Smartphone Hijack: Virgin Mobile Users Vulnerable

Dennis Faas

Software developer Kevin Burke claims Virgin Mobile customers face an unacceptable risk of falling prey to hackers. Unlike many security issues, this isn't an unexpected bug that's produced by an oversight during the coding process.

Burke says weak security in the company's account login system might allow hackers to hijack a user's phone number.

According to Burke, he reported the problem a month ago but has not yet seen any sign that the firm is taking steps to fix it. He is now publicizing the issue in the hope of forcing Virgin Mobile into action.

Six-Digit PIN Insufficient

The weakness stems from Virgin Mobile forcing its customers to use their phone numbers as their user names when logging into their accounts. Instead of a freeform password, customers must use a six-digit numeric PIN code. There's no other option.

As a result, there are only a million possible passwords (000000 through 999999) on the Virgin Mobile system. The total is further reduced because Virgin bans using the same digit four or more times consecutively (for example, 001111) and four or more sequential numbers (such as 001234).

According to Burke, this makes it significantly easier to guess a password. He tested this theory by writing software that guessed his own password in less than a day.

Burke says allowing eight-character passwords with upper and lower case letters would allow as many as 218 trillion different passwords. (Source: inburke.com)
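
The keyspace arithmetic above, as an added example that is not from the original article or from Burke: it counts the six-digit PINs left after the two bans and compares the result, in bits, with an eight-character password space. It assumes "sequential" means ascending by one without wrapping from 9 to 0, and a 62-symbol alphabet (upper case, lower case, digits), which is the alphabet size that gives roughly 218 trillion.

```python
import math
from itertools import product


def has_run(pin, step, n=4):
    """True if n or more consecutive digits each differ from the previous by `step`.

    step=0 detects repeated digits (001111); step=1 detects ascending
    sequences (001234).
    """
    run = 1
    for prev, cur in zip(pin, pin[1:]):
        run = run + 1 if cur - prev == step else 1
        if run >= n:
            return True
    return False


def pin_allowed(pin):
    # Assumption: "sequential" means ascending by one, no wrap from 9 to 0.
    return not has_run(pin, 0) and not has_run(pin, 1)


def count_allowed_pins(length=6):
    """Enumerate every PIN of the given length and count those the policy accepts."""
    return sum(pin_allowed(p) for p in product(range(10), repeat=length))


def bits(keyspace):
    """Entropy in bits of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


# Assumption: 8 characters drawn from a-z, A-Z and 0-9 (62 symbols).
PASSWORD_KEYSPACE = 62 ** 8

if __name__ == "__main__":
    pins = count_allowed_pins()
    print(f"PINs before bans : {10**6:,} ({bits(10**6):.1f} bits)")
    print(f"PINs after bans  : {pins:,} ({bits(pins):.1f} bits)")
    print(f"8-char passwords : {PASSWORD_KEYSPACE:,} ({bits(PASSWORD_KEYSPACE):.1f} bits)")
```

The bans remove under half a percent of the PIN space, so the entropy stays just under 20 bits, against roughly 47.6 bits for the eight-character alternative.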

Virgin Mobile Users Could Lose Privacy, Cash

Once a hacker guesses a PIN, he can read the customer's call logs, change the PIN, and alter the email and home addresses associated with the account.

Worse still, a successful hacker could buy a new handset using the Virgin Mobile customer's money and even start receiving the unsuspecting user's calls and messages.

Virgin hasn't publicly addressed Burke's complaints, but has changed its policies to lock accounts after four failed PIN attempts.

However, Burke asserts that this measure is also flawed because a simple technical workaround could prevent Virgin from properly recognizing each attempted break-in. (Source: computerworld.com)
