Virgin Mobile account security a joke? Concerned Developer reveals major security flaw.
How important is your phone carrier’s security to you? If you are saying to yourself “very important,” we have bad news for those that were considering getting Virgin’s Samsung Galaxy Reverb on September 19th, or any other device from the same operator for that matter. According to Twilio developer Kevin Burke, Virgin’s login system has one huge security flaw that makes it vulnerable to attacks. All you need is a 6-pin numerical password, and an account number to get into your account.
This might seem convenient, but it also means that there are only a million different combinations for getting into your account. For a hacker, this could make breaking in a cinch. The fact that it’s a six digit number also means many naive account holders likely use their date of birth as the pin. These types of users are just begging to get hacked.
What happens if someone forces their way into your account? They could charge an expensive phone to your account, read your texts and previous calls and even lock you out of your account by changing the pin.
Kevin Burke claims he reached out to Virgin Mobile repeatedly about the vulnerability, but after realizing that they didn’t take the problem seriously, he went public with the information. Burke’s recommendation is simply to delete credit charge information stored on your account and watch out. Even better, he suggests a change to a different carrier.
That being said, Virgin Mobile has now responded. The carrier has changed its policy to lock you out after just four attempts. There is one big problem with this system, though. The lockout uses cookie information and so any good hacker could easily clear the data and continue attempting long after the fourth try.
We live in a world where online exploits and hacks are very much a common reality for many people. Most carriers are requiring alphanumerical passwords, or even a two-method authentication to make life more secure.
Meanwhile, Virgin Mobile does virtually nothing to help keep users secure, at least in the U.S. What’s your take on the situation?