What companies consider “standard industry practices” for web security never fails to amaze. This time it’s Virgin Mobile US in the firing line, having been outed for some incredibly poor authentication on its website.
The main problem here is that the Virgin Mobile US website forces you to use your cell phone number as your username and a 6-digit numerical PIN as your password, with unlimited attempts to guess that password. A 6-digit numeric PIN gives only 1 million possible combinations. And since the website also restricts the number of repeated or sequential digits, the real number is a good deal smaller than that. I’m sure the intent there was to help you create a more difficult-to-guess PIN, but with so few choices and unlimited attempts, it’s really a wasted effort. And given that Virgin Mobile US has 6 million subscribers, on average every possible PIN is shared by more than 6 customers.
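To put numbers on the two problems above (a tiny keyspace, made smaller by the PIN rules, and no cap on guesses), here is an added example in Python. It is not code from the article or from Kevin Burke’s report: the exact repeat/sequence rules are assumed (no digit repeated more than twice in a row, no run of more than three consecutive ascending or descending digits), and the lockout verifier is a toy model of the server-side mitigation that the unlimited-attempt design lacks.

```python
import itertools


def is_allowed(pin, max_repeat=2, max_sequence=3):
    """Return True if a PIN passes the (assumed) composition rules.

    pin may be a string ("123456") or a sequence of ints.
    max_repeat: longest permitted run of the same digit (e.g. "11" ok, "111" not).
    max_sequence: longest permitted run of ascending or descending consecutive
    digits ("123" ok, "1234" not). Wrap-around (9 -> 0) is not treated as sequential.
    """
    digits = tuple(int(c) for c in pin) if isinstance(pin, str) else tuple(pin)
    rep = up = down = 1
    for a, b in zip(digits, digits[1:]):
        rep = rep + 1 if b == a else 1
        up = up + 1 if b == a + 1 else 1
        down = down + 1 if b == a - 1 else 1
        if rep > max_repeat or up > max_sequence or down > max_sequence:
            return False
    return True


def effective_keyspace(length=6, max_repeat=2, max_sequence=3):
    """Count how many PINs survive the composition rules.

    Enumerates all 10**length candidates; for length 6 that is one million,
    which takes a few seconds in CPython but is exact.
    """
    return sum(
        1
        for digits in itertools.product(range(10), repeat=length)
        if is_allowed(digits, max_repeat, max_sequence)
    )


def expected_guesses_unlimited(keyspace):
    """Average number of guesses to hit a uniformly random PIN when nothing
    stops the guesser: (keyspace + 1) / 2."""
    return (keyspace + 1) / 2


def success_probability_with_lockout(keyspace, attempts_before_lockout):
    """Chance that a guesser gets a uniformly random PIN right before a
    per-account lockout triggers. This is the quantity a rate limit controls."""
    return min(1.0, attempts_before_lockout / keyspace)


class PinVerifier:
    """Toy server-side verifier with a per-account failure counter.

    After max_failures wrong PINs the account is locked and further checks
    return "locked" until an out-of-band reset (not modelled here). This is
    the mitigation the unlimited-attempt design lacks.
    """

    def __init__(self, pins, max_failures=5):
        self._pins = dict(pins)          # phone number -> PIN (constructed sample data)
        self._failures = {}
        self.max_failures = max_failures

    def check(self, phone, pin):
        if self._failures.get(phone, 0) >= self.max_failures:
            return "locked"
        if self._pins.get(phone) == pin:
            self._failures[phone] = 0
            return "ok"
        self._failures[phone] = self._failures.get(phone, 0) + 1
        return "denied"


if __name__ == "__main__":
    ks = effective_keyspace()
    print(f"PINs allowed under the assumed rules: {ks:,} of 1,000,000")
    print(f"average guesses with no attempt limit: {expected_guesses_unlimited(ks):,.0f}")
    print(f"success chance with lockout after 5 tries: {success_probability_with_lockout(ks, 5):.2e}")
    print(f"customers per PIN at 6M subscribers: {6_000_000 / ks:.1f}")
```

The point of the numbers: composition rules shrink the space rather than enlarging it, and the only lever that actually changes the attacker’s odds is the attempt limit. A per-account lockout caps guesses against any one account; it does nothing about the fact that a million-odd PINs spread over six million customers means many accounts share a PIN, which is why a longer or alphanumeric secret is still needed.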
Virgin Mobile has not yet made any effort to fix this, despite being informed about the issue over a month ago by developer Kevin Burke. Even more galling is that Virgin reps requested that he include both phone number and PIN in communications with them. So there are the keys to the metaphorical castle, in plain text, for anyone to steal. How convenient!
This vulnerability in the Virgin Mobile website allows the following actions:
- Seeing who you’ve been calling and texting
- Changing the handset associated with your account
- Purchasing a handset on your behalf, with your credit card on file
- Changing your mailing address, email address, or PIN
At this time, there is no way for Virgin Mobile users to protect their accounts against unauthorized access or changes. It’s recommended that you remove your credit card information from the website, at least until this issue has been fixed.
Burke provided Virgin Mobile with a list of possible ways to resolve this issue, which are all excellent security recommendations. Hopefully they get on this soon, as this could lead to some serious Honan-style hacking mayhem.