Virgin Mobile website passwords vulnerable to brute-force attack

A software developer, Kevin Burke, claims to have discovered a critical security flaw in Virgin Mobile USA's website that leaves six million subscriber accounts wide open to hackers.

Vulnerability: The website uses the subscriber's phone number as the username and a six-digit PIN as the password. The problem with this authentication method lies in the rules for creating the PIN. The site accepts only a six-digit number: no letters, no special characters, no more than three identical digits in a row, and no more than three sequential digits.

Any PIN created under these conditions is very insecure. It takes only a few minutes or hours for a hacker to crack it with a brute-force attack, particularly since the site does not restrict the number of repeated login attempts.
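To put numbers on the two points above (the narrow PIN policy and the missing attempt limit), here is an added Python example that is not code from the post or from Burke: it enumerates the PINs the stated rules still allow and shows how an attempt lockout changes a guesser's odds. The rule interpretation (runs of four or more identical or consecutive digits, in either direction, are rejected) is an assumption, since the post only paraphrases the site's wording.

```python
import math
from itertools import product

# Assumed interpretation of the PIN rules described in the post:
#   - exactly six decimal digits
#   - no run of four or more identical digits ("no more than 3 identical in a row")
#   - no run of four or more consecutive digits, ascending or descending
MAX_RUN = 3


def longest_identical_run(pin: str) -> int:
    best = run = 1
    for a, b in zip(pin, pin[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def longest_sequential_run(pin: str) -> int:
    """Longest run of digits stepping by +1 or -1 (e.g. '2345' or '9876')."""
    best = 1
    for step in (1, -1):
        run = 1
        for a, b in zip(pin, pin[1:]):
            run = run + 1 if int(b) - int(a) == step else 1
            best = max(best, run)
    return best


def is_policy_compliant(pin: str) -> bool:
    if len(pin) != 6 or not pin.isdigit():
        return False
    return (longest_identical_run(pin) <= MAX_RUN
            and longest_sequential_run(pin) <= MAX_RUN)


def count_compliant_pins() -> int:
    """Size of the keyspace a subscriber is actually allowed to choose from."""
    return sum(1 for digits in product("0123456789", repeat=6)
               if is_policy_compliant("".join(digits)))


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def success_probability_under_lockout(max_attempts: int, keyspace: int) -> float:
    """Chance a guesser hits a uniformly chosen PIN before its attempt budget
    is exhausted; with no lockout at all (the situation in the post) it is 1.0."""
    return min(max_attempts, keyspace) / keyspace


if __name__ == "__main__":
    n = count_compliant_pins()
    print(f"compliant PINs: {n} ({entropy_bits(n):.2f} bits)")
    for budget in (5, 10, n):
        p = success_probability_under_lockout(budget, n)
        print(f"{budget} attempts before lockout -> success probability {p:.2e}")
```

The policy shaves only a few thousand PINs off the million possible six-digit values, so the keyspace stays under 20 bits; the attempt limit, not the composition rules, is what would make guessing impractical.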

He verified this by writing a script to “brute force” the PIN number of his own account.

So, anyone who knows your Virgin Mobile USA phone number can see who you've been calling and texting, change the handset associated with your number, change your address, your email address or your password, and purchase a handset on your behalf.

"There is currently no way to protect yourself from this attack. Changing your PIN doesn't work, because the new one would be just as guessable as your current PIN," Burke said. "If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier."