6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

Doesn't surprise me.

[lattyware]

I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

Re:Doesn't surprise me.

It's even worse when financial institutions don't allow passwords that are more than x characters or can't have special characters.

Re:Doesn't surprise me.

[lattyware]

The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

Re:Doesn't surprise me.

[newcastlejon]

The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

Out with it then. Name and shame.

Re:Doesn't surprise me.

[lattyware]

My CompSci department at Uni has an online hand-in system - when I registered, it wouldn't let me log in with the details I had entered. I did the recover my password link, and it sent me my password, truncated to 12 characters, in plaintext. So not only did they not limit the text field or warn me about the over-length password, but then they stored it in plain text. A Computer Science department made this. Isn't that encouraging? (Disclaimer: They have changed the system now).

Re:Doesn't surprise me.

[lattyware]

Actually, I may have lied - Tesco or Asda (couldn't remember which) definitely used to do it, but just tested and Asda now resets your password to a temporary one which it emails to you, while Tesco sends you a reset link. Maybe it's a sign things are improving a little.

Re:Doesn't surprise me.

[Jeng]

emails you your password in plaintext if you say you forgot it.

Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

Also, what would be the best method?

The company I work for isn't very tech literate and could probably use some pointers.

Re:Doesn't surprise me.

[Neil_Brown]

what are the alternatives to sending the password as text in an email?

I am no expert in the field, but I would have thought that the password should be stored in salted and hashed, form. Anyone compromising that database gets a list of encrypted passwords — it does not help them determine the characters which need to be entered into the system to gain access, unless the algorithm and salt is compromised too.

Instead of sending the user a password, the user should be emailed a link to an online portal for creating a new password, which gets salted and hashed, and this resulting hash stored in the password database.

Re:Doesn't surprise me.

[LunaticTippy]

Password should never be stored as text. Hash only, so nobody can know what it is, only if it matches.
If you forget, you answer secret questions and a one-time password is emailed to your registered email address.

Re:Doesn't surprise me.

[SolitaryMan]

Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

First, the password should not be stored on their servers as plain text in the first place. Salted hashed should.

Also, what would be the best method?

The company I work for isn't very tech literate and could probably use some pointers.

Back when I was developing something like this, the "best by consensus" thing was to send some kind of one time password. We generated these passwords like encrypt_with_company_current_private_key(USER_ID + TIMESTAMP + GIBBERISH). USER_ID allows you to identify the user, timestamp allows you to limit how long this thing can be used and GIBBERISH is just to add some noise (not sure it is helpful though, I'm not a cryptography expert).

Re:Doesn't surprise me.

[firex726]

I wish I had that, my CC company has a max of 6 characters.
I assume someone sent the design doc to the developer and mixed up MINIMUM and MAXIMUM.

Re:Doesn't surprise me.

[lattyware]

The basic idea is knowing your user's password is bad. The reality is users use the same passwords in multiple places, and if your site is comprimised in any way, you don't want to leak those passwords. Fortunately, we don't actually need to know the user's password - all we need to do is know if it's the same each time. This is where hashes come in - we store a hash (a one way function that gives us the same result each time for the same input, but doesn't tell you what the input was) of the password, and then hash their attempts and compare. Strong hashes and salts are a good idea to defend against many attacks, but the short answer is, use BCrypt.

As to forgetting their password - again, we don't actually need to tell them it, just to give them access to their account back. We can do this by generating a one-time-password (a random UUID, for example) and then emailing them a link to reset their password using this. This allows them to access their account, without sending a password in plaintext.

Re:Doesn't surprise me.

[sjames]

The complaint isn't that they sent a password in email, the problem is that they send you your original password and to do that they must have it stored in plain text in the database.

The correct way to do it is store passwords as a hash and if you forget it, they set a temporary password and email that to you (or a password reset link).

Re:Doesn't surprise me.

[Bill,+Shooter+of+Bul]

Why do you have a password with your grocery store? For coupon offers? Online shopping? newsletters?

Re:Doesn't surprise me.

[firex726]

I assume you meant pin?
This is for their online payment site.

Re:Doesn't surprise me.

[makomk]

They probably got some CS undergrad to develop it for them for free.

Re:Doesn't surprise me.

[alvarogmj]

Same in Uruguay. They changed their system a few years back, and when they changed it, the password for the new system was the same as the old one, truncated to 8 characters. Both systems allowed only certain characters, but at least the old one allowed me to have longer passwords.

