Sprint, the mobile carrier that owns Virgin Mobile, claims to have addressed the PIN brute force attack issue discovered by Kevin Burke. However, the expert claims that more measures should be implemented.
A few days ago, Burke highlighted the fact that using a 6-digit PIN as a password was insecure, since the PIN could easily be recovered by brute force. Initially, the company didn’t seem willing to address the issue, but after the problem was picked up by numerous media outlets, their attitude changed.
On Monday night, the expert noticed that the carrier tried to address the vulnerability by restricting the number of failed login attempts to four.
“However, the fix relies on cookies in the user’s browser. This is like Virgin asking me to tell them how many times I’ve failed to log in before, and using that information to lock me out. They are still vulnerable to an attack from anyone who does not use the same cookies with each request,” Burke noted.
A couple of days later, Sprint went even further and properly addressed the main security hole.
“Virgin took down their login page for 4 hours Tuesday night to deploy new code. Now, after about 20 incorrect logins from one IP address, every further request to their servers returns 404 Not Found. This fixes the main vulnerability I disclosed Monday,” the expert explained.
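The difference between the two fixes described above is where the failure counter lives. The following Python example, added here and not code from Virgin Mobile, Sprint or Burke, contrasts a throttle that stores the count in a client cookie (any client that discards its cookies always presents a count of zero) with one that keeps the count server-side, keyed by source IP, as the second fix does. The thresholds of 4 and 20 come from the article; the class names, the in-memory store and the additional per-account counter (a common defensive complement that the article does not mention) are my assumptions.

```python
"""Cookie-carried failure counter vs. server-side throttling for PIN logins.

Illustrative code added to this article; not the carrier's implementation.
COOKIE_LIMIT and IP_LIMIT come from the article; ACCOUNT_LIMIT, the class
names and the in-memory store are assumptions for the demonstration.
"""
from collections import defaultdict

COOKIE_LIMIT = 4       # first fix: lockout after 4 failures recorded in a cookie
IP_LIMIT = 20          # second fix: block an IP after about 20 failed logins
ACCOUNT_LIMIT = 10     # assumed extra control: lock the account itself


class CookieThrottle:
    """Weak design: the client carries its own failure count in a cookie.

    The server trusts whatever count the request presents, so a client that
    starts every request without cookies is never locked out.
    """

    def check_and_record(self, cookies, success):
        failures = int(cookies.get("failures", 0))
        if failures >= COOKIE_LIMIT:
            return False, cookies          # locked out for this cookie jar
        if not success:
            failures += 1
        return True, {**cookies, "failures": str(failures)}


class ServerSideThrottle:
    """Corrected design: failure counts live on the server, keyed by source IP
    and by account, so nothing the client sends can reset them."""

    def __init__(self):
        self.failures_by_ip = defaultdict(int)
        self.failures_by_account = defaultdict(int)

    def allowed(self, ip, account):
        return (self.failures_by_ip[ip] < IP_LIMIT
                and self.failures_by_account[account] < ACCOUNT_LIMIT)

    def record(self, ip, account, success):
        if success:
            self.failures_by_account[account] = 0   # valid login clears the account count
            return
        self.failures_by_ip[ip] += 1
        self.failures_by_account[account] += 1


def honest_cookie_client(throttle, attempts):
    """A browser that keeps its cookies: returns how many guesses were served."""
    cookies, served = {}, 0
    for _ in range(attempts):
        ok, cookies = throttle.check_and_record(cookies, success=False)
        served += ok
    return served


def cookieless_client(throttle, attempts):
    """A client that presents no cookies on each request: same throttle, no lockout."""
    served = 0
    for _ in range(attempts):
        ok, _ = throttle.check_and_record({}, success=False)
        served += ok
    return served


def server_side_client(throttle, ip, account, attempts):
    """Against the server-side throttle the source of the requests is what counts."""
    served = 0
    for _ in range(attempts):
        if throttle.allowed(ip, account):
            served += 1
            throttle.record(ip, account, success=False)
    return served


if __name__ == "__main__":
    # Constructed sample source: RFC 5737 documentation address and a made-up account.
    print("cookie throttle, honest client :", honest_cookie_client(CookieThrottle(), 100))
    print("cookie throttle, no cookies    :", cookieless_client(CookieThrottle(), 100))
    print("server-side throttle           :",
          server_side_client(ServerSideThrottle(), "203.0.113.5", "acct-0001", 100))
```

Run it and the first two lines show the point of Burke's objection: the cookie design stops a cooperative browser after 4 failures but serves all 100 guesses to a client that simply never sends the cookie back. The server-side counter serves at most 10 here because the per-account limit trips before the per-IP one; with that extra control removed, the IP limit of 20 would apply, matching the behaviour the article describes.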
Although the brute force attack no longer works, Burke argues that PIN-based authentication is flawed at its core for several reasons. Firstly, users tend to choose PINs they can remember easily, such as their birth dates, which puts the information within reach of any skilled social engineer.
Furthermore, Virgin Mobile’s customer service asks users to hand over their PINs in emails and over the phone. This means that if an attacker gains access to the email account or can eavesdrop on a phone call, the passcode is exposed.
A company representative told Computerworld that additional safeguards were in place to protect customers, but declined to detail the measures. They did underscore the fact that customer accounts were permanently monitored for any signs of misuse.