Sprint Says Virgin Mobile Site Isn't Completely Insecure; Blogger Disagrees

Earlier this week, we told you about blogger Kevin Burke’s claims that the website for Virgin Mobile (a subsidiary of Sprint) is incredibly vulnerable to any hacker who could write a script to generate PINs. Since then, Sprint has told Consumerist that the site isn’t as much of an open door to hackers as it’s been made out to be, while Burke claims that the phone folks are missing the point.

For those coming late to this party, Burke — a Virgin Mobile customer — claims that because the company’s site requires that your wireless number be your User ID and customers can only use 6-digit numeric PINs, it’s incredibly easy for someone with the know-how to write a script that continues generating PINs until the hacker has access to a customer’s account.

Burke says he tested his theory by doing just that and was able to get into his own account using the script. He then spent weeks trying to get the attention of folks at Virgin Mobile and Sprint, who ultimately didn’t seem to care.

When we reached out to Sprint (no one at Virgin Mobile has replied to our request for comment), a rep responded with the following:

A lockout feature for multiple password attempts is part of Sprint’s standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.

Wait — so if there’s a lockout feature, how did Burke’s script manage to crack open the account? Did he just get lucky and get the solution in a few tries?

In an effort to test Sprint’s claim, Burke tells Consumerist he ran a script that deliberately fed incorrect logins to his Virgin Mobile account — 100 times.

He figured that if Sprint had actually implemented a lockout system, he should not have been able to log in after all those failed attempts. But when he entered the correct PIN at the end of the 100 incorrect PINs, he had no problem accessing his account.

“Unless the lock out is triggered after more than 100 failed logins,” he writes, “which seems unlikely.”

Burke also points out that he believes one could get around a basic lockout system by simply writing a script that clears the browser’s cookies between login attempts.

This is why the lockout was only one of several suggestions he tried to make to Sprint to improve the security on Virgin Mobile’s site.

If Sprint were to simply allow the use of letters and special characters in PINs, it would significantly increase the complexity of any script intended to hack accounts.
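The cookie-clearing point above comes down to where the failed-attempt counter is stored. The following is an added illustration, not code from Burke, Sprint or Virgin Mobile: it replays the 100-wrong-PINs test against a lockout keyed on the session cookie and one keyed on the account. The class names, the five-attempt threshold and the sample number and PIN are assumptions made for the example.

```python
# Added illustration; class names, threshold and sample values are hypothetical.
from collections import defaultdict

MAX_FAILURES = 5          # assumed threshold; the article does not state Sprint's
PHONE = "5550100"         # constructed account ID (the wireless number)
REAL_PIN = "493817"       # constructed 6-digit PIN


class SessionKeyedLockout:
    """Weak: the failure count is tied to the client's session cookie."""
    def __init__(self):
        self.failures = defaultdict(int)   # session_id -> failed attempts

    def login(self, session_id, phone, pin):
        if self.failures[session_id] >= MAX_FAILURES:
            return "locked"
        if phone == PHONE and pin == REAL_PIN:
            return "ok"
        self.failures[session_id] += 1
        return "denied"


class AccountKeyedLockout:
    """Stronger: the failure count is stored server-side per account."""
    def __init__(self):
        self.failures = defaultdict(int)   # phone number -> failed attempts

    def login(self, session_id, phone, pin):
        if self.failures[phone] >= MAX_FAILURES:
            return "locked"                # the correct PIN is refused too
        if phone == PHONE and pin == REAL_PIN:
            self.failures[phone] = 0
            return "ok"
        self.failures[phone] += 1
        return "denied"


def replay_lockout_test(service, wrong_attempts=100):
    """Send wrong PINs, each from a fresh session, then the correct PIN."""
    for i in range(wrong_attempts):
        wrong = f"{(int(REAL_PIN) + 1 + i) % 1_000_000:06d}"
        service.login(f"session-{i}", PHONE, wrong)
    return service.login("session-final", PHONE, REAL_PIN)


if __name__ == "__main__":
    print("session-keyed:", replay_lockout_test(SessionKeyedLockout()))
    print("account-keyed:", replay_lockout_test(AccountKeyedLockout()))
```

A per-account counter also lets anyone who knows the phone number lock its owner out, so such counters are usually paired with a timed unlock or increasing delays rather than a permanent lock.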

In what could be a completely unrelated development, some time on Tuesday night and continuing into the early hours of Wednesday, Virgin Mobile USA customers could no longer access their accounts via the website and were greeted with a generic “service unavailable” message.

Tweets from the company’s customer care Twitter account indicated that the company knew of the outage and that the issue had been reported to the proper department.

Since Burke provided us with his rebuttal to Sprint’s lockout claims, we’ve made two attempts to get further comment, but to no avail.

UPDATE: Since posting this story, Sprint & Virgin Mobile have provided Consumerist with the following statement:

It’s important to note that there are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing. While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place.

We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts. Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges. We maintain our vigilance in this area to avoid any compromise of our customers’ accounts and the privacy and security of their information.

We greatly appreciate Mr. Burke’s outreach to the company and are reaching out to him as well. His inquiry did enable us to even further secure our customers’ accounts.