Let me repeat in case the horror was not clear enough: they migrated the accounts to the new system, they reduced the maximum password length, and automatically set the passwords in the new system to the first 8 characters of the old system's password

Re:Doesn't surprise me.

[halcyon1234]

I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

You think that's sad? Go to their mobile phone account site. You know how you log in? Enter your phone number (public information), followed by a FOUR DIGIT PIN . Yes, I used bold, italic, and underlined for that. The ONLY thing standing between you and someone with your phone number being an asshole is, at most, 10,000 possible numbers. Surely no one could brute force 10,000 numbers!!!!

Re:Doesn't surprise me.

[lattyware]

Online shopping.

Re:Doesn't surprise me.

[Forty+Two+Tenfold]

A Computer Science department made this. Isn't that encouraging?

Those who can, do. Whose who can't, teach. Those who can't teach, manage.

The Title

Its a shame we cant mod the title funny innit?

Virgins?

[bhagwad]

I read this as "Six million virgins vulnerable to brute force attack :D"

Re:Virgins?

[colesw]

And on that note

http://www.viruscomix.com/page462.html

Re:Virgins?

[Robert+Zenz]

I like how her belt-snake falls asleep...neat little subtlety.

Re:Virgins?

[Larryish]

You know, those 72 virgins weren't female, right?

Re:Virgins?

[kiriath]

Doh!

Re:Virgins?

[SternisheFan]

who ever said it'd be "different" 72 virgins for each martyrs? The untold secret around the virgins in heaven is, they stay virgin for eternity :P

The word "virgins" may be a mis-translation, I've read. The actual word may actually be "raisens". Blow yourself up in a terror attack, and all you'll get for it in the next life is 72 raisens. That sounds about right.

Re:Virgins?

[galanom]

They can keep their virginity after sex? How? Oral?

Penetration Testing?

[InvisibleClergy]

I would have thought that Virgin would be less vulnerable to penetration.

Re:Penetration Testing?

[judoguy]

Not less vulnerable, just less experienced.

Re:Penetration Testing?

[marcello_dl]

Like a Virgin,
Hacked for the very first time,

Like a Viiiiirgin
Feel your host ping
next tooooo miiiiine....

Re:Penetration Testing?

[al.caughey]

I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

Re:Penetration Testing?

I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

Although rolling donuts have often been targeted.

They used cookies

[Spy+Handler]

for failed login attempt checks. This can be bypassed simply by using a different cookie each time, and brute-forcing can take place.

They should've used an IP-based check maybe?

Re:They used cookies

[skids]

Having been in the recesses of their website as a customer, this does not surprise me at all. The deeper past the front page you go, the more the whole thing has the feel of something somebody's cousin "who's good with computers" threw together.

Re:They used cookies

[skids]

Their support line can tell if you are calling from one of their phones. They could just put an "unlock my account" button in their account maintainance menu on the phone.

Re:They used cookies

[Spy+Handler]

yeah those are pretty common. But personally they annoy me because anyone can DOS your account.

This is what happened to me: somebody tried to log into my online game account (called MapleSEA) and failed multiple times, so my account got locked down automatically. I had to call them on the phone (they're located in Singapore) and try to convince them that I'm the real owner and that they should open my account again. Which was not easy because they wanted my national ID number, which I don't have because I'm not a Singaporean... (when I initially registered, I just made up a fake one which I couldn't remember).

I think an IP-based login tracking system would be better to prevent this type of a hassle. Every time a failed login attempt takes place, system keeps track of the IP address. After X number of failed logins from that IP address, system bans that IP address for, say, 60 minutes.

Re:They used cookies

[galanom]

There is no need to permanently lock it. An hour would be enough.

This is fixed now

[diversiform]

according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

Re:This is fixed now

[140Mandak262Jamuna]

Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed log ins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.

Re:This is fixed now

[SternisheFan]

according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

So now a hacker will get a pop 404 page after 20 successful attempts, according to the updated info. My question: Will Virgin Mobile be sending the intended victim's phone a text alerting them that these attempts were made?

Security is a big problem in this industry

[geekfarmer]

Quick poll, is vulnerable to brute-force attacks better or worse than T-Mobile's "email me my existing password in plaintext" forgot-password feature? (Yes, T-Mobile uses your phone number as your username too.)

