Virgin Mobile customers vulnerable to possible exploit

According to Virgin Mobile customer and independent software developer Kevin Burke, subscribers to Sprint's subsidiary Virgin Mobile are at risk of having their accounts hijacked because the service relies on easily guessed passcodes.

To log in to his account on the Virgin Mobile website, a user must enter his phone number along with a six-digit passcode. According to Burke, the six-digit passcode means that for every account, there are only 1,000,000 different passcodes which could belong to it.

Of course, to most people, 'vulnerable' isn't the first word that they would associate with such odds. However, the number of possibilities for a simple 8-character password, which could include uppercase/lowercase letters and numbers, skyrockets to 218,340,105,584,896.

So, Burke says, it’s actually very easy to guess anybody's passcode on the Virgin Mobile network by using a computer program that randomly guesses until it hits on the right combination. This method, known as "brute forcing", is a common way that hackers try to figure out passwords.

"It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day," wrote Burke in a blog post. "I verified this by writing a script to 'brute force' the PIN number of my own account."
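The following added example (not from Burke's post or from Virgin Mobile) shows the server-side control that changes this arithmetic: a per-account failed-attempt limiter, with the resulting chance of guessing a six-digit passcode. The `LoginThrottle` class, its thresholds, the sample phone number and the 12-requests-per-second rate are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

KEYSPACE = 10 ** 6  # six decimal digits, as stated in the article

def days_to_exhaust(guesses_per_second: float, keyspace: int = KEYSPACE) -> float:
    """Worst-case days to try every passcode when nothing limits attempts."""
    return keyspace / guesses_per_second / 86_400

def guess_probability(attempts: int, keyspace: int = KEYSPACE) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random passcode."""
    return min(attempts, keyspace) / keyspace

@dataclass
class LoginThrottle:
    """Hypothetical limiter: lock an account for lock_seconds after
    max_failures failed logins inside window_seconds."""
    max_failures: int = 5
    window_seconds: int = 900
    lock_seconds: int = 3600
    _failures: dict = field(default_factory=dict)      # account -> failure times
    _locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def allowed(self, account: str, now: float) -> bool:
        return now >= self._locked_until.get(account, 0.0)

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._failures.pop(account, None)  # a good login clears the counter
            return
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            self._failures[account] = []

def evaluated_guesses(throttle: LoginThrottle, seconds: int = 86_400,
                      account: str = "5555550100") -> int:
    """Count the wrong guesses the server evaluates when a client retries
    once per second against one (constructed) account for `seconds`."""
    count = 0
    for now in range(seconds):
        if throttle.allowed(account, now):
            throttle.record(account, success=False, now=now)
            count += 1
    return count

if __name__ == "__main__":
    per_day = evaluated_guesses(LoginThrottle())
    print(f"unthrottled at 12 req/s: {days_to_exhaust(12):.2f} days for all codes")
    print(f"throttled: {per_day} guesses/day, P(hit) = {guess_probability(per_day):.5f}")
```

Per-account lockout on its own lets anyone who knows a phone number lock its owner out, so it is normally paired with per-source rate limits and alerting on repeated lockouts.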

A hacker gaining access to your account could, in the opinion of Burke, do quite a bit of damage. Once in, they could change personal information related to the user, including what phone the number is related to. Additionally, they could view any call and text history, and even buy a new handset on the customer’s account.

"Changing your PIN doesn't work, because the new one would be just as guessable as your current PIN," said Burke. "If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you."

In the opinion of this writer, Burke is going a little over the top. While it may be a simple task for him to brute force a Virgin Mobile account, not everybody is skilled enough to write the right kinds of scripts to implement the attack. Therefore, “anyone who doesn’t like you” isn’t a likely candidate for the number of people who could end up pulling this off.

But his concern is understandable, and a Sprint spokeswoman writing in regard to the new concerns about security said to PCMag, “It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing.”

She went on to add, “We greatly appreciate Mr. Burke's outreach to the company and are reaching out to him as well. His inquiry did enable us to even further secure our customers' accounts.”

Source: PCMag