Tags: 8-letter, AT&T, Attacks, combinations, customer, Defense, hack, Hijacking, Kevin Burke, password, password security, passwords, PIN, program, Sprint, T-Mobile, usernames, verizon, Virgin Mobile.
Posted 09/20/2012 at 9:53 AM
If you have been keeping a close eye on mobile tech news this week, you will have probably heard about Virgin Mobile being taken to task over their handling of customer usernames and passwords.
Software developer Kevin Burke wrote a post on his personal blog describing Virgin's password system as "horribly insecure": customers were only allowed to use their phone number as the username and a six-digit number as the password. Phone numbers are effectively public, and a six-digit PIN has only one million possible values, so anyone with a basic brute-force guessing tool could recover a Virgin customer's PIN and take over the account.
“Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits — the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day,” said Burke in his blog post after he managed to break into his own account.
To add to the shambolic password security, Burke also found that the usual defence of freezing an account after several failed login attempts could be bypassed simply by clearing the browser's cookies, meaning the failed-attempt counter was tied to the client's session rather than to the account being attacked.
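The two flaws above, a tiny PIN keyspace and a lockout counter that a fresh session can reset, can be shown side by side. The following is an added example, not code from Burke's post or from any carrier system; the PIN alphabet sizes, the attempt limit and the stub lockout stores are assumptions chosen for illustration, and the hardened form keys the counter on the account server-side.

```python
"""Keyspace comparison and session-keyed vs account-keyed lockout (added example)."""
import time

MAX_ATTEMPTS = 5            # assumed policy: lock after five wrong PINs
LOCKOUT_SECONDS = 15 * 60   # assumed policy: failures expire after 15 minutes


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct credentials of fixed length over an alphabet."""
    return alphabet_size ** length


class SessionKeyedLockout:
    """Flawed design: failures are counted per browser session (cookie),
    so a new session, e.g. after clearing cookies, starts from zero."""
    def __init__(self):
        self.attempts = {}  # session_id -> failed count

    def allowed(self, session_id: str, account: str) -> bool:
        return self.attempts.get(session_id, 0) < MAX_ATTEMPTS

    def record_failure(self, session_id: str, account: str) -> None:
        self.attempts[session_id] = self.attempts.get(session_id, 0) + 1


class AccountKeyedLockout:
    """Hardened design: failures are counted server-side per account and
    expire after a window, so nothing the client controls resets them."""
    def __init__(self, now=time.monotonic):
        self.now = now
        self.failures = {}  # account -> list of failure timestamps

    def allowed(self, session_id: str, account: str) -> bool:
        cutoff = self.now() - LOCKOUT_SECONDS
        recent = [t for t in self.failures.get(account, []) if t > cutoff]
        self.failures[account] = recent
        return len(recent) < MAX_ATTEMPTS

    def record_failure(self, session_id: str, account: str) -> None:
        self.failures.setdefault(account, []).append(self.now())


def lockout_test(lockout, account: str, tries: int, new_session_every: int) -> int:
    """Feed `tries` wrong PINs against a stub account, starting a fresh session
    every `new_session_every` attempts. Returns how many guesses the lockout
    let through; a sound design caps this at MAX_ATTEMPTS."""
    checked = 0
    for i in range(tries):
        session = f"sess-{i // new_session_every}"  # constructed session id
        if lockout.allowed(session, account):
            lockout.record_failure(session, account)
            checked += 1
    return checked
```

With the numbers from Burke's post, `keyspace(10, 6)` is one million against `keyspace(62, 8)` for an eight-character mixed-case alphanumeric password, and the session-keyed store lets every guess through as long as the session is rotated, while the account-keyed store stops after MAX_ATTEMPTS regardless of session.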
Burke has said that he only decided to publish his findings after Sprint failed to fix the problem once he had notified them of the flaw. The story has since spread across the web and turned into a PR disaster for both Sprint and Virgin Mobile. Once the blog post was picked up and republished by various tech news sites, Sprint was forced to react. In an article published by Computerworld, Sprint denied that Virgin Mobile subscribers were at risk of account hijacking, saying that numerous safeguards protect accounts.
“It’s important to note that there are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing. While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place,” Sprint spokeswoman Stephanie Vinge Walsh said in email comments published in the Computerworld article.
She also goes on to say, “We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts.”
Regardless of whether any accounts have actually been hijacked, the fact that Kevin Burke was able to do what he did is a blow to Sprint and Virgin Mobile and will worry current customers and anyone choosing a new carrier. One thing is certain: Verizon, AT&T and T-Mobile are all likely to be pretty smug about the news right now.