Virgin Mobile USA customers vulnerable to password security flaw

Virgin Mobile customers in the US are vulnerable to a simple security flaw that could put their personal information in jeopardy and allow hackers to take over their mobile phone accounts.

Virgin Mobile USA users manage their account by logging in through an online portal, which requires a mobile number and a 6-digit pin. Once inside, customers can check their call records, change the handset associated with their number, and update their personal details.

A 6-digit pin only results in around 1 million possible combinations, and the system does not freeze the account after a certain number of failed password attempts. Hackers can therefore easily use brute-force hacking methods to access a customer's account, as long as they know the mobile phone number.

The vulnerability was raised by Virgin Mobile USA customer Kevin Burke, who successfully hacked his own account to prove that there is indeed a security issue. He pointed out that there is no way to avoid this vulnerability, and said that he informed Virgin Mobile USA of the issue over a month ago, but that the company has yet to take any action.

Virgin Mobile USA's Manage My Account portal is down as of Wednesday, September 19, 3:34 p.m. AEST (Tuesday, September 18, 11:34 p.m. PT).

Virgin Mobile Australia also uses a 6-digit PIN system for customers to access their account online. It stressed that while both companies operate under the Virgin Brand, Virgin Mobile Australia is a completely separate entity to Virgin Mobile USA.

Virgin Mobile Australia claimed that its customers are not affected by the security flaw in question.

"We have a raft of security measures in place to safeguard our customers' personal information, including a formal identification process consistent with the Privacy Act and Telecommunications Act," Virgin Mobile Australia told ZDNet. "For added security, Virgin Mobile customers cannot use a PIN consisting of sequential numbers or the same number repeated, and will receive only three attempts to log in to My Account prior to being locked out of the system."