fiance and I just switched because we saved a bundle, but we are really getting what we pay for in terms of customer service. He’s had problems with his Evo since day one, and no amount of “escalation” can get the attention of anyone capable of fixing the problem.

    I’m going to go remove my credit card on file right now.

    • notserpmh says:

      As a general tip, if at all possible, email their “social care” team when you need just about anything at Don’t call in. Most of the call in people can’t do much, but the social team generally will get back to you within 24 hours at the most, can easily authorize account resets, phone replacements, etc. I’ve been with VM for a while and this has always been the best way, IMO, to get support.

  12. Not Given says:

    He could crack some executive’s accounts and change their pins, every day for a month.

  13. Crank says:

    I fixed my Virgin Mobile account by switching to Ting.

  14. pamelad says:

    Of course Virgin Mobile should fix this pronto, but meanwhile I wonder if it would help to use a five-digit rather than six-digit password? I realize that extra digit greatly increases the number of tries required, but aren’t the odds that hackers would set the algorithm for six digits much greater than for five?