Is your Virgin Mobile account insecure?

Kevin Burke, a programmer and web developer, recently ran a blog post detailing Virgin’s weak security. The worst part: there’s no real way around it until Virgin acts.

In a nutshell, the issue centers on password predictability. We’re always warned to choose a strong password that contains numbers, letters, and symbols. As Burke notes, an 8-character, case-sensitive password that mixes letters and digits allows over 200 trillion possible passwords. Add in symbols and you create even more possibilities. Unfortunately, Virgin only allows passwords that consist of six digits. That makes for just one million combinations — even fewer, because they reject passwords that use more than three identical numbers in a row, or three sequential digits. There are, then, fewer than 1 million possibilities, which makes hacking much, much easier.

Hackers can gain access to your account using brute force. That is, they have a program run through these million combinations — which takes little time — and eventually it will hit on the right one. Virgin has told people that they have started locking accounts after four failed attempts, but this is not an effective method. As Burke explains, emphasis his:

However, the fix relies on cookies in the user’s browser. This is like Virgin asking me to tell them how many times I’ve failed to log in before, and using that information to lock me out. They are still vulnerable to an attack from anyone who does not use the same cookies with each request.
If a hacker or other malicious type is savvy enough to execute a brute force attack on your account, surely he or she is smart enough to delete cookies. As Burke notes, there’s no way to prevent this type of attack, since there’s no way to make your password less predictable.

One big thing you should do: remove any credit card information from your account. If you have a credit card on file, whoever gains access to your account can use that to make purchases.

This is an unfortunate situation, and given Burke’s published dealings with Virgin Mobile, it’s even more unfortunate that they haven’t done anything about it. Perhaps media pressure will change that. I can’t imagine Virgin subscribers being happy to read this information. Via CNET.
