6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

Posted by timothy
from the see-also-bank-of-france dept.
An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.
  • Doesn't surprise me. (Score:3, Informative)

    by lattyware (934246) <gareth@lattyware.co.uk> on Thursday September 20, 2012 @03:12PM (#41403241) Homepage Journal
    I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      It's even worse when financial institutions don't allow passwords that are more than x characters or can't have special characters.
      • by lattyware (934246) <gareth@lattyware.co.uk> on Thursday September 20, 2012 @03:27PM (#41403425) Homepage Journal
        The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.
        • The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

          Out with it then. Name and shame.

          • by lattyware (934246)
            Actually, I may have lied - Tesco or Asda (couldn't remember which) definitely used to do it, but just tested and Asda now resets your password to a temporary one which it emails to you, while Tesco sends you a reset link. Maybe it's a sign things are improving a little.
        • by Jeng (926980)

          emails you your password in plaintext if you say you forgot it.

          Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

          Also, what would be the best method?

          The company I work for isn't very tech literate and could probably use some pointers.

          • what are the alternatives to sending the password as text in an email?

            I am no expert in the field, but I would have thought that the password should be stored in salted and hashed form. Anyone compromising that database gets a list of encrypted passwords — it does not help them determine the characters which need to be entered into the system to gain access, unless the algorithm and salt are compromised too.

            Instead of sending the user a password, the user should be emailed a link to an online portal for creating a new password, which gets salted and hashed, and this

          • Password should never be stored as text. Hash only, so nobody can know what it is, only if it matches.
            If you forget, you answer secret questions and a one-time password is emailed to your registered email address.
          • Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

            First, the password should not be stored on their servers as plain text in the first place. Salted hashed should.

            Also, what would be the best method?

            The company I work for isn't very tech literate and could probably use some pointers.

            Back when I was developing something like this, the "best by consensus" thing was to send some kind of one time password. We generated these passwords like encrypt_with_company_current_private_key(USER_ID + TIMESTAMP + GIBBERISH). USER_ID allows you to identify the user, timestamp allows you to limit how long this thing can be used and GIBBERISH is just to add some noise (not sure it is helpful t

          • by lattyware (934246)

            The basic idea is knowing your user's password is bad. The reality is users use the same passwords in multiple places, and if your site is compromised in any way, you don't want to leak those passwords. Fortunately, we don't actually need to know the user's password - all we need to do is know if it's the same each time. This is where hashes come in - we store a hash (a one way function that gives us the same result each time for the same input, but doesn't tell you what the input was) of the password, and

          • by sjames (1099)

            The complaint isn't that they sent a password in email, the problem is that they send you your original password and to do that they must have it stored in plain text in the database.

            The correct way to do it is store passwords as a hash and if you forget it, they set a temporary password and email that to you (or a password reset link).
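          The scheme the replies above converge on (store only a salted hash; on "forgot password" send a single-use, expiring reset link rather than the password), written out as an added example that is not code from the thread or from any of the companies named; the in-memory dictionaries stand in for a database and the 15-minute token lifetime is an assumption:

          ```python
          import hashlib
          import hmac
          import os
          import secrets
          import time
          from typing import Optional

          # Constructed in-memory "database" for the example; a real site would use a persistent store.
          USERS = {}            # username -> {"salt": bytes, "hash": bytes}; the password itself is never kept
          RESET_TOKENS = {}     # sha256(token) -> {"user": str, "expires": float}; token itself is never kept
          TOKEN_TTL = 15 * 60   # assumption: a reset link is valid for 15 minutes


          def _hash_password(password: str, salt: bytes) -> bytes:
              # PBKDF2-HMAC-SHA256 with a per-user random salt and a deliberately slow iteration count.
              return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


          def register(username: str, password: str) -> None:
              salt = os.urandom(16)
              USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


          def verify_password(username: str, password: str) -> bool:
              rec = USERS.get(username)
              if rec is None:
                  return False
              # Constant-time comparison of the stored hash against the hash of what was typed.
              return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


          def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
              """Return a one-time token to put in the emailed reset link; only its hash is stored."""
              if username not in USERS:
                  return None  # the web layer should still answer identically to avoid user enumeration
              now = time.time() if now is None else now
              token = secrets.token_urlsafe(32)
              key = hashlib.sha256(token.encode()).hexdigest()
              RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL}
              return token


          def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
              """Consume the token from the link and set a new password; False if unknown or expired."""
              now = time.time() if now is None else now
              key = hashlib.sha256(token.encode()).hexdigest()
              entry = RESET_TOKENS.pop(key, None)  # single use: removed whether or not it is still valid
              if entry is None or now > entry["expires"]:
                  return False
              register(entry["user"], new_password)  # a fresh salt and hash replace the old record
              return True
          ```
          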

    • by firex726 (1188453)

      I wish I had that, my CC company has a max of 6 characters.
      I assume someone sent the design doc to the developer and mixed up MINIMUM and MAXIMUM.

    • I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

      You think that's sad? Go to their mobile phone account site [virginmobile.ca]. You know how you log in? Enter your phone number (public information), followed by a FOUR DIGIT PIN. Yes, I used bold, italic, and underlined for that. The ONLY thing standing between you and someone with your phone number being an asshole is, at most, 10,000 possible numbers. S

  • The Title (Score:2, Funny)

    by Anonymous Coward

    It's a shame we can't mod the title funny, innit?

  • Virgins? (Score:5, Funny)

    by bhagwad (1426855) on Thursday September 20, 2012 @03:19PM (#41403327) Homepage
    I read this as "Six million virgins vulnerable to brute force attack :D"
  • by InvisibleClergy (1430277) on Thursday September 20, 2012 @03:23PM (#41403371)

    I would have thought that Virgin would be less vulnerable to penetration.

  • by Spy Handler (822350) on Thursday September 20, 2012 @03:28PM (#41403439) Homepage Journal

    for failed login attempt checks. This can be bypassed simply by using a different cookie each time, and brute-forcing can take place.

    They should've used an IP-based check maybe?

    • by skids (119237)

      Having been in the recesses of their website as a customer, this does not surprise me at all. The deeper past the front page you go, the more the whole thing has the feel of something somebody's cousin "who's good with computers" threw together.

  • This is fixed now (Score:4, Informative)

    by diversiform (1085477) on Thursday September 20, 2012 @03:32PM (#41403481)
    according to Kevin Burke [inburke.com] who originally found the issue (scroll down to "Wednesday morning").
    • Re:This is fixed now (Score:4, Informative)

      by 140Mandak262Jamuna (970587) on Thursday September 20, 2012 @04:11PM (#41403949) Journal
      Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed logins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.
    • according to Kevin Burke [inburke.com] who originally found the issue (scroll down to "Wednesday morning").

      So now a hacker will get a pop 404 page after 20 successful attempts, according to the updated info. My question: Will Virgin Mobile be sending the intended victim's phone a text alerting them that these attempts were made?
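    Spy Handler's point that a cookie-counted lockout is useless, 140Mandak262Jamuna's four-attempt figure, and the question about alerting the subscriber all come down to where the failed-attempt state lives. The sketch below is an added example, not Virgin Mobile's code: the counters are kept server-side, keyed by account and by source IP, so nothing a client can discard resets them; the 15-minute lock, the per-IP limit of 20 failures a minute and the phone-number usernames are assumptions for the demo.

    ```python
    import time
    from collections import defaultdict

    MAX_ACCOUNT_FAILURES = 4         # the four-attempt limit discussed in the thread
    ACCOUNT_LOCK_SECONDS = 15 * 60   # assumption: how long an account stays locked
    MAX_IP_FAILURES = 20             # assumption: per-source throttle across all accounts
    IP_WINDOW_SECONDS = 60


    class LoginGuard:
        """Failed-attempt counters live on the server, keyed by account and by source IP.
        Nothing the client sends (cookies, headers) is consulted, so a 'fresh' client
        that has cleared its cookies sees exactly the same lock as the one that caused it."""

        def __init__(self, check_password):
            self.check_password = check_password  # callable(username, password) -> bool
            self.account_failures = defaultdict(int)
            self.account_locked_until = {}
            self.ip_failures = defaultdict(list)  # ip -> timestamps of recent failures
            self.alerts = []                      # lock events a real site would SMS to the subscriber

        def _ip_throttled(self, ip, now):
            recent = [t for t in self.ip_failures[ip] if now - t < IP_WINDOW_SECONDS]
            self.ip_failures[ip] = recent
            return len(recent) >= MAX_IP_FAILURES

        def attempt(self, username, password, ip, now=None):
            """Return 'ok', 'fail', 'locked' or 'throttled' for one login attempt."""
            now = time.time() if now is None else now
            if self.account_locked_until.get(username, 0) > now:
                return "locked"            # account lock checked before the password is even tried
            if self._ip_throttled(ip, now):
                return "throttled"         # one source hammering many accounts is slowed down too
            if self.check_password(username, password):
                self.account_failures[username] = 0
                return "ok"
            self.account_failures[username] += 1
            self.ip_failures[ip].append(now)
            if self.account_failures[username] >= MAX_ACCOUNT_FAILURES:
                self.account_locked_until[username] = now + ACCOUNT_LOCK_SECONDS
                self.account_failures[username] = 0
                self.alerts.append((username, now))  # hook for notifying the account owner
            return "fail"
    ```
    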

  • Last time it was tried.

    • I have to disagree with you there. It's 6 months or longer of hand holding, cuddling, spooning, excessive making out, then when you finally get to penetrating it's "slow down" or "ouch" and just unpleasant for both parties. That's how I remember it.
      • by Jeng (926980)

        Yea, hooking up with someone who knows what they're doing is a good thing.

        And it's a good thing that she knew what she was doing, cause I sure as hell didn't.

    • by Sulphur (1548251)

      Last time it was tried.

      Great in rehearsal.

  • Quick poll, is vulnerable to brute-force attacks better or worse than T-Mobile's "email me my existing password in plaintext" forgot-password feature? (Yes, T-Mobile uses your phone number as your username too.)
  • Forget VM, Boost Mobile forces the username to be your 10-digit mobile number and the password to a 4-digit number that you select.
  • Where am I, is this not Slashdot?

  • Apparently they used passwords that are super strong and were guaranteed by a French bank, Swype account administrator. So this story is pure fiction. I tell you no one would believe what that password is if someone told them "this is the password for the French bank Swype account portal." It was that incredible.
  • When asked about their vulnerability to brute force attacks, the six million people said, "This must be what the Slashdot people felt like in high school."

  • I guessed this when I first started using their service late last year. Your account "login" information is simply your real 10-digit phone number, and your "password" is just a 6-digit PIN. Everything you need to enter it is right there, on the numpad (with the exception of Tab). SMS spammers guess people's phone numbers and carriers to successfully send unwanted messages through e-mail; surely if they wanted to bad enough it wouldn't be too difficult to guess or do a brute-force attack on the six-digit

  • Isn't the entire modern world vulnerable to brute force attacks? Isn't that the definition of what to do when you can't reasonably narrow down the choices?

  • To Sprint's horrendously bad network.
