Virgin Mobile U.S. promises its customers that it uses “standard industry practices” to protect its customers’ personal data – but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber’s account, see who they call and text, register a different phone on the account and even purchase a new iPhone.
That’s according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.
Virgin Mobile U.S. account security uses a customer’s phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password — which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.
Once an unauthorized user is in, they can read a customer’s communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without notification to the previous address.
Burke, who works as a developer at Twilio, says he’s used to looking at security issues thanks to his day job, and noticed how weak the authentication system was. Once he proved to himself that anyone could bust in with a few lines of code, he contacted the company.
“I tried to escalate it following responsible disclosure principles,” Burke said. After eventually finding someone who understood the problem, Burke repeatedly followed up, only to eventually be told not to expect any change.
He then decided to go public so that people would know they were at risk — though there’s nothing users can do to protect themselves, except not use Virgin Mobile.
In a response to a tweet from Burke on Monday, Virgin Mobile U.S. directed Burke to a section of their Terms of Service agreement.
@ekrubnivek Hello, please go to bit.ly/OAubLE and review the Authentication and Contact policy. We only have two ways of protection.
— VirginMobileUSA Care (@VMUcare) September 17, 2012
That document says, in part: “You further agree that Virgin Mobile may, in our sole discretion, treat any person who presents your credentials that we deem sufficient for account access as you or an authorized user on the account for disclosure of information or changes in Service.”
UPDATE 8:27 PM PST: Sprint spokeswoman Stephanie Vinge responded to Wired’s earlier inquiries, saying that “A lockout feature for multiple password attempts is part of Sprint’s standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.”
Virgin’s website says it protects users, but can’t be responsible in the case of hacks.
Virgin Mobile uses standard industry practices to safeguard the confidentiality of your personally identifiable information. Virgin Mobile treats data as an asset that must be protected against loss and unauthorized access. We employ many different security techniques to protect such data from unauthorized access by users inside and outside the company.
Unfortunately, perfect security does not exist on the Internet, and therefore, Virgin Mobile makes no representations or warranties with regard to the sufficiency of our security measures. Virgin Mobile shall not be responsible for any damages that result from a lapse in compliance with this Privacy Policy because of a security breach, technical malfunction or similar problem. Always be careful and responsible regarding your personal information.
The fixes, according to Burke, start with allowing more complex passwords and locking down accounts after a few failed attempts.
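To make the two problems concrete (a phone number as username plus a six-digit PIN gives only a million combinations, and without a lockout the whole space can be tried in a day), here is an added example of the kind of login handler Burke's fixes describe. It is illustrative code written for this article, not Virgin Mobile's, Sprint's or Burke's; the policy numbers (five failures, a 15-minute lock) and the hypothetical phone numbers are assumptions chosen for the example. It hashes PINs with a slow salted hash, compares in constant time, locks the account after repeated failures, and answers "locked" even to a correct PIN while locked so the lock itself cannot be used as an oracle. The `guesses_per_day` helper shows why the lockout matters: it caps an online attacker at a few hundred tries per account per day instead of the entire keyspace.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Policy values are assumptions chosen for this example, not the carrier's settings.
MAX_FAILED_ATTEMPTS = 5      # failures tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long a lock lasts
PBKDF2_ITERATIONS = 100_000  # work factor for the stored PIN hash


def pin_keyspace(digits: int) -> int:
    """Number of distinct PINs of the given length made only of decimal digits."""
    return 10 ** digits


def guesses_per_day(max_attempts: int, lockout_seconds: int) -> int:
    """Upper bound on online guesses against one account per day when every
    `max_attempts` failures trigger a `lockout_seconds` lock."""
    return (86_400 // lockout_seconds) * max_attempts


@dataclass
class Account:
    phone: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked account table does not expose PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class PinAuthenticator:
    """Phone-number + PIN login with per-account lockout after repeated failures."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[str, Account] = {}
        self._clock = clock  # injectable so lockout expiry can be exercised in tests

    def register(self, phone: str, pin: str) -> None:
        # Minimum length is enforced here; a real deployment should also allow
        # longer or alphanumeric secrets, as the article's proposed fix suggests.
        if not (pin.isdigit() and len(pin) >= 6):
            raise ValueError("PIN must be at least 6 digits")
        salt = secrets.token_bytes(16)
        self._accounts[phone] = Account(phone, salt, _hash_pin(pin, salt))

    def authenticate(self, phone: str, pin: str) -> str:
        """Return 'ok', 'locked' or 'denied'. A locked account answers 'locked'
        even for the correct PIN, so the lock cannot be used to confirm a guess."""
        account = self._accounts.get(phone)
        if account is None:
            return "denied"
        now = self._clock()
        if now < account.locked_until:
            return "locked"
        # Constant-time comparison of the freshly derived hash with the stored one.
        if hmac.compare_digest(_hash_pin(pin, account.salt), account.pin_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.failed_attempts = 0
            account.locked_until = now + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    # Constructed demo account; the phone number is a placeholder, not a real subscriber.
    auth = PinAuthenticator()
    auth.register("5550001111", "123456")
    print("keyspace for 6 digits:", pin_keyspace(6))
    print("guesses/day with lockout:", guesses_per_day(MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS))
    for attempt in ["000000", "111111", "222222", "333333", "444444", "123456"]:
        print(attempt, "->", auth.authenticate("5550001111", attempt))
```

With these settings the sixth call, the correct PIN, is answered "locked" because five failures preceded it; the lock also bounds an online guesser to 96 windows of five tries, 480 guesses per day, against a space of a million. Lockouts of this shape should be paired with monitoring for failures spread across many accounts, since a per-account counter alone does not see an attacker who rotates phone numbers.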
While Virgin Mobile may consider its insecure system to be “standard industry practice,” Twitter ended up signing a 20-year consent decree with federal regulators over its shoddy security practices. One key element in the FTC’s action? Twitter didn’t prevent rapid guessing of passwords.