Virgin Mobile customers beware: Your phone number is the key to your personal information. Independent developer Kevin Burke, who warned Virgin Mobile USA customers about a glaring security hole in the phone company's account login protocol, said, "If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you."
Virgin Mobile USA users manage their account by logging in through an online portal, which requires a mobile number and a 6-digit PIN. Once inside, customers can check their call records, change the handset associated with their number, and update their personal details.
In a blog post on Monday, Kevin Burke detailed how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse.
"It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day," Burke said in a blog post. "I verified this by writing a script to 'brute force' the PIN number of my own account." For comparison, an 8-letter password with uppercase letters, lowercase letters, and digits has 218,340,105,584,896 possible combinations, Burke said.
Burke said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concern was dismissed. That's when he decided to expose the flaw to the public.
"We greatly appreciate Mr. Burke's outreach to the company and are reaching out to him as well," she said. "His inquiry did enable us to even further secure our customers' accounts."
Virgin Mobile USA's Manage My Account portal is down as of Wednesday, September 19, 3:34 p.m. AEST (Tuesday, September 18, 11:34 p.m. PT). Virgin Mobile Australia also uses a 6-digit PIN system for customers to access their account online. The company stressed that while both companies operate under the Virgin brand, Virgin Mobile Australia is a completely separate entity to Virgin Mobile USA. Virgin Mobile Australia claimed that its customers are not affected by the security flaw in question.