Given the news lately of how customers’ personal data is handled and hacked, this development is not so refreshing. Using an “online attack” model, a developer was able to hack into his own account, and then later log-in as a customer with no lock-outs.
The issue is the authentication that Virgin Mobile USA uses. First, Virgin requires that you use your phone number as your username. Second, your password must be a 6-digit number, which means there are only one million possible combinations.
Kevin Burke is the developer who was able to force his way into his own account by writing a simple script, and have it hammer away at the Virgin Mobile site. He was successful in just a few hours.
Customers that log in are able to view call and SMS log data, change ESNs, purchase equipment, change personal data and PINs. Due to the nature of the passwords involved, there is no surefire way to protect against these kinds of forced entry attacks.
To keep it in perspective though, because the attack must happen online, it is comparatively time consuming and therefore may not be a priority exercise for the “money-hungry” hacker. However, it is certainly not a pleasant possibility if the attacker has a more personal motivation. Sprint owns Virgin Mobile USA and stated that it is conducting audits to see if everything is working as designed, and later indicated to Burke that appropriate people have been notified with no further action expected.
Even if everything is working though, it seems pretty antiquated to have such a predictable log-in design and low-tech 6-digit PIN for password protection.
sources: Ars Technica, Kevin Burke via The Verge