Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open

Update: Virgin fixed the issue Tuesday night after taking their login page down for four hours. Please see my update at the bottom of this post.

The first sentence of Virgin Mobile USA’s privacy policy announces that “We [Virgin] are strongly committed to protecting the privacy of our customers and visitors to our websites at www.virginmobileusa.com.” Imagine my surprise to find that pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number.

I reported the issue to Virgin Mobile USA a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly.

The vulnerability

Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means that there are only one million possible passwords you can choose.

Screenshot of Virgin Mobile login screen

This is horribly insecure. Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits - the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day. I verified this by writing a script to “brute force” the PIN number of my own account.

The scope

Once an attacker has your PIN, they can take the following actions on your behalf:

  • Read your call and SMS logs, to see who’s been calling you and who you’ve been calling

  • Change the handset associated with an account, and start receiving calls/SMS that are meant for you. They don’t even need to know what phone you’re using now. Possible scenarios: $5/minute long distance calls to Bulgaria, texts to or from lovers or rivals, “Mom I lost my wallet on the bus, can you wire me some money?”

  • Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card

  • Change your PIN to lock you out of your account

  • Change the email address associated with your account (which only texts your current phone, instead of sending an email to the old address)

  • Change your mailing address

  • Make your life a living hell

How to protect yourself

There is currently no way to protect yourself from this attack. Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN. If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.

What Virgin should do to fix the issue

There are a number of steps Virgin could take to resolve the immediate, gaping security issue. Here are a few:

  • Allow people to set more complex passwords, involving letters, digits, and symbols.

  • Freezing your account after 5 failed password attempts, and requiring you to identify more personal information before unfreezing the account.

  • Requiring both your PIN, and access to your handset, to log in. This is known as two-step verification.

In addition, there are a number of best practices Virgin should implement to protect against bad behavior, even if someone knows your PIN:

  • Provide the same error message when someone tries to authenticate with an invalid phone number, as when they try to authenticate with a good phone number but an invalid PIN. Based on the response to the login, I can determine whether your number is a Virgin number or not, making it easy to find targets for this attack.

  • Any time an email or mailing address is changed, send a mail to the old address informing them of the change, with a message like “If you did not request this change, contact our help team.”

  • Require a user to enter their current ESN, or provide information in addition to their password, before changing the handset associated with an account.

  • Add a page to their website explaining their policy for responsible security disclosure, along with a contact email address for security issues.

History of my communication with Virgin Mobile

I tried to reach out to Virgin and tell them about the issue before disclosing it publicly. Here is a history of my correspondence with them.

  • August 15 – Reach out on Twitter to ask if there is any other way to secure my account. The customer rep does not fully understand the problem.

  • August 16 – Brute force access to my own account, validating the attack vector.

  • August 15-17 – Reach out to various customer support representatives, asking if there is any way to secure accounts besides the 6-digit PIN. Mostly confused support reps tell me there is no other way to secure my account. I am asked to always include my phone number and PIN in replies to Virgin.

    Email screenshot of Virgin asking me to include my PIN

  • August 17 – Support rep Vanessa H escalates the issue to headquarters after I explain I’ve found a large vulnerability in Virgin’s online account security. Steven from Sprint Executive and Regulatory Services gives me his phone number and asks me to call.

  • August 17 – I call Steven and explain the issue, who can see the problem and promises to forward the issue on to the right team, but will not promise any more than that. I ask to be kept in the loop as Virgin makes progress investigating the issue. In a followup email I provide a list of actions Virgin could take to mitigate the issue, mirroring the list above.

  • August 24 – Follow up with Steven, asking if any progress has been made. No response.

  • August 30 – Email Steven again. Steven writes that my feedback “has been shared with the appropriate managerial staff” and “the matter is being looked into”.

  • September 4 – I email Steven again explaining that this response is unacceptable, considering this attack may be in use already in the wild. I tell him I am going to disclose the issue publicly and receive no response.

  • September 13 – I follow up with Steven again, informing him that I am going to publish details of the attack in 24 hours, unless I have more concrete information about Virgin’s plans to resolve the issue in a timely fashion.

