Virgin Mobile accounts are vulnerable to hack, blogger says

Update: The Consumerist heard back from Sprint and then got a reaction from the original blogger; see the new post, Sprint Says Virgin Mobile Site Isn't Completely Insecure; Blogger Disagrees, for details.

A Virgin Mobile customer claims that it's easy for hackers to access customers' accounts via the wireless provider's website—and not only is there nothing customers can do to defend themselves, the folks at the Virgin don't really seem too concerned about it.

On his blog, Kevin Burke goes through the ins and outs of how he realized the vulnerability and how he attempted to bring it to the company's attention.

"There is no way for any of their 6 million subscribers to defend against this attack," he told [our sister blog] Consumerist. "I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it."

The problem is really quite simple, he explains. Virgin Mobile requires you to use your phone number as your log-in, and the password can only be 6 numbers—no letters or special characters. And there doesn't appear to be a limit on how many failed attempts one can make before being locked out of one's account.

Thus, says Burke, he was able to write a "brute force" script that would keep attempting to generate PINs until it found the right one.

It's worth noting that Virgin Mobile's numerical passwords cannot have 3 sequential numbers or three of the same numbers in a row. While that would seem to cut down on the number of people who have passwords like "123123" or "111111," it seems to us like that just makes the hacker's job easier by eliminating potential passwords.

Regardless, Kevin says he was able to use the script to crack open his own account. He claims that if someone does this to a Virgin Mobile customer they can:

• Read your call and SMS logs, to see who's been calling you and who you've been calling.


• Change the handset associated with an account, and start receiving calls/SMS that are meant for you.


• Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card.


• Change your PIN to lock you out of your account.


• Change the e-mail address associated with your account (which only texts your current phone, instead of sending an e-mail to the old address).


• Change your mailing address.

He suggests a number of possible fixes for Virgin to implement, including:

• Allow people to set more complex passwords, involving letters, digits, and symbols.


• Freezing your account after 5 failed password attempts.


• Requiring both your PIN, and access to your handset, to log in.

Starting in mid-August, Burke began trying to bring this to the attention of Virgin Mobile and its parent company, Sprint. Within a few days, Kevin says, he began communicating with a high-level Sprint customer service rep, but after several weeks of back-and-forth, he was told last Friday that there would be no further action on Sprint or Virgin's part.

[Consumerist has] reached out to the folks at Virgin Mobile and Sprint to see if they have an explanation for the lax password policy. If we get any response, we'll update the story.

For tips on how to stay safe on the web, create strong passwords, and more, see our free Online Security Guide at ConsumerReports.org.

This story originally appeared on The Consumerist.

Source: Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open [Kevin Burke]

—Chris Morran