Virgin Mobile's password security rapped by researchers
Millions of subscribers to Virgin Mobile USA, the pay-as-you-go arm of Sprint in the United States, may be at risk to hacker attack due to its weak password scheme for accessing their online accounts, according to security researchers.
Virgin Mobile's password deficiencies were exposed by independent software developer Kevin Burke in a blog on Monday.
Burke explains that the carrier requires its subscribers to use their mobile phone number as their user name and a six-digit number as their password when accessing their online accounts. That means there are only a million possible passwords available to a user, he wrote.
"This is horribly insecure," he asserts. By comparison, a randomly generated eight-character password containing upper and lower case letters and numbers creates more than 218 quadrillion combinations. (See also "Secure Your Life in 12 Steps.")
"It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day," he says. "I verified this by writing a script to 'brute force' the PIN number of my own account."
What's worse, Virgin did not lock an account (website or phone) after a limited number of failed attempts, making it even easier to "brute force" a password. That flaw has apparently been cleaned up since Burke wrote his condemnation.
However, Burke told Computerworld that the fix is ineffective. It will cut off a person logging into an account after four failed tries but only if the same cookie is used for each login attempt. By clearing cookies between tries or not using cookies while logging in at all, a lockout can be avoided.
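As an added illustration of the lockout design Burke criticises (constructed example code, not Virgin's system or Burke's script; the account number, PIN and cookie values are made up), the following toy login backend keeps one failure counter keyed by the client cookie and one keyed by the account, and shows that only the account-keyed counter stops a client that presents a fresh cookie on every guess:

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 4        # lockout threshold the article says Virgin applied
PBKDF2_ROUNDS = 50_000  # kept modest so the simulation below runs quickly


class AuthService:
    """Toy login backend (constructed example) with two failure counters: one keyed
    by the client cookie, as the article describes, and one keyed by the account."""

    def __init__(self, pins: dict):
        # Store a salted PBKDF2 hash of each PIN, never the PIN itself.
        self._salt = secrets.token_bytes(16)
        self._hashes = {acct: self._hash(pin) for acct, pin in pins.items()}
        self._by_account = defaultdict(int)
        self._by_cookie = defaultdict(int)

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)

    def login(self, account: str, pin: str, cookie: str, lockout_key: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lockout_key is 'cookie' or 'account'."""
        if lockout_key == "account":
            counter, key = self._by_account, account
        else:
            counter, key = self._by_cookie, cookie
        if counter[key] >= MAX_FAILURES:
            return "locked"  # refuse before the guess is even evaluated
        expected = self._hashes.get(account, b"\x00" * 32)  # same shape for unknown accounts
        if hmac.compare_digest(expected, self._hash(pin)):
            counter[key] = 0
            return "ok"
        counter[key] += 1
        return "denied"


def guesses_evaluated(lockout_key: str, attempts: int = 10) -> int:
    """Send wrong guesses against a constructed account, presenting a fresh cookie
    each time, and return how many guesses the server checked before locking."""
    svc = AuthService({"5551234567": "482913"})
    checked = 0
    for i in range(attempts):
        if svc.login("5551234567", f"{i:06d}", f"cookie-{i}", lockout_key) == "locked":
            break
        checked += 1
    return checked
```

Keying the counter only on the account lets anyone lock a customer out with four bad guesses, so in practice the account counter is paired with per-source throttling and progressive delays rather than a hard lock.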
Observes Stuart McClure, founder and CEO of Cylance: "The countermeasure they use to track logon attempts via cookies is preschool protection, not Fortune 500. Truly sad."
"There are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing," says Sprint spokesperson Stephanie Vinge.
"While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place," she says.
She notes that payment card data is not visible when viewing an online account. Other processes are in place to monitor and limit balance transfers and correct inappropriate charges, she adds.
"We haven’t seen any reports of Virgin customers’ accounts being hacked, nor any unauthorized access," she adds.
Nevertheless, security experts found Virgin's procedures wanting.
"It seems pretty sloppy to me, and even though most users won't be at immediate risk—now the problem is known about, there will be surely some mischief-makers who will try to exploit it," says Sophos Senior Technology Consultant Graham Cluley.
"The current system Virgin are using would be embarrassing 20 years ago—let alone today," he adds. "It's no wonder that users' confidence may be rattled."
The original omission of a failed attempt limit puzzled some experts. "If an attacker has an unlimited number of opportunities to guess your password, it doesn't matter how complex the password policy is, eventually they can get in," says Marcus Carey, a security researcher at Rapid7.
McClure, whose company Cylance is a stealth security firm, notes: "Passwords are the scourge of the cyber earth. They simply don’t work to protect anything."
That doesn't forgive Virgin's security sins, he adds. "The problem with Virgin Mobile is a problem of barebones, basic, simple kindergarten security—or lack of it," he declares.
"If a website like Virgin Mobile wants to truly protect their customers they will require difficult passwords and ideally employ some form of two-factor authentication like a soft token, one-time password, or similar along with their passwords."
In his blog, Burke explains that he informed Virgin about its password deficiencies but after a month of silence from the company, he decided to make his security analysis public.
"We greatly appreciate Mr. Burke’s outreach to the company and are reaching out to him as well," Sprint's Vinge said on Wednesday. "His inquiry did enable us to even further secure our customers’ accounts."