  • September 14 – Steven calls back to tell me to expect no further action on Virgin Mobile’s end. Time to go public.

Update, Monday night

  • Sprint PR has been emailing reporters telling them that Sprint/Virgin have fixed the issue by locking people out after 4 failed attempts. However, the fix relies on cookies in the user’s browser. This is like Virgin asking me to tell them how many times I’ve failed to log in before, and using that information to lock me out. They are still vulnerable to an attack from anyone who does not use the same cookies with each request. (ed: This issue has been fixed as of Tuesday night)

  • News coverage:

  • This vulnerability only affects Virgin USA, to my knowledge; their other international organizations appear to only share the brand name, not the same code base.

Update, Tuesday night

Virgin’s login page was down for four hours from around 5:30 PDT to 9:30 PDT. I tried my brute force script again after the page came back up. Where before I was getting 200 OK’s with every request, now about 25% of the authentication requests return 503 Service Unavailable, and 25% return 404 Not Found.

Wednesday morning

Virgin took down their login page for 4 hours Tuesday night to deploy new code. Now, after about 20 incorrect logins from one IP address, every further request to their servers returns 404 Not Found. This fixes the main vulnerability I disclosed Monday.

I just got off the phone with Sprint PR representatives. They apologized and blamed a breakdown in the escalation process. I made the case that this is why they need a dedicated page for reporting security and privacy issues, and an email address where security researchers can report problems like this, and know that they will be heard.

I gave the example of Google, who says “customer service doesn’t scale” for many products, but will respond to any security issue sent to security@google.com in a timely fashion, and in many cases award cash bounties to people who find issues. Sprint said they’d look into adding a page to their site.

Even though they’ve fixed the brute force issue, I raised issues with PIN based authentication. No matter how many automated fraud checks they have in place, PIN’s for passwords are a bad idea because:

  • people can’t use their usual password, so they might try something more obvious like their birthday, to remember it.

  • Virgin’s customer service teams ask for it in emails and over the phone, so if an attacker gains access to someone’s email, or is within earshot of someone on a call to customer service, they have the PIN right there.

  • If I get access to your PIN through any means, I can do all of the stuff mentioned above – change your handset, read your call logs, etc. That’s not good and it’s why even though Google etc. allow super complex passwords, they allow users to back it up with another form of verification.

I also said that they should clarify their policy around indemnification. I never actually brute forced an account where I didn’t know the pin, or issue more than one request per second to Virgin’s servers, because I was worried about being arrested or sued for DOSing their website. Fortunately I could prove this particular flaw was a problem by dealing only with my own account. But what if I found an attack where I could change a number in a URL, and access someone else’s account? By definition, to prove the bug exists I’d have to break their terms of service, and there’s no way to know how they would respond.

They said they valued my feedback but couldn’t commit to anything, or tell me about whether they can fix this in the future. At least they listened and will maybe fix it, which is about as good as you can hope for.

75 thoughts on “Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open

  1. Ryan

    This is just unbelievable. I also noticed that it says the PIN cannot contain 3 identical/sequential numbers. In what way does this make the password stronger? All that does is reduce the keyspace even further!

    Reply
    1. Neil Smithline

      This is a trade-off between reducing the total number of passwords and allowing passwords that are “111111″ or such.

      Considering the number of recent articles discussing the poor quality of users’ passwords, I would imagine that they have probably made the correct decision.

      Reply
      1. Santosh

        Not allowing easy to guess combinations are defenses against dictionary attacks, used when the space to brute force over is too large. They make brute-forcing easier, and here the space is ridiculously small. It looks like a case of someone misunderstanding what those restrictions are used for.

        Reply
  2. Adam

    Sadly, they have a recommendation for the 6 digit code – the user’s date of birth (mmddyy). If it’s someone you even know on a casual basis, you can likely get in without even brute forcing the PIN.

    Reply
  3. ObligatoryResponse

    It seems they may have rate limited it.

