Slashdot Mirror


6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.

21 of 80 comments

  1. Doesn't surprise me. by lattyware · · Score: 2, Informative

    I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10-character limit on your password. Seriously. 10 is woefully short as a maximum.

    --
    -- Lattyware (www.lattyware.co.uk)
    1. Re:Doesn't surprise me. by Anonymous Coward · · Score: 2, Insightful

      It's even worse when financial institutions don't allow passwords that are more than x characters or can't have special characters.

    2. Re:Doesn't surprise me. by lattyware · · Score: 3, Interesting

      The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

      --
      -- Lattyware (www.lattyware.co.uk)
    3. Re:Doesn't surprise me. by lattyware · · Score: 2

      My CompSci department at Uni has an online hand-in system - when I registered, it wouldn't let me log in with the details I had entered. I did the recover my password link, and it sent me my password, truncated to 12 characters, in plaintext. So not only did they not limit the text field or warn me about the over-length password, but then they stored it in plain text. A Computer Science department made this. Isn't that encouraging? (Disclaimer: They have changed the system now).

      --
      -- Lattyware (www.lattyware.co.uk)
    4. Re:Doesn't surprise me. by LunaticTippy · · Score: 2

      Passwords should never be stored as text. Hash only, so nobody can know what it is, only if it matches.
      If you forget, you answer secret questions and a one-time password is emailed to your registered email address.

      --
      Man, you really need that seminar!
    5. Re:Doesn't surprise me. by SolitaryMan · · Score: 2

      Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

      First, the password should not be stored on their servers as plain text in the first place. Salted hashes should.

      Also, what would be the best method?

      The company I work for isn't very tech literate and could probably use some pointers.

      Back when I was developing something like this, the "best by consensus" thing was to send some kind of one-time password. We generated these passwords like encrypt_with_company_current_private_key(USER_ID + TIMESTAMP + GIBBERISH). USER_ID allows you to identify the user, timestamp allows you to limit how long this thing can be used and GIBBERISH is just to add some noise (not sure it is helpful though, I'm not a cryptography expert).

      --
      May Peace Prevail On Earth
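    An added illustration of the one-time reset token scheme described in the comment above (not code from the thread or from Virgin): the token carries a user id, a timestamp and a random nonce, but it is authenticated with an HMAC under a server-held key instead of being encrypted, so the server can verify it without ever storing the user's password. The key, the 15-minute lifetime and the `used_nonces` replay set are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key: in a real deployment load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL_SECONDS = 15 * 60   # assumed validity window


def make_reset_token(user_id, now=None):
    """Build a single-use, time-limited token: user_id.timestamp.nonce.mac (base64)."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)   # the "GIBBERISH": makes every token unique, so it can be marked used
    payload = f"{user_id}.{ts}.{nonce}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"." + mac.encode()).decode()


def verify_reset_token(token, used_nonces, now=None):
    """Return the user_id if the token is authentic, unexpired and unused; otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user_id, ts, nonce, mac = raw.rsplit(".", 3)   # ts/nonce/mac never contain dots
    except ValueError:                                 # bad base64, bad utf-8 or wrong field count
        return None
    expected = hmac.new(SERVER_KEY, f"{user_id}.{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):         # constant-time; any edited field fails here
        return None
    current = time.time() if now is None else now
    if current - int(ts) > TOKEN_TTL_SECONDS:          # timestamp bounds the token's lifetime
        return None
    if nonce in used_nonces:                           # one-time: a replayed token is rejected
        return None
    used_nonces.add(nonce)
    return user_id
```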
  2. The Title by Anonymous Coward · · Score: 2, Funny

    It's a shame we can't mod the title funny, innit?

  3. Virgins? by bhagwad · · Score: 4, Funny

    I read this as "Six million virgins vulnerable to brute force attack :D"

    1. Re:Virgins? by colesw · · Score: 2
    2. Re:Virgins? by kiriath · · Score: 2

      Doh!

    3. Re:Virgins? by SternisheFan · · Score: 2

      Who ever said it'd be "different" 72 virgins for each martyr? The untold secret around the virgins in heaven is, they stay virgin for eternity :P

      The word "virgins" may be a mis-translation, I've read. The actual word may actually be "raisins". Blow yourself up in a terror attack, and all you'll get for it in the next life is 72 raisins. That sounds about right.

  4. Penetration Testing? by InvisibleClergy · · Score: 5, Funny

    I would have thought that Virgin would be less vulnerable to penetration.

    1. Re:Penetration Testing? by judoguy · · Score: 4, Funny

      Not less vulnerable, just less experienced.

      --
      Peace is easy to achieve, just surrender. Liberty is much harder to get/keep.
    2. Re:Penetration Testing? by marcello_dl · · Score: 4, Funny

      Like a Virgin,
      Hacked for the very first time,

      Like a Viiiiirgin
      Feel your host ping
      next tooooo miiiiine....

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    3. Re:Penetration Testing? by al.caughey · · Score: 2

      I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

  5. They used cookies by Spy Handler · · Score: 2

    for failed login attempt checks. This can be bypassed simply by using a different cookie each time, and brute-forcing can take place.

    They should've used an IP-based check maybe?

    1. Re:They used cookies by skids · · Score: 2

      Having been in the recesses of their website as a customer, this does not surprise me at all. The deeper past the front page you go, the more the whole thing has the feel of something somebody's cousin "who's good with computers" threw together.

  6. This is fixed now by diversiform · · Score: 4, Informative

    according to Kevin Burke who originally found the issue (scroll down to "Wednesday morning").

    1. Re:This is fixed now by 140Mandak262Jamuna · · Score: 3, Informative

      Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed logins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
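      An added example (not code from the thread or from Virgin) of the lockout defect described in comments 5 and 6 above, with a hardened counterpart: the weak version keeps the failure count in a client cookie, so an empty cookie jar starts from zero; the hardened version counts failures server-side per account and per source IP, so nothing the client sends can reset it. The four-attempt threshold is from the thread; the 15-minute window, the IP threshold and the class names are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 4            # threshold stated in the thread
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


class CookieCountedLockout:
    """Weak design: the failure count lives in a cookie, i.e. in the client's hands."""

    def attempt(self, cookie, password_ok):
        failures = int(cookie.get("failed", 0))
        if failures >= MAX_FAILURES:
            return False, cookie              # locked only while the client keeps the cookie
        if password_ok:
            return True, {}
        return False, {"failed": failures + 1}


class ServerSideLockout:
    """Hardened design: failures are recorded server-side, keyed by account and by IP."""

    def __init__(self):
        self.failures = defaultdict(list)     # key -> timestamps of recent failures

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < LOCKOUT_SECONDS]
        return len(self.failures[key])

    def is_locked(self, username, ip, now=None):
        now = time.time() if now is None else now
        # Per-IP limit is looser and only a backstop: shared NATs and proxies
        # make IP an unreliable identity, so the per-account counter does the real work.
        return (self._recent(("user", username), now) >= MAX_FAILURES
                or self._recent(("ip", ip), now) >= MAX_FAILURES * 5)

    def attempt(self, username, ip, password_ok, now=None):
        now = time.time() if now is None else now
        if self.is_locked(username, ip, now):
            return False                      # reject even a correct password while locked
        if password_ok:
            self.failures.pop(("user", username), None)
            return True
        self.failures[("user", username)].append(now)
        self.failures[("ip", ip)].append(now)
        return False
```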
  7. Re:Virgin Penetration is Easy by Sulphur · · Score: 2

    Last time it was tried.

    Great in rehearsal.

  8. We're guessing, no one's got their phone numbers. by Impy the Impiuos Imp · · Score: 2

    When asked about their vulnerability to brute force attacks, the six million people said, "This must be what the Slashdot people felt like in high school."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.