Virgin Mobile Uses “Draconian” Password System Primed for Hackers

According to a developer, Virgin Mobile subscribers are at risk of having their accounts hacked because of the “draconian password policy” the company is using.

Kevin Burke, a Virgin subscriber and a developer for cloud communications company Twilio, stated that Virgin Mobile requires only a six-digit numerical password for users to access their online accounts. According to Burke, this means there are no more than 1 million possible valid combinations, compared with 218.3 trillion (62^8) for eight-character passwords that include numbers and upper- and lower-case letters. A hacker would need only a Virgin Mobile phone number, an Internet connection, and the ability to cycle through 1 million possible guesses to access a user’s account, view account history, make changes and even charge the account.

According to Burke, he informed Virgin of their security weakness about a month ago but the company has yet to take steps to improve their security, let alone inform him if they are taking any steps to fix the problem.  That’s the reason he decided to make his findings public.

Burke set out to hack his own account by writing a script to “brute force” its PIN. To avoid putting any undue strain on Virgin’s servers, he limited the attack to one request per second for a few hours, or a little more than 10,000 requests in three hours. When he finally figured out the right combination, he was able to log in without any hassles.

“They didn’t lock me out, throttle my IP, implement exponential backoff or any other techniques I expected they’d have in place,” he says.  Burke notes that his script automatically cleared a browser cookie Virgin Mobile set after each login attempt. “Obviously, clearing your cookies gets around this issue—it’s like Virgin asking me to tell them how many times I’ve failed to log in before.”

Burke pointed out that Virgin should allow people to set more complex passwords involving letters, digits, and symbols; freeze an account after 5 failed password attempts and require the user to identify more personal information before unfreezing it; and require both the PIN and access to the user’s handset to log in, or use two-step verification.

Aside from that, Burke recommends that Virgin alter their practices so they can identify and protect users from “bad behavior” by “providing the same error message when someone tries to authenticate with an invalid phone number, as when they try to authenticate with a good phone number but an invalid PIN. Based on the response to the login, I can determine whether your number is a Virgin number or not, making it easy to find targets for this attack.”
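The server-side counterpart to Burke's recommendations above, as an added example that is not code from Burke, Virgin Mobile or Sprint: failures are counted on the server per submitted phone number (never in a cookie), attempts back off exponentially, the account freezes after 5 failures, and every failure returns the same message. The class and function names, the in-memory storage and the PBKDF2 PIN hashing are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5  # freeze threshold recommended in the article
GENERIC_ERROR = "Invalid phone number or PIN."  # identical for every failure

def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(pin):
    """Build a constructed sample record: (salt, PIN hash)."""
    salt = os.urandom(16)
    return salt, hash_pin(pin, salt)

class LoginGuard:
    """Counts failures on the server, keyed by the submitted phone number."""

    def __init__(self, accounts, clock=time.monotonic):
        self._accounts = accounts  # phone -> (salt, PIN hash)
        self._failures = {}        # phone -> consecutive failed attempts
        self._retry_at = {}        # phone -> earliest time of the next attempt
        self._clock = clock
        self._dummy = (os.urandom(16), os.urandom(32))  # for unknown numbers

    def login(self, phone, pin, cookies=None):
        # `cookies` is ignored: a counter the client can clear is no counter.
        now = self._clock()
        frozen = self._failures.get(phone, 0) >= MAX_FAILURES
        if frozen or now < self._retry_at.get(phone, 0.0):
            return False, GENERIC_ERROR  # same text as a wrong PIN
        # Unknown numbers are hashed against a dummy record and tracked like
        # real ones, so neither the message nor the lockout reveals validity.
        salt, expected = self._accounts.get(phone, self._dummy)
        ok = hmac.compare_digest(hash_pin(pin, salt), expected)
        if ok and phone in self._accounts:
            self.unfreeze(phone)
            return True, "OK"
        n = self._failures.get(phone, 0) + 1
        self._failures[phone] = n
        self._retry_at[phone] = now + 2 ** (n - 1)  # backoff: 1s, 2s, 4s, ...
        return False, GENERIC_ERROR

    def unfreeze(self, phone):
        # Also call this after out-of-band identity verification of the owner.
        self._failures.pop(phone, None)
        self._retry_at.pop(phone, None)
```

A frozen account rejects even the correct PIN until `unfreeze` is called, which stands in for the identity check Burke recommends before unfreezing. A production version would keep the counters in a shared store with expiry rather than in process memory.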

There are other recommendations from Burke found on his blog.

Sprint, the parent company of Virgin Mobile, has been contacting the media saying that they’ve addressed the problem and that “a lockout feature for multiple password attempts is part of Sprint’s standard procedures.” They’re also looking into the matter and checking that everything is in order in their system.

In an update on his blog, Burke pointed out that although Sprint and Virgin claim the security vulnerability has been addressed, the lockout can still be bypassed by clearing cookies, so hackers can still make repeated failed login attempts until they enter the right PIN and hijack a user’s account.