Virgin Mobile Plugs Security Hole, Millions Sigh in Relief
"Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means there are only one million possible passwords you can choose," Burke explained in a blog post. "This is horribly insecure. Compare a 6-digit number with a randomly generated 8 letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations."
If a Virgin Mobile user ticked off the wrong person, all the attacker would need is a fairly simple script that tries every PIN in turn; with only one million candidates and nothing stopping repeated guesses, they'd have access to the online account within the day. Furthermore, changing the PIN on a compromised account would provide only temporary relief, because the new one would be just as guessable.
"Now, after about 20 incorrect logins from one IP address, every further request to their servers returns 404 Not Found. This fixes the main vulnerability I disclosed Monday," Burke added to his blog in a recent update.
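To make the two points above concrete, here is an added Python model (not Virgin Mobile's code, and not from Burke's post) of a phone-number plus 6-digit PIN login. It computes the keyspaces the post compares, runs a single-IP brute force against a service with no lockout, and then against one that, like the fix described, answers 404 to every request from an IP after 20 failed logins. The account table, phone numbers, IP addresses and the 20-attempt threshold are constructed sample data and assumptions for the demonstration.

```python
"""Illustrative model of a phone-number + 6-digit PIN login, the brute force
the small PIN space allows, and a per-IP lockout like the one the article
quotes. Example code; not Virgin Mobile's implementation."""
import hmac
import math
from typing import Dict, Optional, Tuple


# --- keyspace arithmetic from the post -------------------------------------
def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct credentials of `length` symbols from an alphabet of
    `alphabet_size` symbols (10 digits, or 26+26+10 = 62 alphanumerics)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


# --- a hypothetical login endpoint -----------------------------------------
class PinLoginService:
    """Username is the phone number, password is a 6-digit PIN.

    max_failures_per_ip=None models the pre-fix behaviour (unlimited guesses).
    Otherwise, once an IP has that many failed logins, every further request
    from it is answered with 404, mirroring the fix described in the article.
    PINs are held in plaintext here only to keep the model short; a real
    service would store a salted hash."""

    OK, BAD_CREDS, LOCKED = 200, 401, 404

    def __init__(self, accounts: Dict[str, str],
                 max_failures_per_ip: Optional[int] = 20):
        self._accounts = dict(accounts)          # phone number -> PIN
        self._failures: Dict[str, int] = {}      # ip -> failed login count
        self.max_failures_per_ip = max_failures_per_ip

    def login(self, ip: str, phone: str, pin: str) -> int:
        if (self.max_failures_per_ip is not None
                and self._failures.get(ip, 0) >= self.max_failures_per_ip):
            return self.LOCKED
        # Constant-time comparison; unknown numbers compare against "" so the
        # code path is the same whether or not the account exists.
        stored = self._accounts.get(phone, "")
        if hmac.compare_digest(stored, pin):
            return self.OK
        self._failures[ip] = self._failures.get(ip, 0) + 1
        return self.BAD_CREDS


def brute_force_pin(service: PinLoginService, ip: str,
                    phone: str) -> Tuple[Optional[str], int]:
    """Try every 6-digit PIN from one IP, in order.
    Returns (PIN if found else None, number of requests sent)."""
    total = keyspace(10, 6)
    for n in range(total):
        pin = f"{n:06d}"
        status = service.login(ip, phone, pin)
        if status == PinLoginService.OK:
            return pin, n + 1
        if status == PinLoginService.LOCKED:
            return None, n + 1
    return None, total


# Constructed sample data for the demonstration.
SAMPLE_ACCOUNTS = {"555-0100": "042317"}
ATTACKER_IP = "198.51.100.7"

if __name__ == "__main__":
    print(f"6-digit PIN keyspace:   {keyspace(10, 6):,} "
          f"({entropy_bits(10, 6):.1f} bits)")
    print(f"8-char [A-Za-z0-9]:      {keyspace(62, 8):,} "
          f"({entropy_bits(62, 8):.1f} bits)")
    no_lockout = PinLoginService(SAMPLE_ACCOUNTS, max_failures_per_ip=None)
    print("no lockout:", brute_force_pin(no_lockout, ATTACKER_IP, "555-0100"))
    with_lockout = PinLoginService(SAMPLE_ACCOUNTS)
    print("20-failure lockout:",
          brute_force_pin(with_lockout, ATTACKER_IP, "555-0100"))
```

Running it shows the attacker recovering the sample PIN after 42,318 requests when guesses are unlimited, and being cut off after the 21st request once the per-IP counter is in place. The model also makes visible a side effect of this particular fix: the lockout is keyed on the source address, so after the attacker trips it, anyone else behind the same IP gets 404 as well, while a request from a different address is unaffected.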
Even with the fix in place, Burke contends that PINs are a bad idea for several reasons. One is that people can't reuse their usual password, so they fall back on something obvious, like a birthday. It's also risky that Virgin Mobile asks for PINs in emails and over the phone, "so if an attacker gains access to someone's email, or is within earshot of someone on a call to customer service, they have the PIN right here."