
Virgin mobile fails security 101, leaves 6 million accounts vulnerable

yes, big problem.

I change mine once in a while and have no reason to share it with anyone.

But I DO know of some times where a friend or family member had to see something, maybe if someone called someone else who they were not supposed to, or to get a number they lost when they reset a phone.

It's always been between people close enough to know their birthday, and the password in all cases HAS been the birthday.... that's also why I never put my real birthday online and don't tell anyone it either.

Anyways, yes, I have seen Virgin Mobile accounts gone into VERY easily. Scarily easily. And I think something needs to be done about it.
 
Upvote 0
This part is what really stood out to me

A 6-digit pin only results in around 1 million possible combinations, and the system does not freeze the account after a certain number of failed password attempts. Hackers can therefore easily use brute-force hacking methods to access a customer's account, as long as they know the mobile phone number.

IMO this makes the system very easy to hack since just about anyone with a bit of tech knowledge can do this
 
Upvote 0
Also being that Virgin Mobile defaults your pin as your birth day, there are way less than 1 million combinations for those right?

digit 1= 0 or 1 for the first number of the month
digit 2= 1-9 and 10 11 12 for the other half of the month (probably have this one wrong)
digit 3= 0-3 for the days in a month
digit 4= 0-9 second half of the days
digit 5= 0-9
digit 6=0-9

So that is 2x12x4x10x10x10=~ 96,000 or possibly less if I calculated wrong.
 
Upvote 0
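Added example (not part of any post in this thread): a count of how many 6-digit PINs are valid calendar dates, and what an attempt limit does to a guesser's odds against that reduced keyspace. It assumes the birthday default is stored as MMDDYY, which the thread does not state; the function names are illustrative.

```python
FULL_KEYSPACE = 10 ** 6  # every 6-digit PIN, 000000 through 999999

from datetime import date


def birthday_pins(first_year=1900, last_year=2099):
    """Return the distinct 6-digit strings that are valid MMDDYY dates.

    Assumption: the default PIN is the birthday written as MMDDYY.
    Two centuries are scanned because a 2-digit year is ambiguous.
    """
    pins = set()
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            for day in range(1, 32):
                try:
                    date(year, month, day)  # rejects Feb 30, Apr 31, ...
                except ValueError:
                    continue
                pins.add(f"{month:02d}{day:02d}{year % 100:02d}")
    return pins


def guess_success_probability(keyspace, attempts_allowed):
    """Chance of hitting a uniformly chosen PIN before a lockout triggers."""
    return min(attempts_allowed, keyspace) / keyspace


def expected_guesses(keyspace):
    """Average tries needed when there is no attempt limit at all."""
    return (keyspace + 1) / 2


if __name__ == "__main__":
    dates = len(birthday_pins())
    print(f"valid MMDDYY PINs: {dates} of {FULL_KEYSPACE}")
    print(f"average tries, no lockout, random PIN:   {expected_guesses(FULL_KEYSPACE):,.0f}")
    print(f"average tries, no lockout, birthday PIN: {expected_guesses(dates):,.0f}")
    for limit in (3, 5, 10):
        p = guess_success_probability(dates, limit)
        print(f"lockout after {limit:>2} tries: {p:.4%} chance against a birthday PIN")
```

A lockout caps the guesser's odds at attempts divided by keyspace, so both controls matter: the attempt limit and a PIN that is not drawn from the date-shaped subset.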
Also being that Virgin Mobile defaults your pin as your birth day, there are way less than 1 million combinations for those right?

digit 1= 0 or 1 for the first number of the month
digit 2= 1-9 and 10 11 12 for the other half of the month (probably have this one wrong)
digit 3= 0-3 for the days in a month
digit 4= 0-9 second half of the days
digit 5= 0-9
digit 6=0-9

So that is 2x12x4x10x10x10=~ 96,000 or possibly less if I calculated wrong.

Well if you're thinking in terms of Combinations and Permutations the max is literally 1,000,000 and the absolute minimum is 5,005 (assuming all you know is the phone number and not the 6 digit V-Key)

- It's been a while since I've had math class so I'm not entirely sure how accurate I am either :p

You can find an explanation of the formulas I used here: Combinations and Permutations
 
Upvote 0
I don't think that it's an attractive target for a random hacker, not much to be gained monetarily however a pissed off ex could definitely be problematic both knowing your phone number plus possibly able to make a very educated guess on what your pin might be. Just to stir up crap or possibly spy on your communications.
 
Upvote 0
I don't think that it's an attractive target for a random hacker, not much to be gained monetarily however a pissed off ex could definitely be problematic both knowing your phone number plus possibly able to make a very educated guess on what your pin might be. Just to stir up crap or possibly spy on your communications.

If someone finds out that your number is in virgin, they could brute force your pin, get a cheap optimus v, change the phone on your account and impersonate you through text and listen to your voicemail, and make calls.

This is a huge security threat and I'm not sure virgin would even do anything about it.
 
Upvote 0
If someone finds out that your number is in virgin, they could brute force your pin, get a cheap optimus v, change the phone on your account and impersonate you through text and listen to your voicemail, and make calls.

This is a huge security threat and I'm not sure virgin would even do anything about it.

That's true but as I posted previously for the majority of black hats I just don't see them getting involved because of the relatively slim pickings. I realize that when it's your/my account it makes it seem drastic but this vulnerability has existed for over 5 years including Sprint itself without any notice of it occurring in the wild let alone it being widespread. Again I really believe that we have more to worry about with this issue from an acquaintance seeking revenge rather than a bunch of script kiddies.
 
Upvote 0
If someone finds out that your number is in virgin...

I think that's a fairly important statement. How exactly would someone know you were a Virgin Mobile customer, and have your phone number? Unless they were a personal friend, or you were silly and posted this information somewhere on the Internet.

I'd have to agree with a previous post, unless the hacker was just interested in screwing with something, I'm struggling to see a serious risk here - it's basically security by obscurity, and the payoff for all that work is so poor.

I see things like Facebook, and the amount of personal information (about you) that they harbor and can use as they please at any point in the future as something that is far more dangerous than the situation mentioned in this post, yet folks turn a blind eye towards it.
 
Upvote 0