Re:Security is a big problem in this industry

[reve_etrange]

But can your password be something other than 6 numbers? Because that's how VM works.

VM Not the Worst By Any Shot

[mk1004]

Forget VM, Boost Mobile forces the username to be your 10-digit mobile number and the password to a 4-digit number that you select.

Re:VM Not the Worst By Any Shot

[reve_etrange]

The only difference is two digits (VM passwords are 6 numbers).

Re:VM Not the Worst By Any Shot

[WinstonWolfIT]

A hundred times harder to brute force says it'll take 100 seconds rather than one. That's 100 times better right.

Re:VM Not the Worst By Any Shot

[reve_etrange]

More like 100 times 0, in terms of "better."

Re:Virgin Penetration is Easy

[who_stole_my_kidneys]

i have to disagree with you there, Its 6 months or longer of hand holding , cuttleing, spooning, excessive making out, then when you finality get to penetrating its "slow down" or "ouch" and just unpleasant for both parties. that's how i remember it.

Re:virgins? Brute force?

[rbrausse]

this is the NEW /. - Dice is digging (ha!) up new revenue sources

Re:Brute Force...

[Jeng]

You will not get any data that way.

Yes, you may DOS the phone, but what good does that do you?

Re:Virgin Penetration is Easy

[Jeng]

Yea, hooking up with someone who knows what they're doing is a good thing.

And it's a good thing that she knew what she was doing, cause I sure as hell didn't.

Re:Virgin Penetration is Easy

[Sulphur]

Last time it was tried.

Great in rehersal.

Re:Legitimate Brute Force Attack

[mcgrew]

ill re-write that for ya

Agreed, if you rewrote it it would indeed be ill. Can't you fucking kids follow conventions for the sake of clear communications, or are you doing like Microsoft does and making up your own "standards"? Not capitalizing the "I" wasnt the only thing about the way you wrote your comment that made you look like a retarded ten year old.

Get your GED, kid, so you don't come across as such a moron.

We're guessing, no one's got their phone numbers.

[Impy+the+Impiuos+Imp]

When asked about their vulnerability to brute force attacks, the six million people said, "This must be what the Slashdot people felt like in high school."

I figured that.

[UltraZelda64]

I guessed this when I first started using their service late last year. Your account "login" information is simply your real 10-digit phone number, and your "password" is just a 6-digit PIN. Everything you need to enter it is right there, on the numpad (with the exception of Tab). SMS spammers guess people's phone numbers and carriers to successfully send unwanted messages through e-mail; surely if they wanted to bad enough it wouldn't be too difficult to guess or do a brute-force attack on the six-digit string of digits protecting it.

Seriously, I was (and still am) shocked how such a poor system could be put into place in 2011/2012. They could at least set up two-factor authentication if they're going to have such a piss-poor username/password system, and require their primary authentication phone number to be another phone line so, you know... if the phone connected to the account is lost and/or stolen no one can get into your account before you do. And the secondary authenticator could optionally be the phone number of the account/phone in question to make personally logging into your account and checking your info easier--but as soon as the phone is labeled missing, it would be immediately be rendered useless for receiving any codes to log in. Virgin Mobile already nags you with text messages and e-mails constantly as your month of service comes to an end; sending an occasional text message with an account authentication code shouldn't hurt too badly.

Really though... the whole system needs rethought. At the very least, allow lowercase letters and more than six characters in the password. And while they're at it, why not allow capital letters and a few special characters? Of course, the problem then would be that when you call customer support, "verifying" that you're you wouldn't be as simple as asking "What's your phone number and your 6-digit account PIN?"

I just think it's funny that the guy who blogged about it had to write a script to brute-force his own account to "verify" that he was right, then finally call Sprint, and publicly write about it when they didn't do anything about it. Do you REALLY need to verify that a 6-digit PIN attached to a phone number is easily guessable? And as scummy as telecommunications companies are, does anyone really expect to get to someone who will actually forward the message over to someone else higher up who might potentially actually *do* something?

Confused

[WinstonWolfIT]

Isn't the entire modern world vulnerable to brute force attacks? Isn't that the definition of what to do when you can't reasonably narrow down the choices?

All Sprint users are vulnerable

[gelfling]

To Sprint's horrendously bad network.