"If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you."
That's according to independent developer Kevin Burke, who warned Virgin Mobile USA customers about a glaring security hole in the phone company's account login protocol.
On his blog, Burke explains that since Virgin Mobile requires all users to log in with their phone number and a six-digit PIN, there are only one million passwords available.
[pullquote]
"It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day," Burke wrote. He said he used this brute force method to easily hack into his own account.
"Anyone who knows your Virgin Mobile USA phone number can: see who you’ve been calling and texting, change the handset associated with your number, change your address, your email address or your password [or] purchase a handset on your behalf," the post announced in bulleted form. "There is no way to defend against this attack."
Burke said that after several phone and email exchanges with parent company Sprint in which he attempted to warn them about the exploit, he was ignored and his concern was dismissed. That's when he decided to expose the flaw to the public.
Burke said he first warned Virgin Mobile about the problem on Aug. 17 and is concerned that this method of account hacking is already being employed. Now that the hack has been widely publicized, Virgin Mobile will likely be forced to change their login procedure.
In the meantime though, Burke suggests users take several steps to protect themselves from account intruders, including deleting all credit cards on file and switching to another phone service.
The issue appears to primarily affect logins on company site virginmobileusa.com
Virgin Mobile has not yet responded to a request for comment. We will update this post if the company responds.
- The 10 Most Dangerous Women Online
- 9 Ways to Stay Safe Using PayPal
- 10 Best Identity Theft Protection Services
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.