Virgin Mobile USA customers vulnerable to password security flaw

Summary: Virgin Mobile USA's method of making customers use a mobile number and a 6-digit password to log in to their accounts makes them easy to hack, according to one of the company's customers.

Virgin Mobile customers in the US are vulnerable to a simple security flaw that could put their personal information in jeopardy and allow hackers to take over their mobile phone accounts.

Virgin Mobile USA users manage their account by logging in through an online portal, which requires only a mobile number and a 6-digit PIN. Once inside, customers can check their call records, change the handset associated with their number, and update their personal details.

A 6-digit numeric PIN yields only around 1 million (10^6) possible combinations, and the portal does not lock the account after a given number of failed login attempts. An attacker who knows a customer's mobile phone number can therefore simply try PINs until one works, and the system does nothing to stop them.

The vulnerability was raised by Virgin Mobile USA customer Kevin Burke, who demonstrated it against his own account to prove that the issue is real. He pointed out that customers have no way to protect themselves from this weakness, and said that he informed Virgin Mobile USA of the issue over a month ago, but that the company has yet to take any action.

Virgin Mobile USA's Manage My Account portal is down as of Wednesday, September 19, 3:34 p.m. AEST (Tuesday, September 18, 11:34 p.m. PT).

Virgin Mobile Australia also uses a 6-digit PIN for customers to access their account online. It stressed that, while both companies operate under the Virgin brand, Virgin Mobile Australia is a completely separate entity from Virgin Mobile USA.

Virgin Mobile Australia claimed that its customers are not affected by the security flaw in question.

"We have a raft of security measures in place to safeguard our customers' personal information, including a formal identification process consistent with the Privacy Act and Telecommunications Act," Virgin Mobile Australia told ZDNet. "For added security, Virgin Mobile customers cannot use a PIN consisting of sequential numbers or the same number repeated, and will receive only three attempts to log in to My Account prior to being locked out of the system."
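As an added illustration, not code from the article or from either Virgin Mobile company, the Python below models the two login designs the article contrasts: a portal with no failed-attempt limit, and one that enforces the three-attempt lockout and the no-sequential, no-repeated-digit PIN rule Virgin Mobile Australia describes. The 6-digit length, the three-attempt limit and the exact interpretation of "sequential" are assumptions, and all account numbers and PINs are constructed.

```python
import hmac
from dataclasses import dataclass

PIN_LENGTH = 6      # assumed: 6-digit numeric PIN, as in the article
MAX_ATTEMPTS = 3    # assumed: the "three attempts" Virgin Mobile Australia quotes


def keyspace(length: int) -> int:
    """Number of all-numeric PINs of the given length (10**6 for 6 digits)."""
    return 10 ** length


def is_sequential(pin: str) -> bool:
    """True for runs such as 123456 or 654321 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True when every digit is the same, e.g. 000000."""
    return len(set(pin)) == 1


def pin_is_acceptable(pin: str) -> bool:
    """Policy: exactly PIN_LENGTH digits, not sequential, not one repeated digit."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    return not (is_sequential(pin) or is_repeated(pin))


@dataclass
class Account:
    number: str
    pin: str            # kept in clear for brevity; a real system stores a salted hash
    failed_attempts: int = 0
    locked: bool = False


class Portal:
    """lockout=False reproduces the weak behaviour the article describes."""
    def __init__(self, lockout: bool = True):
        self.lockout = lockout
        self.accounts = {}

    def register(self, number: str, pin: str) -> None:
        if not pin_is_acceptable(pin):
            raise ValueError("PIN violates policy")
        self.accounts[number] = Account(number, pin)

    def login(self, number: str, pin: str) -> str:
        acct = self.accounts.get(number)
        if acct is None:
            return "denied"          # same answer as a wrong PIN: no account enumeration
        if acct.locked:
            return "locked"
        if hmac.compare_digest(acct.pin, pin):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self.lockout and acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True       # hardened portal: stop further guessing
            return "locked"
        return "denied"              # weak portal: guessing can continue indefinitely
```

Against the weak portal, a wrong guess is answered with "denied" no matter how many times it is repeated; against the hardened one, the third wrong guess locks the account and even the correct PIN is refused afterwards.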

Spandas Lui

About Spandas Lui

Spandas forayed into tech journalism in 2009 as a fresh university graduate spurring her passion for all things tech. Based in Australia, Spandas covers enterprise and business IT.

Talkback

  • 2FA can be the key

    Thanks for the article. We all need to be more proactive about our personal account security. One thing I personally am encouraging people to do is, when possible, take advantage of the sites that offer Two-Factor Authentication. Although 2FA has been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication for email wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite for any system that wants to promote itself as being secure.
    Tgneg