    Trying my account 5 or 6 times incorrectly resulted in “This isn’t working. Why don’t you try your security question instead.” My pin still works via phone if I call, but doesn’t seem to let me log into the website, even though I’m now typing it correctly.

    Reply
    1. kevin Post author

      Hi, if you aren’t frozen out of your account, then no they’re not rate limiting it. I just tried 100 failed logins with a Python script, then logged in using Chrome without any problems.

      Reply
      1. ObligatoryResponse

        Well, I was locked out of my account, just not if I called the 800 number. So I guess I assumed I was locked out of the web interface entirely. I don’t think they have to completely lock users out of their accounts, but they should certainly put in a large (5 or 10 minute delay) on web access.

        But someone pointed out I merely had to clear my cookies. So… yeah; not a proper lock.

        Reply
  4. Pingback: Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked

    1. kevin Post author

      Well, somewhere between one and a million. I’d tell you but then you might be able to guess my PIN :)

      I limited the requests to one per second, to make sure I wasn’t overloading their servers.

      Reply
      1. Wojtek

        With 1 req/s it’s some 10 days to go through whole password spectrum. They might as well replace it with a checkbox labelled “I’m really person X. Trust me.”

        Reply
  5. Charles

    Virgin Mobile ex staff from Australia here but I do know the current Virgin systems in Australia do have a similar setup where you are required to have the mobile number and PIN but after 3 failed attempts the user is locked out and requires a call to customer service to resolve

    Reply
    1. kevin Post author

      Not as far as I can tell. I tried thousands of HTTP requests per hour, all using the same username, without any issues

      Reply
  6. Pingback: Virgin Mobile User Account Security Flaw « A Game Coder

  7. Gary

    I’m curious if you’ve had a look at the security at http://www.virgin.com? I gave up on that site due to a huge cluster fuck of bugs a year ago. I wouldn’t be surprised if they used the same company to build it. I wish there were laws to prevent companies for this kind of negligence.

    Reply
    1. Neil Smithline

      There are many laws regarding this. Laws related to negligence and identity theft come to mind immediately.

      If you can prove that Virgin’s negligence allowed confidential medical or financial information to leak then HIPPA and SOX may become relevant.

      Reply
    1. kevin Post author

      Depends on whether they lock you out after incorrect login attempts. Even so, 5 out of 10000 chance of guessing someone’s PIN is not good, also not great that anyone can lock you out, for fun.

      Reply
      1. JeeBee

        This gross negligence would be hilarious if it wasn’t so sad and risky for the inevitable victims.

        There should be laws about the minimum security a website should implement for consumer accounts, especially ones with personal information and credit cards on file. Four digit pins, infinite retries, etc, just shouldn’t be allowed.

        I actually thought that credit card companies made requirements against merchants for data security…

        Reply
        1. Neil Smithline

          They do. PCI-DSS is the credit card industry’s standard. While it doesn’t seem that Virgin is leaking credit card numbers, if an attacker can make purchases on someone else’s credit card then PCI-DSS comes into play.

          In either case, Virgin will likely end up eating any purchases made on a hijacked account.

          Reply
  8. JadedEvan

    As a new Virgin Mobile customer, privacy and security advocate I find this extremely disturbing. Thanks for going public with this and showing how easily this exploit can be achieved.

    Is there anything I can do to help put the heat on Virgin to get them to fix this flaw? I’d like to help put the pressure on and get the word out.

    Reply
  9. Pat Hyatt

    “August 15 – Reach out on Twitter to ask if there is any other way to secure my account. The customer rep does not fully understand the problem.”

    Not surprised, I’ve given up on calling when I have an issue solely due to the fact that 98% of the time their customer service does not understand what I am talking about.

    Good post and one I can back. Their PIN requirements are the prequel to financial firms that have a 14 character password requirements.

