UPDATED 13:11 EDT / SEPTEMBER 20 2012


Are You an Online Virgin Mobile Subscriber? You May Be a Victim of Poor Security

A developer has discovered that the online accounts of Virgin Mobile USA subscribers are highly vulnerable to brute-force attacks: the carrier's website enforces password rules that force customers into weak credentials. The weakness was found by Kevin Burke, a software engineer at cloud communications company Twilio, who wrote a program to guess the PIN of any Virgin Mobile USA online account and found that an account can be broken into in less than a day, provided the target's phone number is known. Virgin Mobile has put some protections in place, but Burke found they can be bypassed with little effort.

“Compare a 6-digit number with a randomly generated 8-letter password containing upper-case letters, lower-case letters, and digits – the latter has 218,340,105,584,896 possible combinations”, said Burke. “Some people are mentioning they freeze you out after 4 invalid login attempts. However, you can get around this limitation by clearing your cookies, or not using a Web browser like Google Chrome or Firefox to try the login attempts. I tried 100 bad logins in a row, followed by my good login, without getting locked out last night. An attacker could do the same.”

Because the site requires the password to be exactly a six-digit PIN, there are only 1,000,000 possible values, so guessing the right one is cheap. On top of that, the site effectively allows unlimited guesses: its four-attempt lockout is evidently tied to browser cookies and resets as soon as they are cleared, which is no protection at all against a script. Once an attacker hits the right PIN, he can read the account owner's call and SMS logs, change the handset linked to the account, change the email address and mailing address on file, and use the stored credit card information for almost anything.

“They should allow people to use any character in their passwords, and probably set a *minimum* of 6 characters in a password”, Burke said. “As I pointed out, an 8 character password with 62 possibilities for each character has 218 trillion possible different combinations, making it impractical to brute force during our lifetime.”
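The following Python is an added example, not code from the article, from Virgin Mobile or from Kevin Burke. It models the two points made above: the keyspace arithmetic behind Burke's comparison, and a cookie-tracked lockout (the kind that resets when cookies are cleared) beside a server-side, per-account lockout with backoff that a cookie-less script cannot evade. The phone number, PIN, guess rate and class names are constructed for illustration and are not Virgin Mobile's real implementation.

```python
import math
import secrets
import time
from collections import defaultdict


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case wall-clock hours to try every candidate at a fixed guess rate."""
    return (alphabet_size ** length) / guesses_per_second / 3600.0


class CookieLockout:
    """Weak design: the failed-attempt counter lives in a client-held cookie,
    so an attacker who discards the cookie (or never sends one) starts from
    zero on every request. This mirrors the bypass Burke describes."""
    MAX_FAILURES = 4

    def __init__(self, pins):
        self._pins = pins  # constructed account store: phone -> PIN

    def login(self, phone, pin, cookie):
        failures = cookie.get("failures", 0)
        if failures >= self.MAX_FAILURES:
            return "locked"
        if self._pins.get(phone) == pin:
            cookie["failures"] = 0
            return "ok"
        cookie["failures"] = failures + 1
        return "bad-pin"


class ServerLockout:
    """Hardened design: the counter is keyed server-side by account and the
    lockout grows exponentially, so clearing client state changes nothing.
    `clock` is injectable so a test can advance time without sleeping."""
    MAX_FAILURES = 4
    BASE_DELAY_S = 30.0

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins
        self._clock = clock
        self._state = defaultdict(lambda: {"failures": 0, "locked_until": 0.0})

    def login(self, phone, pin):
        st = self._state[phone]
        now = self._clock()
        if now < st["locked_until"]:
            return "locked"
        # Always run the comparison (with a dummy for unknown accounts) so the
        # response time does not reveal whether the phone number exists.
        expected = self._pins.get(phone, "000000")
        match = secrets.compare_digest(expected, pin)
        if phone in self._pins and match:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self.MAX_FAILURES:
            # 30 s at the threshold, doubling for every further failure.
            st["locked_until"] = now + self.BASE_DELAY_S * 2 ** (st["failures"] - self.MAX_FAILURES)
        return "bad-pin"


def brute_force(service, phone, attempts, fresh_cookie_each_time):
    """Attacker loop against a CookieLockout: try sequential PINs, optionally
    discarding the cookie between requests. Returns counts of each outcome."""
    results = {"bad-pin": 0, "locked": 0, "ok": 0}
    cookie = {}
    for i in range(attempts):
        if fresh_cookie_each_time:
            cookie = {}
        results[service.login(phone, "%06d" % i, cookie)] += 1
    return results


if __name__ == "__main__":
    # Constructed sample account; the guess rate is an assumption.
    pins = {"5551234567": "482913"}
    print("6-digit PIN: %.1f bits, exhausted in %.1f h at 20 guesses/s"
          % (keyspace_bits(10, 6), hours_to_exhaust(10, 6, 20)))
    print("8-char [A-Za-z0-9]: %.1f bits, %d combinations"
          % (keyspace_bits(62, 8), 62 ** 8))
    weak = CookieLockout(pins)
    print("cookie kept:   ", brute_force(weak, "5551234567", 100, False))
    print("cookie cleared:", brute_force(weak, "5551234567", 100, True))
```

The cookie-kept run stops after four guesses; the cookie-cleared run gets all 100 through, which is exactly the behaviour Burke reported. The server-side counter cannot be reset from the client, and a per-account counter (rather than a per-IP one) also covers the case where the attacker rotates source addresses.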

The worst part is that when Burke went public and tweeted to Virgin Mobile U.S. about the problem, the company's only response was to point him to a section of its Terms of Service agreement. Too many companies learn about security only after a major breach and then scramble to fix it; here Virgin Mobile has the chance to act before any damage is done, yet it is unwilling to take meaningful steps.
