Virgin Mobile login leaves customers open to hacks

Virgin Mobile USA customers are vulnerable to hackers, says one user who says he’s been unable to get the company to take the issue seriously.

To access and manage their accounts, customers need to log in with their phone number and a six-digit PIN. They can then see who’s been called or texted using the phone, change the handset associated with the number, change address, email address and password, and even buy a new handset.

But a PIN of this length means there are only around a million possible combinations. And the company’s system permits people to carry on trying indefinitely, rather than only allowing a certain number of attempts.

“This is horribly insecure,” says customer Kevin Burke, who alerted the company to the problem. “It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day. I verified this by writing a script to ‘brute force’ the PIN number of my own account.”

But when Burke alerted the company, he says, he got a very unsatisfactory response.

“I reported the issue to Virgin Mobile USA a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly,” he says.

Indeed, after to-ing and fro-ing for a month, Virgin told him not to expect any action on the issue.

Sprint has now claimed that users will from now on be locked out after four failed attempts. However, the fix relies on cookies in the user’s browser.

“This is like Virgin asking me to tell them how many times I’ve failed to log in before, and using that information to lock me out,” says Burke. “They are still vulnerable to an attack from anyone who does not use the same cookies with each request.”

Meanwhile, Virgin’s login page was out of action last night – it’s not clear why.