Developer reveals Virgin Mobile login flaw

Company has flunked 'Web security 101' with lax username and password requirements, says developer who divulged

An independent developer has disclosed what he says is a glaring hole in Virgin Mobile USA's account login system that leaves the company's 6 million subscribers open to attack.

Kevin Burke disclosed the flaw in a blog post on Monday after waiting a month for Virgin to fix the problem.

Burke claims Virgin has flunked "Web security 101" by requiring subscribers to use their mobile phone number as a username and a six-digit number as a password when setting up online access to their accounts. The latter leaves only 1 million password possibilities.

"It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN (personal identification number) inside of one day," Burke said. "I verified this by writing a script to brute force the PIN number of my own account."

In a statement sent by email Tuesday, Virgin Mobile USA's parent company, Sprint, said it was evaluating Burke's claims. "We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile."

Sprint pointed out that people are automatically locked out of their accounts after multiple failed attempts. Burke claimed that extra layer of security is ineffective, if it relies on cookies set in the browser to tell the site that it is the same computer trying to access the account. "They are still vulnerable to an attack from anyone who does not use the same cookies with each request," Burke said.

[See also: Mobile security threats are heating up

George Tubin, senior security strategist for Trusteer, agreed that a six-digit password alone is not considered very secure. However, Virgin Mobile could have other authentication mechanisms hidden from the user, such as device identification. In addition, the lockout mechanism based on failed attempts could be linked to the person's user name, not browser cookies.

"They could very well have other things going on in the background, which I expect they do," Tubin said. "Nonetheless, having a six-digit password is usually considered to be insufficient."

To make the login more secure, Virgin could require more complex passwords and provide two-step verification that requires a password and access to the mobile phone, Burke said. Just upping password requirements to include an eight-character password of uppercase and lowercase letters, as well as digits increase the number of possible combinations to almost 220 trillion.

A hacker with someone's password would have access to a Virgin subscriber's call and text-messaging logs and could purchase a handset with the credit card the subscriber has on file. A hacker could also change the handset associated with the account and start receiving and responding to calls and SMS messages meant for the subscriber.

Copyright © 2012 IDG Communications, Inc.

8 pitfalls that undermine security program success