Virgin Mobile customers beware: your phone number is the key to your personal information. Independent developer Kevin Burke, who warned Virgin Mobile USA customers about a glaring security hole in the phone company's account login protocol, said, "If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you."
Virgin Mobile USA users manage their account by logging in through an online portal, which requires a mobile number and a 6-digit PIN. Once inside, customers can check their call records, change the handset associated with their number, and update their personal details.
In a blog post on Monday, Kevin Burke detailed how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse.
"It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day," Burke said in the post. "I verified this by writing a script to 'brute force' the PIN number of my own account."
For comparison, an 8-letter password with uppercase letters, lowercase letters, and digits has 218,340,105,584,896 possible combinations, Burke said.
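To make the keyspace comparison concrete from the defender's side, here is an added example (not Burke's script or any carrier code) that computes both keyspaces and simulates a full sweep of the 6-digit PIN space against a mock login with and without a per-account lockout. The account number, PIN store and lockout policy (5 failures, 15 minutes) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

PIN_SPACE = 10 ** 6            # every 6-digit numeric PIN
PASSWORD_SPACE = 62 ** 8       # 8 chars from A-Z, a-z, 0-9 (the article's comparison)
ONE_DAY = 86400.0

def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every value at a sustained, unthrottled rate."""
    return keyspace / guesses_per_second

@dataclass
class PinLoginGuard:
    """Mock account login with per-account lockout (hypothetical policy, not the
    carrier's): after max_failures wrong PINs the account refuses further attempts
    for lockout_seconds. max_failures=None models an unthrottled portal."""
    pins: Dict[str, str]                      # phone number -> PIN (constructed store)
    max_failures: Optional[int] = 5
    lockout_seconds: float = 900.0
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, number: str, pin: str, now: float) -> str:
        if now < self.locked_until.get(number, 0.0):
            return "locked"                   # refused; the guess is not evaluated
        if self.pins.get(number) == pin:
            self.failures[number] = 0
            return "ok"
        self.failures[number] = self.failures.get(number, 0) + 1
        if self.max_failures and self.failures[number] >= self.max_failures:
            self.locked_until[number] = now + self.lockout_seconds
            self.failures[number] = 0
        return "bad_pin"

def exhaustive_guessing(guard: PinLoginGuard, number: str,
                        rate: float = 12.0, budget: float = ONE_DAY):
    """Simulate sweeping 000000..999999 against the mock guard at `rate` guesses/s.
    Returns ('found', n) if the PIN is hit within the budget, else ('blocked', n),
    where n is the number of guesses the guard actually evaluated."""
    t, i, evaluated = 0.0, 0, 0
    while i < PIN_SPACE and t <= budget:
        result = guard.attempt(number, f"{i:06d}", t)
        if result == "locked":
            t = guard.locked_until[number]    # wait out the lockout, retry the same guess
            continue
        evaluated += 1
        if result == "ok":
            return "found", evaluated
        i += 1
        t += 1.0 / rate
    return "blocked", evaluated

if __name__ == "__main__":
    store = {"5551234567": "999999"}          # constructed account, worst-case PIN
    print(exhaustive_guessing(PinLoginGuard(dict(store), max_failures=None), "5551234567"))
    print(exhaustive_guessing(PinLoginGuard(dict(store)), "5551234567"))
```

At 12 guesses per second the unthrottled sweep finishes inside a day, while the same policy-protected account evaluates only a few hundred guesses in that time.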
Burke said that after several phone and email exchanges with parent company Sprint, in which he attempted to warn them about the exploit, he was ignored and his concern was dismissed. That's when he decided to expose the flaw to the public.
A Sprint spokeswoman said that the company maintains confidentiality about its security measures, but noted that customer accounts are monitored constantly for possible illegal or inappropriate activity.
"We greatly appreciate Mr. Burke's outreach to the company and are reaching out to him as well," she said. "His inquiry did enable us to even further secure our customers' accounts."
Virgin Mobile USA's Manage My Account portal is down as of Wednesday, September 19, 3:34 p.m. AEST (Tuesday, September 18, 11:34 p.m. PT). Virgin Mobile Australia also uses a 6-digit PIN system for customers to access their account online. Virgin Mobile Australia stressed that while both companies operate under the Virgin brand, it is a completely separate entity from Virgin Mobile USA, and claimed that its customers are not affected by the security flaw in question.