    Reply
  10. William L. Dye

    Thanks for taking the time to pursue this matter. My guess is that the vulnerabilities simply haven’t been enough of a problem so far for VM to bother closing them. Many years ago I briefly had a job trying to get the major credit card companies to buy into a proposed smart-card system. The system would effectively use a new card number with each transaction, so stealing credit card numbers wouldn’t be a problem anymore. Their response was that even if a smart card cost only a few cents more, it wouldn’t be worth it. They lose very little money to stolen credit card numbers, so they were unwilling to spend much money on a hypothetical threat.

    If that sounds stupid, remember that this was many years ago. Stolen credit card numbers have become an increasing problem, but even today the average cost of stolen numbers per card is still pretty small. In other words, when they bet that an extremely vulnerable system simply wouldn’t be broken into very often, their bet paid off.

    To be clear, I’m NOT saying that Virgin Mobile made the right choice. I’m only passing along a story about big companies that have knowingly left the back door wide open for years at a time, and profited as a result. One of my objections to the practice is that while the average costs of break-ins might be small to the company, the cost to the individual can be devastating. I do hope that VM gives people at least the option of putting their phone under tighter security.

    Reply
  11. Pete

    Rate limiting or freezing accounts won’t be enough.
    a) “please include my phone number and PIN in replies to Virgin” – they request people to send both ‘username’ and ‘password’ to be sent in a plain e-mail, so there’s a clear vulnerability in exploiting anyones account by intercepting the email data;
    b) If you want financial gain instead of a specific account – then you can just pick a single PIN and try a million phone numbers from a botnet, then use them to funnel cash by calling overseas premium numbers owned by you, or by ordering new cellphones to sell on ebay. Account locking won’t help there – they either need secure passwords instead of small PIN’s, or make any “financial impact” transactions unavailable through that channel.

    Reply
  12. Moveitmobile

    I directed a tweet at Richard Branson and I am keen to see if his hands on approach will extend itself to addressing this issue. It is simply astonishing that they can have such a lackadaisical attitude to something so very critical to a modern day mobile lifestyle.

    Reply
  13. James Cohen

    Adding a CAPTCHA or similar to ensure that the user is a real user and not an automated script would be a good additional step for Virgin Mobile to apply. It’s a nice step to introduce at an earlier stage before an account lockout.

    Reply
  14. ImThatGuy

    Well you have a fairly high ranking official’s phone number, who I can only assume would be on Virgin. Do your thing, and then inform them that you have access to this guy’s account, and then something will probably be done.

    Reply
  15. Pingback: Developer highlights weaknesses in Virgin Mobile account security, 6m customers at risk | t1u

  16. Paul A

    Hi,

    Thanks for this very interesting post.

    Just so you know, I just tried on the french Virgin Mobile system, and they locked the account after 10 incorrect attempts.

    Reply
    1. Neil Smithline

      This information makes Virgin look worse. There should be corporate standards. One commenter mentioned 5 bad attempts before a lockout in Australia, you say 10 in France, apparently more than 1,000,000 in the US (likely infinite).

      This speaks very poorly of Virgin.

      Reply
  17. Jamie

    Whilst brute forcing all possible combinations will work you could make optimisations based on the above comments such as;
    - Start with possible birth days (mmddyy) 1-12, 1-31, 00-99 is about ~37k possible combinations
    - Do the same but reorder month and day (not sure how likely non-US users are)
    - Ignore anything with 3 consecutive digits

    Reply
  18. Pingback: Security Vulnerability Found On Website Of Virgin Mobile USA | TheTechJournal

  19. Robert

    I am a virgin mobile user and this has always rubbed me the wrong way. I am going to place a write up on my site as well to help push the word publicly. Although it sounds like they could care less of the public exposure concerning this issue, but it can only help put more heat on them whether they care or not. I’m hoping eventually they may take action! Thanks for the article of awareness.

    Reply
  20. Pingback: Virgin Mobile is indifferent to its gaping security holes, says developer | VentureBeat

  21. Mark D. Adams

    I can’t agree with freezing someone’s account after 5 (or any number) of failed login attempts. Or you’re just turning an authentication problem into a DoS problem. Additionally, I think you mean “two-factor authentication”, which is a security mechanism, not “two-step”, which is a dance.

