Slashdot Mirror


6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

80 comments

  1. Doesn't surprise me. by lattyware · · Score: 2, Informative

    I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

    --
    -- Lattyware (www.lattyware.co.uk)
    1. Re:Doesn't surprise me. by Anonymous Coward · · Score: 2, Insightful

      It's even worse when financial institutions don't allow passwords that are more than x characters or can't have special characters.

    2. Re:Doesn't surprise me. by lattyware · · Score: 3, Interesting

      The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

      --
      -- Lattyware (www.lattyware.co.uk)
    3. Re:Doesn't surprise me. by Anonymous Coward · · Score: 0

      The fact they have it in plaintext is disgusting.

      One of my classes requires the use of Pearson Education's My IT Lab, which is an web-based tool for tests and some coursework. I had forgotten my password and clicked on reset password only to have "password sent to email account" appear on screen. Sure enough, my plaintext password was in my inbox.

    4. Re:Doesn't surprise me. by newcastlejon · · Score: 1

      The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

      Out with it then. Name and shame.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    5. Re:Doesn't surprise me. by lattyware · · Score: 2

      My CompSci department at Uni has an online hand-in system - when I registered, it wouldn't let me log in with the details I had entered. I did the recover my password link, and it sent me my password, truncated to 12 characters, in plaintext. So not only did they not limit the text field or warn me about the over-length password, but then they stored it in plain text. A Computer Science department made this. Isn't that encouraging? (Disclaimer: They have changed the system now).

      --
      -- Lattyware (www.lattyware.co.uk)
    6. Re:Doesn't surprise me. by lattyware · · Score: 1

      Actually, I may have lied - Tesco or Asda (couldn't remember which) definitely used to do it, but just tested and Asda now resets your password to a temporary one which it emails to you, while Tesco sends you a reset link. Maybe it's a sign things are improving a little.

      --
      -- Lattyware (www.lattyware.co.uk)
    7. Re:Doesn't surprise me. by Jeng · · Score: 1

      emails you your password in plaintext if you say you forgot it.

      Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

      Also, what would be the best method?

      The company I work for isn't very tech literate and could probably use some pointers.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    8. Re:Doesn't surprise me. by Neil_Brown · · Score: 1

      what are the alternatives to sending the password as text in an email?

      I am no expert in the field, but I would have thought that the password should be stored in salted and hashed form. Anyone compromising that database gets a list of encrypted passwords — it does not help them determine the characters which need to be entered into the system to gain access, unless the algorithm and salt are compromised too.

      Instead of sending the user a password, the user should be emailed a link to an online portal for creating a new password, which gets salted and hashed, and this resulting hash stored in the password database.

    9. Re:Doesn't surprise me. by LunaticTippy · · Score: 2

      Password should never be stored as text. Hash only, so nobody can know what it is, only if it matches.
      If you forget, you answer secret questions and a one-time password is emailed to your registered email address.

      --
      Man, you really need that seminar!
    10. Re:Doesn't surprise me. by SolitaryMan · · Score: 2

      Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

      First, the password should not be stored on their servers as plain text in the first place. Salted hashed should.

      Also, what would be the best method?

      The company I work for isn't very tech literate and could probably use some pointers.

      Back when I was developing something like this, the "best by consensus" thing was to send some kind of one time password. We generated these passwords like encrypt_with_company_current_private_key(USER_ID + TIMESTAMP + GIBBERISH). USER_ID allows you to identify the user, timestamp allows you to limit how long this thing can be used and GIBBERISH is just to add some noise (not sure it is helpful though, I'm not a cryptography expert).

      --
      May Peace Prevail On Earth
    11. Re:Doesn't surprise me. by firex726 · · Score: 1

      I wish I had that, my CC company has a max of 6 characters.
      I assume someone sent the design doc to the developer and mixed up MINIMUM and MAXIMUM.

    12. Re:Doesn't surprise me. by Anonymous Coward · · Score: 0

      Santander in Brazil limits their Internet passwords to 8 alphanumeric characters. How about that?

    13. Re:Doesn't surprise me. by lattyware · · Score: 1

      The basic idea is knowing your user's password is bad. The reality is users use the same passwords in multiple places, and if your site is compromised in any way, you don't want to leak those passwords. Fortunately, we don't actually need to know the user's password - all we need to do is know if it's the same each time. This is where hashes come in - we store a hash (a one way function that gives us the same result each time for the same input, but doesn't tell you what the input was) of the password, and then hash their attempts and compare. Strong hashes and salts are a good idea to defend against many attacks, but the short answer is, use BCrypt.

      As to forgetting their password - again, we don't actually need to tell them it, just to give them access to their account back. We can do this by generating a one-time-password (a random UUID, for example) and then emailing them a link to reset their password using this. This allows them to access their account, without sending a password in plaintext.

      --
      -- Lattyware (www.lattyware.co.uk)
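      As an added example (not code from any commenter, nor from Virgin's system), the scheme lattyware describes above, and the one-time password idea SolitaryMan raises earlier, in Python: only a salted slow hash of the password is stored, and a forgotten password is handled with a random, single-use, expiring reset token rather than by mailing anything the user typed. PBKDF2-HMAC from the standard library stands in for the bcrypt the post recommends; the in-memory dicts, names and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the password and reset-token tables.
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}

PBKDF2_ROUNDS = 100_000
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with the standard
    # library; the property that matters is the same: a slow, salted, one-way
    # function, so the stored value never reveals the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, per change
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Run the hash anyway so an unknown user costs the same time as a bad password.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def issue_reset_token(username: str, now=None) -> str:
    """Create the single-use secret that goes into the e-mailed reset link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked token table is then useless.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now=None) -> bool:
    """Consume the token (one use only) and, if it is still valid, set the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(key, None)  # pop: a second use of the same token fails
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True
```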
    14. Re:Doesn't surprise me. by sjames · · Score: 1

      The complaint isn't that they sent a password in email, the problem is that they send you your original password and to do that they must have it stored in plain text in the database.

      The correct way to do it is store passwords as a hash and if you forget it, they set a temporary password and email that to you (or a password reset link).

    15. Re:Doesn't surprise me. by Anonymous Coward · · Score: 0

      Um in Australia Virgin lock the account on the third failed attempt, and require a phone call

    16. Re:Doesn't surprise me. by Anonymous Coward · · Score: 0

      I wish my credit card company allowed 6 digits. They imposed a 4-digit limit!

    17. Re:Doesn't surprise me. by Bill,+Shooter+of+Bul · · Score: 1

      Why do you have a password with your grocery store? For coupon offers? Online shopping? newsletters?

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    18. Re:Doesn't surprise me. by firex726 · · Score: 1

      I assume you meant pin?
      This is for their online payment site.

    19. Re:Doesn't surprise me. by makomk · · Score: 1

      They probably got some CS undergrad to develop it for them for free.

    20. Re:Doesn't surprise me. by alvarogmj · · Score: 1

      Same in Uruguay. They changed their system a few years back, and when they changed it, the password for the new system was the same as the old one, truncated to 8 characters. Both systems allowed only certain characters, but at least the old one allowed me to have longer passwords.

      Let me repeat in case the horror was not clear enough: they migrated the accounts to the new system, they reduced the maximum password length, and automatically set the passwords in the new system to the first 8 characters of the old system's password.

    21. Re:Doesn't surprise me. by halcyon1234 · · Score: 1

      I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

      You think that's sad? Go to their mobile phone account site. You know how you log in? Enter your phone number (public information), followed by a FOUR DIGIT PIN. Yes, I used bold, italic, and underlined for that. The ONLY thing standing between you and someone with your phone number being an asshole is, at most, 10,000 possible numbers. Surely no one could brute force 10,000 numbers!!!!

    22. Re:Doesn't surprise me. by lattyware · · Score: 1

      Online shopping.

      --
      -- Lattyware (www.lattyware.co.uk)
    23. Re:Doesn't surprise me. by Forty+Two+Tenfold · · Score: 1

      A Computer Science department made this. Isn't that encouraging?

      Those who can, do. Those who can't, teach. Those who can't teach, manage.

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  2. Hard-Coded password? by Anonymous Coward · · Score: 0

    There is nothing about a hard-coded password in the news release:
    http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

    It's all about a short, numeric-only password with no attempt limitation.

  3. The Title by Anonymous Coward · · Score: 2, Funny

    It's a shame we can't mod the title funny, innit?

  4. Virgins? by bhagwad · · Score: 4, Funny

    I read this as "Six million virgins vulnerable to brute force attack :D"

    1. Re:Virgins? by Anonymous Coward · · Score: 0

      That's only enough for 83333 Islamic Jihadist martyrs

    2. Re:Virgins? by colesw · · Score: 2
    3. Re:Virgins? by Robert+Zenz · · Score: 1

      I like how her belt-snake falls asleep...neat little subtlety.

    4. Re:Virgins? by Larryish · · Score: 1

      You know, those 72 virgins weren't female, right?

    5. Re:Virgins? by Anonymous Coward · · Score: 0

      Whoever said it'd be "different" 72 virgins for each martyr?
      The untold secret around the virgins in heaven is, they stay virgin for eternity :P

    6. Re:Virgins? by kiriath · · Score: 2

      Doh!

    7. Re:Virgins? by SternisheFan · · Score: 2

      Whoever said it'd be "different" 72 virgins for each martyr? The untold secret around the virgins in heaven is, they stay virgin for eternity :P

      The word "virgins" may be a mis-translation, I've read. The actual word may actually be "raisins". Blow yourself up in a terror attack, and all you'll get for it in the next life is 72 raisins. That sounds about right.

    8. Re:Virgins? by galanom · · Score: 1

      They can keep their virginity after sex? How? Oral?

  5. Penetration Testing? by InvisibleClergy · · Score: 5, Funny

    I would have thought that Virgin would be less vulnerable to penetration.

    1. Re:Penetration Testing? by Anonymous Coward · · Score: 0

      Ghost mod points to you, good sir.

    2. Re:Penetration Testing? by judoguy · · Score: 4, Funny

      Not less vulnerable, just less experienced.

      --
      Peace is easy to achieve, just surrender. Liberty is much harder to get/keep.
    3. Re:Penetration Testing? by marcello_dl · · Score: 4, Funny

      Like a Virgin,
      Hacked for the very first time,

      Like a Viiiiirgin
      Feel your host ping
      next tooooo miiiiine....

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    4. Re:Penetration Testing? by al.caughey · · Score: 2

      I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

    5. Re:Penetration Testing? by Anonymous Coward · · Score: 1

      I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

      Although rolling donuts have often been targeted.

  6. They used cookies by Spy+Handler · · Score: 2

    for failed login attempt checks. This can be bypassed simply by using a different cookie each time, and brute-forcing can take place.

    They should've used an IP-based check maybe?

    1. Re:They used cookies by Anonymous Coward · · Score: 0

      What about locking the account until the client calls user support if there are more than 5 failures?

    2. Re:They used cookies by skids · · Score: 2

      Having been in the recesses of their website as a customer, this does not surprise me at all. The deeper past the front page you go, the more the whole thing has the feel of something somebody's cousin "who's good with computers" threw together.

    3. Re:They used cookies by skids · · Score: 1

      Their support line can tell if you are calling from one of their phones. They could just put an "unlock my account" button in their account maintenance menu on the phone.

    4. Re:They used cookies by Spy+Handler · · Score: 1

      Yeah, those are pretty common. But personally they annoy me because anyone can DOS your account.

      This is what happened to me: somebody tried to log into my online game account (called MapleSEA) and failed multiple times, so my account got locked down automatically. I had to call them on the phone (they're located in Singapore) and try to convince them that I'm the real owner and that they should open my account again. Which was not easy because they wanted my national ID number, which I don't have because I'm not a Singaporean... (when I initially registered, I just made up a fake one which I couldn't remember).

      I think an IP-based login tracking system would be better to prevent this type of hassle. Every time a failed login attempt takes place, the system keeps track of the IP address. After X number of failed logins from that IP address, the system bans that IP address for, say, 60 minutes.

    5. Re:They used cookies by Anonymous Coward · · Score: 0

      Nowadays, botnets make IP-based blocks somewhat useless. Most sites just lock the account if there are too many failed password attempts. An alternative is to have an increasing cool-down time after each failed attempt.

    6. Re:They used cookies by galanom · · Score: 1

      There is no need to permanently lock it. An hour would be enough.
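      An added example (not code from any commenter, nor from Virgin's site) of the throttle this sub-thread argues towards: Spy Handler's per-IP ban, the Anonymous Coward's escalating cool-down per account, and galanom's temporary rather than permanent lock. Both counters live on the server, keyed by account and by source address, so clearing a cookie does not reset them; the thresholds, delays and the `attempt` helper are assumptions.

```python
from dataclasses import dataclass, field

# Assumed tunables for this constructed example.
IP_FAILS_BEFORE_BAN = 10
IP_BAN_SECONDS = 60 * 60          # temporary, not permanent
BASE_DELAY_SECONDS = 2.0
MAX_DELAY_SECONDS = 60 * 60       # per-account cool-down caps at an hour


@dataclass
class LoginThrottle:
    # Server-side state only: nothing here is derived from a client cookie,
    # so a client that discards its cookie still hits the same counters.
    account_fails: dict = field(default_factory=dict)  # user -> (count, blocked_until)
    ip_fails: dict = field(default_factory=dict)       # ip -> (count, banned_until)

    def _account_delay(self, count: int) -> float:
        # Escalating cool-down: 2s, 4s, 8s, ... capped at MAX_DELAY_SECONDS.
        return min(BASE_DELAY_SECONDS * (2 ** (count - 1)), MAX_DELAY_SECONDS)

    def check(self, user: str, ip: str, now: float) -> tuple:
        """Decide, before the password is examined, whether this attempt may proceed."""
        _, banned_until = self.ip_fails.get(ip, (0, 0.0))
        if now < banned_until:
            return False, "ip_banned"
        _, blocked_until = self.account_fails.get(user, (0, 0.0))
        if now < blocked_until:
            return False, "account_cooldown"
        return True, "ok"

    def record(self, user: str, ip: str, success: bool, now: float) -> None:
        """Update the counters after the password has actually been checked."""
        if success:
            self.account_fails.pop(user, None)  # a good login clears the account counter
            return
        count, _ = self.account_fails.get(user, (0, 0.0))
        count += 1
        self.account_fails[user] = (count, now + self._account_delay(count))
        ip_count, banned_until = self.ip_fails.get(ip, (0, 0.0))
        ip_count += 1
        if ip_count >= IP_FAILS_BEFORE_BAN:
            banned_until = now + IP_BAN_SECONDS  # ban the source for an hour, then forget
            ip_count = 0
        self.ip_fails[ip] = (ip_count, banned_until)


def attempt(throttle: LoginThrottle, user: str, ip: str, password_ok: bool, now: float) -> str:
    """One login attempt; password_ok stands in for the real credential check."""
    allowed, reason = throttle.check(user, ip, now)
    if not allowed:
        return reason  # refused without touching the password store at all
    throttle.record(user, ip, password_ok, now)
    return "success" if password_ok else "failed"
```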

  7. This is fixed now by diversiform · · Score: 4, Informative

    according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

    1. Re:This is fixed now by 140Mandak262Jamuna · · Score: 3, Informative

      Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed logins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:This is fixed now by SternisheFan · · Score: 1

      according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

      So now a hacker will get a pop 404 page after 20 successful attempts, according to the updated info. My question: Will Virgin Mobile be sending the intended victim's phone a text alerting them that these attempts were made?

    3. Re:This is fixed now by Anonymous Coward · · Score: 0

      That was only the initial "fix." Apparently their later fix didn't depend on cookies. Burke's latest update says "This fixes the main vulnerability I disclosed Monday."

  8. Virgin Penetration is Easy by BoRegardless · · Score: 0

    Last time it was tried.

    1. Re:Virgin Penetration is Easy by who_stole_my_kidneys · · Score: 1

      I have to disagree with you there. It's 6 months or longer of hand holding, cuddling, spooning, excessive making out, then when you finally get to penetrating it's "slow down" or "ouch" and just unpleasant for both parties. That's how I remember it.

    2. Re:Virgin Penetration is Easy by Jeng · · Score: 1

      Yea, hooking up with someone who knows what they're doing is a good thing.

      And it's a good thing that she knew what she was doing, cause I sure as hell didn't.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    3. Re:Virgin Penetration is Easy by Sulphur · · Score: 2

      Last time it was tried.

      Great in rehearsal.

  9. Security is a big problem in this industry by geekfarmer · · Score: 1

    Quick poll, is vulnerable to brute-force attacks better or worse than T-Mobile's "email me my existing password in plaintext" forgot-password feature? (Yes, T-Mobile uses your phone number as your username too.)

    1. Re:Security is a big problem in this industry by reve_etrange · · Score: 1

      But can your password be something other than 6 numbers? Because that's how VM works.

      --
      .: Semper Absurda :.
  10. VM Not the Worst By Any Shot by mk1004 · · Score: 1

    Forget VM, Boost Mobile forces the username to be your 10-digit mobile number and the password to a 4-digit number that you select.

    --
    I can mend the break of day, heal a broken heart, and provide temporary relief to nymphomaniacs.
    1. Re:VM Not the Worst By Any Shot by reve_etrange · · Score: 1

      The only difference is two digits (VM passwords are 6 numbers).

      --
      .: Semper Absurda :.
    2. Re:VM Not the Worst By Any Shot by WinstonWolfIT · · Score: 1

      A hundred times harder to brute force says it'll take 100 seconds rather than one. That's 100 times better, right?

    3. Re:VM Not the Worst By Any Shot by reve_etrange · · Score: 1

      More like 100 times 0, in terms of "better."

      --
      .: Semper Absurda :.
  11. virgins? Brute force? by nurb432 · · Score: 0

    Where am I, is this not Slashdot?

    --
    ---- Booth was a patriot ----
    1. Re:virgins? Brute force? by rbrausse · · Score: 1

      this is the NEW /. - Dice is digging (ha!) up new revenue sources

  12. No way. They used strong password. by 140Mandak262Jamuna · · Score: 0

    Apparently they used passwords that are super strong and were guaranteed by a French bank, Swype account administrator. So this story is pure fiction. I tell you no one would believe what that password is if someone told them "this is the password for the French bank Swype account portal." It was that incredible.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Re:Legitimate Brute Force Attack by who_stole_my_kidneys · · Score: 0

    ill re-write that for ya.... My republican friends tell me that if it's a legitimate brute force attack,women's bodies have ways to shut the whole thing down. But as a man i have not way to shutdown the bruit force attack of stupidity when i hear Romney speak.

  14. Re:Brute Force... by Jeng · · Score: 1

    You will not get any data that way.

    Yes, you may DOS the phone, but what good does that do you?

    --
    Don't know something? Look it up. Still don't know? Then ask.
  15. Re:Legitimate Brute Force Attack by mcgrew · · Score: 1

    ill re-write that for ya

    Agreed, if you rewrote it it would indeed be ill. Can't you fucking kids follow conventions for the sake of clear communications, or are you doing like Microsoft does and making up your own "standards"? Not capitalizing the "I" wasn't the only thing about the way you wrote your comment that made you look like a retarded ten year old.

    Get your GED, kid, so you don't come across as such a moron.

  16. We're guessing, no one's got their phone numbers. by Impy+the+Impiuos+Imp · · Score: 2

    When asked about their vulnerability to brute force attacks, the six million people said, "This must be what the Slashdot people felt like in high school."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  17. I figured that. by UltraZelda64 · · Score: 1

    I guessed this when I first started using their service late last year. Your account "login" information is simply your real 10-digit phone number, and your "password" is just a 6-digit PIN. Everything you need to enter it is right there, on the numpad (with the exception of Tab). SMS spammers guess people's phone numbers and carriers to successfully send unwanted messages through e-mail; surely if they wanted to bad enough it wouldn't be too difficult to guess or do a brute-force attack on the six-digit string of digits protecting it.

    Seriously, I was (and still am) shocked how such a poor system could be put into place in 2011/2012. They could at least set up two-factor authentication if they're going to have such a piss-poor username/password system, and require their primary authentication phone number to be another phone line so, you know... if the phone connected to the account is lost and/or stolen no one can get into your account before you do. And the secondary authenticator could optionally be the phone number of the account/phone in question to make personally logging into your account and checking your info easier--but as soon as the phone is labeled missing, it would immediately be rendered useless for receiving any codes to log in. Virgin Mobile already nags you with text messages and e-mails constantly as your month of service comes to an end; sending an occasional text message with an account authentication code shouldn't hurt too badly.

    Really though... the whole system needs rethought. At the very least, allow lowercase letters and more than six characters in the password. And while they're at it, why not allow capital letters and a few special characters? Of course, the problem then would be that when you call customer support, "verifying" that you're you wouldn't be as simple as asking "What's your phone number and your 6-digit account PIN?"

    I just think it's funny that the guy who blogged about it had to write a script to brute-force his own account to "verify" that he was right, then finally call Sprint, and publicly write about it when they didn't do anything about it. Do you REALLY need to verify that a 6-digit PIN attached to a phone number is easily guessable? And as scummy as telecommunications companies are, does anyone really expect to get to someone who will actually forward the message over to someone else higher up who might potentially actually *do* something?

    1. Re:I figured that. by Anonymous Coward · · Score: 0

      When I tried VM, the pin defaulted to the birthday you gave them when you signed up. That reduces the key space significantly. I set up a Perl script to brute force the account pin of a phone I bought on craigslist.

      As bad as the security was, I left because of the terrible call and data coverage.

  18. Confused by WinstonWolfIT · · Score: 1

    Isn't the entire modern world vulnerable to brute force attacks? Isn't that the definition of what to do when you can't reasonably narrow down the choices?

  19. All Sprint users are vulnerable by gelfling · · Score: 1

    To Sprint's horrendously bad network.

  20. Passphrases by Anonymous Coward · · Score: 0

    Believe me, I am not a computer wizard by any means, but when Virgin insisted on a 6 digit numeric only passphrase I was shocked. I have logged onto other sites and used passphrases that were commented as being very high as far as security, using both upper and lower case letters as well as numerals and symbols. I hope they change this soon; I will feel much better/safer.