In a recent blog post, developer Kevin Burke warned of a significant problem with Virgin Mobile's account security.
"Burke said the vulnerability stems from the fact that the wireless carrier requires subscribers to use their phone numbers as their username and a 6-digit number as their password," writes The Huffington Post's Gerry Smith. "Burke said this is 'horribly insecure' compared with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits. He warned a hacker could determine a Virgin Mobile subscriber’s PIN 'inside of one day.'"
"What can be accessed through this exploit? Everything a user might be able to access in their Virgin Mobile account," writes Geekosystem's Rollin Bishop. "Malicious hackers can view the call history, change the handset tied to the account, purchase an entirely new handset, and cause the typical damage of resetting any information associated with the account. You know, just a few minor things."
"There is currently no way to protect yourself from this attack," Burke wrote. "Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN. If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier."
"Burke said he contacted the company and its parent, Sprint, in August to alert them to the issue but became frustrated with the pace of the investigation and lack of communication," writes Threatpost's Anne Saita. "After several emails back and forth with a Sprint official, Burke was told Sept. 14 the company did not plan further action on Virgin Mobile's end. That's when he decided to go public since he thought the vulnerability might already be exploited in the wild."