Thursday, September 27, 2012

Virgin Mobile Flaw Fixed

If you or a friend/family member of yours uses Virgin Mobile, their personal information is at risk, but the good news is that the problem is fixed already.

When you are using a phone company, your actual phone number is one of the most valuable pieces of personal information. Trust me, you don't want your phone number out there. If you get telemarketers and other "idiots" calling you, then you never want to have your number out.

Virgin Mobile USA members can manage their account by using an online portal, which requires a phone number and a six-digit pin. With that information, they can access call records, manage phone numbers, and change personal info. I'm sure you can do more with the interface, but this is all of the details that I am getting.

Kevin Burke as the person who found the flaw, and the one who eventually released the flaw to the public after Virgin Mobile's failure to fix the issue while the flaw was not released, or not publicly known if someone was abusing the flaw in the past. You can see his exact posting here.

Basically, the system has no system of denying access after too many attempts, also known as an anti theft system or something along those likes. The attacker could try as many pins as possible, and the system will never deny access. Note, that all of this is fixed now, but for the mean time, let me tell you what was going on.
Image Credit: Keven Burke
Burke decided to test how insecure a 6 digit pin was, especially under these flaws, by writing a simple script that "brute forced" his account. Brute force is when you use a program or something similar to try to guess all possible password combinations. Usually these programs fail when trying high security systems, such as a shutoff of services to that user's IP address after so many failed attempts. In this case, after 20 failed login attempts, the user's IP address is flagged, and the page is reported as a not found page. I do not know how long the DoS lasts though.

The bottom line is that the issues are now fixed, and if you are interested in viewing the full article direct from the reporter, then click here. Let me know of your thoughts on this if you have any.