Softpedia
 


September 18th, 2012, 06:53 GMT · By

Virgin Mobile Exposes Millions of Customers by Implementing Poor Password Security


Passwords of Virgin Mobile customers exposed to brute-force attacks
In an age where information security should be at the top of the priority list for all companies that handle sensitive information, passwords are a key element in protecting data and digital assets. However, according to an expert, Virgin Mobile fails in this respect, leaving its millions of customers exposed.

Developer Kevin Burke has found that a serious vulnerability in the systems of Virgin Mobile – a prepaid subsidiary of Sprint, the third-largest carrier in the United States – allows a potential attacker to gain access to texting and call logs, change users’ email address, physical address and password, and change the handset associated with a specific phone number.

A cybercriminal could also leverage the security hole identified by Burke to purchase a handset on behalf of the customer whose account he has breached.

So what is the actual vulnerability?

When logging in to their accounts, customers – all six million of them – have to use their phone number as the username and a 6-digit number as a password.

The problem lies in this 6-digit PIN. Compared to passwords made of uppercase and lowercase letters, numbers and symbols, it’s very easy to break with a brute-force attack.

To demonstrate his theory, Burke wrote a simple script that he tested on his own account. As he learned, the PIN could be cracked in no time, allowing malicious actors to “make the victim’s life a living hell.”

Unfortunately, there is no way to protect yourself against this attack, because even if you change your PIN, the new one would be just as easy to guess.

There are a number of things Virgin Mobile could do to address this issue. They could allow customers to set stronger PINs, freeze accounts after 5 failed password attempts, and implement two-step verification.
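An added example (not Burke's script and not Virgin Mobile's code) of the second mitigation listed above: a login check that freezes an account after 5 failed attempts, together with the bound this puts on guessing a 6-digit PIN. The class and function names are hypothetical, and the in-memory plaintext PIN store is a simplification.

```python
import hmac

PIN_SPACE = 10 ** 6   # 6-digit numeric PIN, as described in the article
MAX_FAILURES = 5      # freeze threshold suggested in the article


class PinAuthenticator:
    """In-memory login check that freezes an account after repeated failures."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._pins = {}       # phone -> PIN (assumption: a real system stores a salted hash)
        self._failures = {}   # phone -> consecutive failed attempts
        self._frozen = set()  # accounts that need out-of-band recovery

    def enroll(self, phone, pin):
        self._pins[phone] = pin
        self._failures[phone] = 0

    def login(self, phone, pin):
        """Return 'ok', 'denied' or 'frozen'."""
        # Checked before the PIN comparison: once frozen, even the
        # correct PIN must not unlock the account.
        if phone in self._frozen:
            return "frozen"
        stored = self._pins.get(phone, "")
        # Constant-time comparison on bytes avoids leaking a partial match.
        if stored and hmac.compare_digest(stored.encode(), pin.encode()):
            self._failures[phone] = 0
            return "ok"
        self._failures[phone] = self._failures.get(phone, 0) + 1
        if self._failures[phone] >= self.max_failures:
            self._frozen.add(phone)
            return "frozen"
        return "denied"


def guess_success_probability(attempts_allowed, pin_space=PIN_SPACE):
    """Chance that distinct guesses hit a uniformly random PIN before the freeze."""
    return min(attempts_allowed, pin_space) / pin_space
```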

Implementing best practices that protect against “bad behavior” even if an attacker knows the passcode would also be a good solution to this problem.

However, even though they have been aware of this issue since the middle of August, Virgin Mobile representatives have failed to do anything about it, leaving their customers exposed to these easy-to-execute attacks.

Hopefully, now that the issue has escalated and attracted media attention, the company will act to implement at least some of the security measures highlighted by Burke.



READER COMMENTS:


Comment #1 by: Terry on 18 Sep 2012, 15:41 UTC

Thanks for the article. We all need to be more proactive about our personal account security. One thing I personally am encouraging people to do is, when possible, take advantage of the sites that offer Two-Factor Authentication. Although 2FA has been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication for email wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