    Anyway, I hope you didn’t violate their terms and lose your phone, but otherwise, good job.

    Reply
    1. kevin Post author

      I agree. It also allows anyone to freeze you out of your account by DOSing the login page. However, it does 90% of the job, and is much easier to implement than longer PIN’s. Given the time constraints it’s probably the best solution for now.

      I only call it two-step verification because that’s the term Google uses.

      Reply
    2. Neil Smithline

      I can’t think of an authentication system I’ve seen that does not eventually resort to lockout. And, while I can’t say that user lockout is a good thing, I do think that “user lockout” is better than “attacker break-in”.

      Out of accessibility, confidentiality, and integrity, typically losing accessibility is considered the least damaging. The current system loses both confidentiality (privacy of messages, personal information) and integrity (changing account details, ringing up equipment charges).

      I think lockout is the better way to go.

      Neil

      Reply
  22. ABS

    Well, one way to make sure you get their attention is to brute force the number of someone working at Virgin, on a position high enough to take this kind of decision.
    Then either send them the info: hey, look, John’s account is xxxx and his password is yyyy, or just mess up his account.
    Then they’ll give this issue high priority :)

    Reply
  23. Pingback: Virgin Mobile user accounts are easily hacked, developer claims | Security & Privacy - CNET News

  24. Pingback: Virgin Mobile accounts are vulnerable to hack

  25. Cooper

    I’ve had my Virgin account hacked 3 times in the last 2 years. My account was drained once, and a phone bought with funds twice. There’s still an address in another state where the phone was shipped FedEx in my Purchase History!

    Virgin got everything straight but it was a hassle trying to convince them I owned the account when all my information had been changed each time. Since no other account of mine had been hacked I thought it was some sort of inside job social engineering. Turns out it might have been easier than that.

    Your conversation sounds familiar. Only after I got escalated to the Fraud Alerts department did anything get resolved. The people in the regular support department were useless.

    Reply
  26. Mike R.

    Only slightly less insecure than that, is how account verification is handled via phone by Wind Mobile here in Canada.

    You are required to say your PIN out loud. That’s ridiculous as it is, but to make matters worse, it’s a 4 digit pin.
    [a] that ain’t exactly ideal entropy wise but, more importantly,
    [b] it’s highly likely that people use that same 4-digit PIN as their banking 4-digit PIN.

    Why they’d have you state that out loud is beyond my comprehension.

    Reply
  27. TerribleSpy

    The customer web site is currently down for maintenance or overloaded. Guess this page did it’s job. I’ll post this as a support question as soon as it comes back on line. If enough people overload their CS people, maybe they’ll get a clue and fix it.

    Reply
  28. Joe

    I’ve been a VM subscriber for since, very nearly, the outset (back when their phones were total garbage, but the price was right) and I have to say, my VKey has always been 8 characters long.

    Are we sure this isn’t simply a case of poor wording on their part? Instead of the six character limit they have expressed, perhaps they meant to convey a six character minimum.

    I’d hate to think I’d have to settle for a less secure VKey if ever I sought to change it.

    Reply
    1. kevin Post author

      Yes. I signed up for an account recently, tried to set a longer password, and their password setting function does not let you do so.

      Reply
    2. Daniel

      Yeah, I also have a longer PIN. I guess they lowered the limit to six characters at some point in the past but didn’t force all of us who had longer ones from back in the day to change (I’ve been with them for about 8 years I believe). I’m assuming they reduced the requirement expressly so that people can use their birthday because it’s easier to remember…. :(

      Reply
  29. Pingback: Virgin Mobile Uses “Draconian” Password System Primed for Hackers | SiliconANGLE

  30. TTFK

    I have always had a password longer than 6 characters with Virgin Mobile. I just changed it as well, and had no problems making a longer one.

