BreachExchange mailing list archives

Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked


From: security curmudgeon <jericho () attrition org>
Date: Tue, 18 Sep 2012 00:16:39 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.wired.com/threatlevel/2012/09/virgin-mobile/

By Ryan Singel
Threat Level
Wired.com
09.17.12

Virgin Mobile U.S. promises its customers that it uses "standard industry 
practices" to protect its customers' personal data -- but according to a 
Silicon Valley web developer, any first-year coder can bust into a 
subscriber's account, see who they call and text, register a different 
phone on the account and even purchase a new iPhone.

That's according to developer Kevin Burke, who discovered the flaws on his 
own account in August and notified the company, only to be told that the 
company had no intention of fixing its systems. Virgin Mobile U.S. serves 
millions of customers through pre-paid plans and is a wholly owned 
subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer's phone number as the 
account name, which is very guessable, and then requires a 6-digit PIN as 
the password -- which only provides a million possible passwords. Even 
worse, the site allows as many password guesses as one likes, something 
Burke confirmed by writing a short script to guess his own password in a 
day.

Once an unauthorized user is in, they can read a customer's 
communication logs, register a different phone to lock the customer out 
and read their text messages, change their address and order a new phone 
with the credit card on file. They can also lock a user out by changing 
the PIN and e-mail address on the account -- without notification to the 
previous address.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.
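The attack the forwarded article describes is a plain enumeration of the one million possible 6-digit PINs against a login endpoint that never stops accepting guesses. The Python below is an added example for this archive page; it is not code from the article, from Kevin Burke or from Virgin Mobile. It simulates a PIN check with and without a per-account lockout and runs the same brute force against both. The sample PIN, the lockout parameters (5 failures, 15 minutes) and the 12 guesses-per-second rate are assumptions chosen for illustration.

```python
"""Brute-forcing a 6-digit PIN with and without an attempt limit.

Added example: not code from the article, from Kevin Burke or from Virgin
Mobile. The PIN value and the lockout parameters are assumptions used for
illustration only.
"""
import hmac
import time

PIN_LENGTH = 6
KEYSPACE = 10 ** PIN_LENGTH  # 1,000,000 possible PINs


class AccountLocked(Exception):
    """Raised when the account is inside a lockout window."""


class UnlimitedPinCheck:
    """Vulnerable: every guess is checked, so the whole keyspace can be enumerated."""

    def __init__(self, pin: str) -> None:
        self._pin = pin

    def verify(self, guess: str) -> bool:
        # Constant-time compare; the weakness here is the missing attempt
        # limit, not the comparison itself.
        return hmac.compare_digest(self._pin, guess)


class LockedOutPinCheck:
    """Hardened: a per-account failure counter. After MAX_ATTEMPTS consecutive
    failures every guess, right or wrong, is rejected for LOCKOUT_SECONDS
    without being checked (assumed policy values)."""

    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, pin: str, clock=time.monotonic) -> None:
        self._pin = pin
        self._clock = clock  # injectable so the lockout can be tested offline
        self._failures = 0
        self._locked_until = 0.0

    def verify(self, guess: str) -> bool:
        now = self._clock()
        if now < self._locked_until:
            raise AccountLocked(f"locked for {self._locked_until - now:.0f}s")
        if hmac.compare_digest(self._pin, guess):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self._locked_until = now + self.LOCKOUT_SECONDS
            self._failures = 0
        return False


def brute_force(checker, limit: int = KEYSPACE):
    """Try 000000, 000001, ... in order against the checker.

    Returns (recovered_pin_or_None, guesses_made, stopped_by_lockout)."""
    for n in range(limit):
        guess = f"{n:0{PIN_LENGTH}d}"
        try:
            if checker.verify(guess):
                return guess, n + 1, False
        except AccountLocked:
            return None, n + 1, True
    return None, limit, False


def seconds_to_exhaust(guesses_per_second: float, keyspace: int = KEYSPACE) -> float:
    """Worst-case time to try every PIN at a sustained guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    pin = "731942"  # constructed sample, not a real PIN
    print(brute_force(UnlimitedPinCheck(pin)))  # ('731942', 731943, False)
    print(brute_force(LockedOutPinCheck(pin)))  # (None, 6, True)
    print(f"{seconds_to_exhaust(12) / 3600:.1f} hours at 12 guesses/s")  # 23.1 hours
```

Against the unlimited checker the enumeration recovers the PIN after at most a million requests, which at a modest 12 requests per second fits inside a day, matching the article's account. Against the lockout checker it is stopped after six requests. A lockout on its own is a blunt instrument: it lets an attacker who knows the phone number lock the legitimate subscriber out, so in practice it is paired with per-source throttling, notification of the account holder, and a stronger credential than a 6-digit PIN.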
