Update: The Consumerist heard back from Sprint and then got a reaction from the original blogger; see the new post, Sprint Says Virgin Mobile Site Isn't Completely Insecure; Blogger Disagrees, for details.
A Virgin Mobile customer claims that it's easy for hackers to access customers' accounts via the wireless provider's website, and that not only is there nothing customers can do to defend themselves, the folks at Virgin don't really seem too concerned about it.
On his blog, Kevin Burke goes through the ins and outs of how he realized the vulnerability and how he attempted to bring it to the company's attention.
"There is no way for any of their 6 million subscribers to defend against this attack," he told [our sister blog] Consumerist. "I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it."
The problem is really quite simple, he explains. Virgin Mobile uses your phone number as your log-in name, and the password is a six-digit numeric PIN: no letters, no special characters, nothing longer. A phone number is not a secret, so the PIN is the only thing standing between an attacker and the account. And there doesn't appear to be any limit on how many failed attempts one can make before being locked out of one's account.
Thus, says Burke, he was able to write a "brute force" script that simply tries one PIN after another until it hits the right one.
It's worth noting that Virgin Mobile's numerical passwords cannot contain three sequential digits or three of the same digit in a row. While that may cut down on the number of people with passwords like "123123" or "111111," it also helps the attacker: every combination the policy forbids is one the brute-force script can skip, so the rules shrink the space it has to search.
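To make the two points above concrete, here is an added example; it is mine, not Burke's script and not anything from Virgin Mobile or Sprint. It counts how many six-digit PINs survive the stated composition rules, then runs a brute-force loop against a constructed stand-in for the login check, once with the unlimited guesses the article describes and once with a lockout after five failures. It assumes that "sequential" means three adjacent digits stepping by exactly one in either direction (345 or 543) with no wrap-around from 9 to 0, which the article does not spell out; the `PinVerifier` class and the sample PIN `020419` are constructed for the demonstration.

```python
from itertools import product

PIN_LENGTH = 6


def has_forbidden_run(digits) -> bool:
    """True if any three adjacent digits are identical (7,7,7) or
    sequential (3,4,5 or 5,4,3).

    Assumption (not stated in the article): "sequential" means steps of
    exactly +1 or -1 in either direction, with no wrap from 9 to 0.
    `digits` is any sequence of ints.
    """
    for a, b, c in zip(digits, digits[1:], digits[2:]):
        if a == b == c:
            return True
        if (b - a) == (c - b) and abs(b - a) == 1:
            return True
    return False


def is_valid_pin(pin: str) -> bool:
    """Does `pin` satisfy the described policy: exactly six digits, no
    forbidden run of three?"""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    return not has_forbidden_run(tuple(int(ch) for ch in pin))


def count_valid_pins(length: int = PIN_LENGTH) -> int:
    """Size of the PIN space an attacker actually has to search.

    Plain enumeration of all 10**length candidates (10**6 for length 6,
    a few seconds in CPython). Every PIN the policy rejects is one the
    attacker never has to try.
    """
    return sum(
        1 for digits in product(range(10), repeat=length)
        if not has_forbidden_run(digits)
    )


class PinVerifier:
    """Constructed stand-in for a carrier login check; not real code.

    max_failures=None reproduces the behaviour the article describes
    (unlimited guesses). An integer models a lockout after that many
    consecutive failures.
    """

    def __init__(self, pin: str, max_failures=None):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("account locked")
        if guess == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def brute_force(verifier: PinVerifier, length: int = PIN_LENGTH):
    """Try every policy-compliant PIN in numeric order.

    Returns (pin, attempts) on success, or (None, attempts) if the
    account locks first. `attempts` counts guesses the server answered.
    """
    attempts = 0
    for digits in product(range(10), repeat=length):
        if has_forbidden_run(digits):
            continue  # the published policy says these cannot be the PIN
        guess = "".join(map(str, digits))
        try:
            accepted = verifier.check(guess)
        except PermissionError:
            return None, attempts
        attempts += 1
        if accepted:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    space = count_valid_pins()
    ruled_out = 100 * (10 ** PIN_LENGTH - space) / 10 ** PIN_LENGTH
    print(f"policy-compliant 6-digit PINs: {space:,} of 1,000,000 "
          f"({ruled_out:.1f}% ruled out by the policy itself)")

    target = "020419"  # constructed sample PIN; passes the policy
    pin, tries = brute_force(PinVerifier(target))
    print(f"no lockout: recovered {pin} after {tries:,} guesses")

    pin, tries = brute_force(PinVerifier(target, max_failures=5))
    print(f"lockout after 5 failures: recovered {pin} after {tries} guesses")
```

Under the stated interpretation the composition rules leave 904,728 of the 1,000,000 six-digit PINs, so the policy hands the attacker about 9.5% of the work for free; a randomly chosen compliant PIN falls to the unthrottled loop after roughly 450,000 guesses on average. The far larger problem is the one the second run shows: with any lockout at all, the same script gets five answers and then nothing, which is why the fixes that matter here are limiting failed attempts, not fiddling with which digit patterns are allowed.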
Regardless, Kevin says he was able to use the script to crack open his own account. He claims that if someone does this to a Virgin Mobile customer they can:
He suggests a number of possible fixes for Virgin to implement, including:
Starting in mid-August, Burke began trying to bring this to the attention of Virgin Mobile and its parent company, Sprint. Within a few days, Kevin says, he began communicating with a high-level Sprint customer service rep, but after several weeks of back-and-forth, he was told last Friday that there would be no further action on Sprint or Virgin's part.
[Consumerist has] reached out to the folks at Virgin Mobile and Sprint to see if they have an explanation for the lax password policy. If we get any response, we'll update the story.
For tips on how to stay safe on the web, create strong passwords, and more, see our free Online Security Guide at ConsumerReports.org.
This story originally appeared on The Consumerist.
Source: Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open [Kevin Burke]
—Chris Morran