Sprint says Virgin Mobile users are safe from account hijacks

Downplays report by developer that accounts are easily hackable

Sprint today denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer this week.

In emailed comments, Sprint spokeswoman Stephanie Vinge Walsh said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users.

"It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing," Walsh said. "While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place."

Walsh was responding to questions that arose from a Monday blog post by developer Kevin Burke. In it, Burke detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse.

Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, Burke noted.

Because the password is just six digits long, it is relatively easy to guess using brute-force password guessing tools, Burke claimed. Burke authored a password-guessing tool to crack his own password to demonstrate how easy it is to defeat Virgin Mobile's authentication. The tool was designed to test different 6-digit password combinations until it discovered the right one.

With the password and phone number, an attacker would be able to get a user's entire call records and texting history, change the handset associated with the number and change service address and password to lock the actual user out of an account, Burke wrote.

Burke said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks.

In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. Burke described that move as ineffective because hackers could bypass it by making login attempts without sending any cookie data with the requests.

In her comments today, Walsh did not specifically address Burke's claims. Instead, she said the company has not received any reports of fraud affecting Virgin Mobile customers.

"We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts," Walsh said. "Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges."

Walsh offered no details on what those measures might be.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place