Information Security News mailing list archives

Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 18 Sep 2012 00:15:55 -0500 (CDT)

http://www.wired.com/threatlevel/2012/09/virgin-mobile/

By Ryan Singel
Threat Level
Wired.com
09.17.12

Virgin Mobile U.S. promises its customers that it uses “standard industry practices” to protect its customers’ personal data -- but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber’s account, see who they call and text, register a different phone on the account and even purchase a new iPhone.

That’s according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer’s phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password -- which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.
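The two weaknesses in that paragraph, a six-digit PIN space and no limit on guesses, are shown side by side in the following toy model. This is an added example, not code from the article or from Kevin Burke; the lockout policy (five failures, then a 15-minute lock) and the sample account are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PIN_SPACE = 10 ** 6        # six decimal digits, as in the article
MAX_FAILURES = 5           # assumed policy: lock after five wrong PINs
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lockout

@dataclass
class Account:
    phone: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked table does not hand over the PINs directly;
    # iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)

def make_account(phone: str, pin: str) -> Account:
    salt = os.urandom(16)
    return Account(phone, salt, hash_pin(pin, salt))

def check_pin_unthrottled(acct: Account, pin: str) -> bool:
    # The weak behaviour the article describes: every guess is answered.
    return hmac.compare_digest(acct.pin_hash, hash_pin(pin, acct.salt))

def check_pin_throttled(acct: Account, pin: str, now: float) -> str:
    # Hardened form: per-account failure counter plus a temporary lockout.
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(acct.pin_hash, hash_pin(pin, acct.salt)):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return "bad"

def days_to_exhaust(max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS, space=PIN_SPACE) -> float:
    # Guesses possible per day once lockouts are enforced, and the days
    # needed to try every PIN at that rate (about 2083 with the policy above).
    guesses_per_day = max_failures * (86400 / lockout)
    return space / guesses_per_day
```

With the unthrottled check the whole million-PIN space can be walked in a day, which matches what Burke observed; the throttled check caps an attacker at 480 guesses per day, so exhausting the space takes years rather than hours.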

Once an unauthorized user is in, they can read a customer’s communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account -- without notification to the previous address.

[...]