    Reply
  31. JK

    As bad as the security is on the Virgin Mobile site (and it certainly is pretty bad), the United Airlines site has even worse security by allowing for access with a 4 digit PIN. When I requested that such access be turned off at least for my account, I was informed that such access could not be disabled and essentially told not to worry about it. It really is hard to believe that any entity, let alone a large corporate entity, would have such poor account security these days, especially when the accounts have credit card into and TSA-related personal info.

    Reply
  32. michael vilain

    I emailed the URL for this article and the CS person essentially said it was totally bogus. So Virgin is ignoring the problem rather than addressing it. I guess it will take a major incident and maybe a judge to make them fix things. Sigh.

    Reply
    1. kevin Post author

      Hi, They rolled out a fix to block more than ~20 requests from one IP address. See the update on the bottom of my post.

      Reply
  33. Mason

    Thanks for the writeup! As soon as I read this I started work on a script that automatically changes my account PIN to a random number every few minutes. I finally put the finishing touches on it: https://bitbucket.org/MasonM/vmpr/

    I’m going to have to disagree with you that the problem has been fixed. I think Virgin Mobile needs to do the following for this to be considered fixed:
    * Allow complex passwords. While the IP address ban system they have in place is a good idea, anyone with access to a few hundred IPs has a good shot at guessing the PIN via a dictionary attack along the lines of http://www.lightbluetouchpaper.org/2012/02/20/how-hard-are-pins-to-guess/
    * Stop requiring customers to supply the PIN in all support correspondence. Use other means of verifying identity.
    * Hash the password/pin. I know they don’t currently because their “Forgot Password” page sends you the plain-text PIN.

    Reply
    1. kevin Post author

      Hashing wouldn’t work against a brute force attack though, right? And it’s unlikely you’re reusing the PIN for another service.

      I agree there are still plenty of security problems with their service.

      Reply
      1. Mason

        A properly-chosen hash algorithm would protect customers in the event their database is compromised (e.g. via SQL injection), and judging by their attitude towards security, that’s not a far-fetched scenario. If Virgin Mobile’s account database were to show up on pastebin tomorrow, every account could (and probably would) be easily hijacked. If the PINs are hashed, however, it’d be much harder. Since the PINs are only 6 digits, Virgin Mobile would have to choose a really slow hashing algorithm, since otherwise the hashes could be easily reversed via brute force. Something like scrypt would work.

        Reply
  34. Pingback: Security News #0×21: IE 0-day Fallout; Passwords « CyberOperations

  35. Pingback: 6 Million Virgin Mobile users vulnerable to Hackers

  36. Robert Austin

    You seemed to have gotten a lot farther along in the process with VM than I got with Blackberry when I found out my wife and my phone’s were both hacked and were used to send out spam messages (I use GMail, which helped me deduce when/where it happened, and my wife uses Yahoo mail). I used GMails log file where it saves the IP of the device you use to log-in to their service, and using the date/time of the spam messages, I determined the IP used to log-in during that time was my Blackberry phone, and from that I determined we were at the local Wal-Mart store (the fact it was Wal-Mart has nothing really to do with it, but I was able to determine where we were, and that part of the city where we lived was kind of shady). This same thing (sending spam from our Blackberry phones using our registered email accounts) happened on multiple occasions, and in each occasion, it happened at the same place – Wal-Mart, in the city we lived in at the time. When I called T-Mobile support, and they forwarded me to Blackberry support, they completely denied the allegation I was making and was 100% completely unwilling to listen, despite having told them several times that I am an IT professional with over 10 years experience in the industry, including supporting a Microsoft Exchange Email server, and having worked for T-Mobile Tier 3 data tech support, Blackberry preferred (and probably still does) to bury their head in the sand and pretend that their email system on their devices are 100% secure and rather than fix a potential problem for others, believe in a lie.
    For that reason – and the fact that my wife and I EACH went through 6 (yes, that’s right SIX phones EACH) devices because they kept crashing and had to be sent in for replacement … I will never again use a Blackberry! (we had the Blackberry Curve, and after going through 3 of the original Curve that we owned, they “upgraded” our phones to the next generation Curve, and then they too went dead THREE TIMES!)

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>