Virgin Mobile USA customers vulnerable to password security flaw

Summary: Virgin Mobile USA's method of making customers use a mobile number and a 6-digit password to log in to their accounts makes them easy to hack, according to one of the company's customers.

Virgin Mobile customers in the US are vulnerable to a simple security flaw that could put their personal information in jeopardy and allow hackers to take over their mobile phone accounts.

Virgin Mobile USA users manage their accounts by logging in through an online portal, which requires a mobile number and a 6-digit PIN. Once inside, customers can check their call records, change the handset associated with their number, and update their personal details.

A 6-digit PIN only results in around 1 million possible combinations, and the system does not lock the account after a certain number of failed password attempts. Hackers can therefore easily use brute-force methods to access a customer's account, as long as they know the mobile phone number.

The vulnerability was raised by Virgin Mobile USA customer Kevin Burke, who successfully hacked his own account to prove that there is indeed a security issue. He pointed out that there is no way for a customer to avoid this vulnerability, and said that he informed Virgin Mobile USA of the issue over a month ago, but that the company has yet to take any action.

Virgin Mobile USA's Manage My Account portal is down as of Wednesday, September 19, 3:34 p.m. AEST (Tuesday, September 18, 11:34 p.m. PT).

Virgin Mobile Australia also uses a 6-digit PIN system for customers to access their accounts online. The Australian carrier stressed that while both companies operate under the Virgin brand, Virgin Mobile Australia is a completely separate entity from Virgin Mobile USA.

Virgin Mobile Australia claimed that its customers are not affected by the security flaw in question.

"We have a raft of security measures in place to safeguard our customers' personal information, including a formal identification process consistent with the Privacy Act and Telecommunications Act," Virgin Mobile Australia told ZDNet. "For added security, Virgin Mobile customers cannot use a PIN consisting of sequential numbers or the same number repeated, and will receive only three attempts to log in to My Account prior to being locked out of the system."
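The two controls the Australian carrier describes (no sequential or repeated PIN digits, lockout after three failed attempts) are exactly what the US portal is reported to lack. The following is an added Python example of such a login guard; it is not ZDNet's or Virgin Mobile's code, and the mobile number, PIN and 15-minute lockout duration in it are constructed or assumed.

```python
import hmac
from collections import defaultdict

# Policy values taken from the article: 6-digit PIN, three attempts before lockout.
PIN_LENGTH = 6
MAX_ATTEMPTS = 3
# Assumed lockout duration; the article does not say how long a lock lasts.
LOCKOUT_SECONDS = 15 * 60


def pin_is_weak(pin: str) -> bool:
    """True if the PIN is not 6 digits, is one digit repeated (e.g. 555555),
    or is a run of consecutive digits in either direction (e.g. 123456, 654321)."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


class PinLoginGuard:
    """Login check keyed by mobile number with a failed-attempt counter.
    Without the counter, the 10**6 possible PINs can be tried exhaustively;
    with MAX_ATTEMPTS per lockout window the search is throttled."""

    def __init__(self, pins, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self._pins = pins  # {mobile_number: pin}; a real system stores a hash, not the PIN
        self._max_attempts = max_attempts
        self._lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, number: str, pin: str, now: float) -> str:
        """Return 'locked', 'invalid' or 'ok'. Unknown numbers and wrong PINs get the
        same answer so the form does not reveal which numbers belong to customers."""
        if self._locked_until.get(number, 0) > now:
            return "locked"
        stored = self._pins.get(number)
        if stored is not None and hmac.compare_digest(stored, pin):
            self._failures.pop(number, None)
            return "ok"
        self._failures[number] += 1
        if self._failures[number] >= self._max_attempts:
            # Lock the account itself, not only the client IP: a brute-force run can rotate IPs.
            self._locked_until[number] = now + self._lockout_seconds
            self._failures.pop(number, None)
        return "invalid"
```

Locking by account means anyone who knows a number can lock its owner out, so a lockout like this needs an out-of-band unlock path (the identification process the carrier mentions) rather than a silent permanent lock.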

Topics: Security, Australia

About

Spandas forayed into tech journalism in 2009 as a fresh university graduate spurring her passion for all things tech. Based in Australia, Spandas covers enterprise and business IT.
