UPDATED 13:11 EDT / SEPTEMBER 20 2012


Are You an Online Virgin Mobile Subscriber? You May Be a Victim of Poor Security

A developer has discovered that the online accounts of Virgin Mobile USA subscribers are highly vulnerable to brute-force attacks: the carrier's website enforces a weak password policy, forcing customers to protect their online accounts with weak passwords. The weakness was found by Kevin Burke, a software engineer at cloud communications company Twilio, who wrote a program to determine the PIN for any Virgin Mobile USA online account and found that an account can be broken into in less than a day, provided the target's phone number is known. Virgin Mobile has put some safeguards in place, but those, too, are easily bypassed.

“Compare a 6-digit number with a randomly generated 8-letter password containing upper-case letters, lower-case letters, and digits – the latter has 218,340,105,584,896 possible combinations”, said Burke. “Some people are mentioning they freeze you out after 4 invalid login attempts. However, you can get around this limitation by clearing your cookies, or not using a Web browser like Google Chrome or Firefox to try the login attempts. I tried 100 bad logins in a row, followed by my good login, without getting locked out last night. An attacker could do the same.”

Because the account requires a 6-digit PIN as the password, guessing the right one is easy. On top of that, the site allows as many password guesses as one likes, which is simply inexcusable. As soon as an attacker gets into a user's account with the right PIN, he can read the account owner's call and SMS logs, change the handset linked to the account, change the email address and mailing address on file, and use the credit card information on record for almost anything.

“They should allow people to use any character in their passwords, and probably set a *minimum* of 6 characters in a password”, Burke said. “As I pointed out, an 8-character password with 62 possibilities for each character has 218 trillion possible different combinations, making it impractical to brute force during our lifetime.”
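To make the arithmetic in Burke's comparison concrete, and to show what a lockout that cannot be reset by clearing cookies looks like, here is an added Python example; it is not code from the article, from Burke, or from Virgin Mobile. The `AccountLockout` class, its four-attempt threshold (taken from the quote above), the assumed guess rate and the sample phone number and PIN are all constructed for illustration.

```python
import hmac
from collections import defaultdict

# Alphabet sizes from the article: a 6-digit PIN versus an 8-character
# password drawn from upper-case, lower-case and digits (26 + 26 + 10 = 62).
PIN_ALPHABET = 10
ALNUM_ALPHABET = 62


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of a fixed length over an alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an unthrottled guesser to try every value.
    The guess rate is an assumed figure, not one measured on any site."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


class AccountLockout:
    """Hypothetical mitigation: the failure counter is keyed on the account
    identifier (the phone number), not on a browser cookie, so clearing
    cookies or scripting the login form does not reset it."""

    def __init__(self, max_failures: int = 4):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # account -> consecutive failures

    def attempt(self, account: str, pin: str, real_pin: str) -> str:
        # Check the lock before comparing: a correct PIN after the threshold
        # is still rejected, which is exactly what a cookie-based lock missed.
        if self.failures[account] >= self.max_failures:
            return "locked"
        if hmac.compare_digest(pin, real_pin):  # constant-time comparison
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"


def replay_burke_test(lockout: AccountLockout, account: str, real_pin: str, bad_guesses: int) -> str:
    """Burke's experiment: many wrong logins followed by the correct one.
    Returns the outcome of that final, correct attempt."""
    for i in range(bad_guesses):
        guess = f"{(i + 1) % 1_000_000:06d}"
        if guess != real_pin:
            lockout.attempt(account, guess, real_pin)
    return lockout.attempt(account, real_pin, real_pin)


if __name__ == "__main__":
    print(keyspace(PIN_ALPHABET, 6), keyspace(ALNUM_ALPHABET, 8))
    print(f"{hours_to_exhaust(PIN_ALPHABET, 6, 100):.1f} h at 100 guesses/s")
    # Constructed sample account and PIN; not a real subscriber.
    print(replay_burke_test(AccountLockout(), "+1-555-0100", "000000", 100))
```

With an account-keyed counter the final correct login in the replay returns "locked" rather than "ok", so the 100-bad-then-good sequence Burke describes no longer succeeds.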

The worst part is that when Burke went public and tweeted at Virgin Mobile U.S. about the security concern, the company's only response was to direct him to a section of its Terms of Service agreement. What an irony! Enterprises usually learn their lesson only after a massive breach and then scramble to fix things. Here, Virgin Mobile could proactively take security measures to safeguard its users, yet it is unwilling to take any measurable step.
