
6 Million Virgin Mobile Users Vulnerable To Brute-Force Attacks

timothy posted about 2 years ago | from the see-also-bank-of-france dept.


An anonymous reader writes "'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse." Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.


80 comments


Doesn't surprise me. (2, Informative)

lattyware (934246) | about 2 years ago | (#41403241)

I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

Re:Doesn't surprise me. (2, Insightful)

Anonymous Coward | about 2 years ago | (#41403389)

It's even worse when financial institutions don't allow passwords that are more than x characters or can't have special characters.

Re:Doesn't surprise me. (3, Interesting)

lattyware (934246) | about 2 years ago | (#41403425)

The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

Re:Doesn't surprise me. (0)

Anonymous Coward | about 2 years ago | (#41403499)

The fact they have it in plaintext is disgusting.

One of my classes requires the use of Pearson Education's My IT Lab, which is an web-based tool for tests and some coursework. I had forgotten my password and clicked on reset password only to have "password sent to email account" appear on screen. Sure enough, my plaintext password was in my inbox.

Re:Doesn't surprise me. (2)

lattyware (934246) | about 2 years ago | (#41403651)

My CompSci department at Uni has an online hand-in system - when I registered, it wouldn't let me log in with the details I had entered. I did the recover my password link, and it sent me my password, truncated to 12 characters, in plaintext. So not only did they not limit the text field or warn me about the over-length password, but then they stored it in plain text. A Computer Science department made this. Isn't that encouraging? (Disclaimer: They have changed the system now).

Re:Doesn't surprise me. (1)

makomk (752139) | about 2 years ago | (#41409877)

They probably got some CS undergrad to develop it for them for free.

Re:Doesn't surprise me. (1)

Forty Two Tenfold (1134125) | about 2 years ago | (#41412803)

A Computer Science department made this. Isn't that encouraging?

Those who can, do. Those who can't, teach. Those who can't teach, manage.

Re:Doesn't surprise me. (1)

newcastlejon (1483695) | about 2 years ago | (#41403539)

The way passwords are handled in general is appalling - a major supermarket here in the UK emails you your password in plaintext if you say you forgot it. The fact they have it in plaintext is disgusting.

Out with it then. Name and shame.

Re:Doesn't surprise me. (1)

lattyware (934246) | about 2 years ago | (#41403765)

Actually, I may have lied - Tesco or Asda (couldn't remember which) definitely used to do it, but just tested and Asda now resets your password to a temporary one which it emails to you, while Tesco sends you a reset link. Maybe it's a sign things are improving a little.

Re:Doesn't surprise me. (1)

Bill, Shooter of Bul (629286) | about 2 years ago | (#41407419)

Why do you have a password with your grocery store? For coupon offers? Online shopping? newsletters?

Re:Doesn't surprise me. (1)

lattyware (934246) | about 2 years ago | (#41412119)

Online shopping.

Re:Doesn't surprise me. (1)

Jeng (926980) | about 2 years ago | (#41404043)

emails you your password in plaintext if you say you forgot it.

Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

Also, what would be the best method?

The company I work for isn't very tech literate and could probably use some pointers.

Re:Doesn't surprise me. (1)

Neil_Brown (1568845) | about 2 years ago | (#41404219)

what are the alternatives to sending the password as text in an email?

I am no expert in the field, but I would have thought that the password should be stored in salted and hashed form. Anyone compromising that database gets a list of encrypted passwords — it does not help them determine the characters which need to be entered into the system to gain access, unless the algorithm and salt is compromised too.

Instead of sending the user a password, the user should be emailed a link to an online portal for creating a new password, which gets salted and hashed, and this resulting hash stored in the password database.

Re:Doesn't surprise me. (2)

LunaticTippy (872397) | about 2 years ago | (#41404241)

Password should never be stored as text. Hash only, so nobody can know what it is, only if it matches.
If you forget, you answer secret questions and a one-time password is emailed to your registered email address.

Re:Doesn't surprise me. (2)

SolitaryMan (538416) | about 2 years ago | (#41404245)

Ok, call me stupid, but what are the alternatives to sending the password as text in an email?

First, the password should not be stored on their servers as plain text in the first place. Salted hashed should.

Also, what would be the best method?

The company I work for isn't very tech literate and could probably use some pointers.

Back when I was developing something like this, the "best by consensus" thing was to send some kind of one time password. We generated these passwords like encrypt_with_company_current_private_key(USER_ID + TIMESTAMP + GIBBERISH). USER_ID allows you to identify the user, timestamp allows you to limit how long this thing can be used and GIBBERISH is just to add some noise (not sure it is helpful though, I'm not a cryptography expert).

Re:Doesn't surprise me. (1)

lattyware (934246) | about a year ago | (#41404573)

The basic idea is knowing your user's password is bad. The reality is users use the same passwords in multiple places, and if your site is compromised in any way, you don't want to leak those passwords. Fortunately, we don't actually need to know the user's password - all we need to do is know if it's the same each time. This is where hashes come in - we store a hash (a one way function that gives us the same result each time for the same input, but doesn't tell you what the input was) of the password, and then hash their attempts and compare. Strong hashes and salts are a good idea to defend against many attacks, but the short answer is, use BCrypt [wikipedia.org].

As to forgetting their password - again, we don't actually need to tell them it, just to give them access to their account back. We can do this by generating a one-time-password (a random UUID, for example) and then emailing them a link to reset their password using this. This allows them to access their account, without sending a password in plaintext.

Re:Doesn't surprise me. (1)

sjames (1099) | about a year ago | (#41405883)

The complaint isn't that they sent a password in email, the problem is that they send you your original password and to do that they must have it stored in plain text in the database.

The correct way to do it is store passwords as a hash and if you forget it, they set a temporary password and email that to you (or a password reset link).
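The flow described in the replies above (Neil_Brown, SolitaryMan, lattyware and sjames): store only a salted hash, and on "forgot password" email a one-time, expiring reset token rather than the password itself. The following is an added example written for this thread, not code from any of the posters or from Virgin Mobile. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the BCrypt lattyware recommends, keeps an in-memory dictionary as a stand-in for the user database, and the iteration count and token lifetime are assumptions to be tuned.

```python
"""Salted password hashing plus a one-time reset-token flow (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stores standing in for a real database.
USERS: Dict[str, Dict[str, bytes]] = {}          # username -> {"salt", "hash"}
RESET_TOKENS: Dict[str, Dict] = {}               # sha256(token) -> {"user", "expires"}

PBKDF2_ITERATIONS = 600_000     # assumption: tune so one hash takes ~100 ms on your servers
RESET_TOKEN_TTL = 15 * 60       # assumption: a reset link is valid for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def set_password(username: str, password: str) -> None:
    """Store only salt + hash; the plaintext never touches the store."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, attempt: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(attempt)      # burn the same time so timing does not reveal unknown users
        return False
    _, digest = hash_password(attempt, record["salt"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset token. The plaintext token goes into the emailed link;
    only its SHA-256 is stored, so a leaked token table cannot be used directly.
    Returns None for unknown users; the caller should send the same generic
    "if that account exists, an email is on its way" reply either way."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, unguessable
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TOKEN_TTL}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use) and, if it is still valid, set the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)          # pop: a token can be redeemed once at most
    if entry is None or now > entry["expires"]:
        return False
    set_password(entry["user"], new_password)    # re-hashed with a brand-new salt
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    tok = issue_reset_token("alice")
    print("reset link token:", tok)
    print("redeemed:", redeem_reset_token(tok, "new passphrase"))
    print("login with new passphrase:", verify_password("alice", "new passphrase"))
```

The two properties the thread asks for are both visible here: the store holds nothing that can be emailed back to the user, and the reset link carries a random token that expires and dies on first use, so intercepting an old reset email gains nothing.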

Re:Doesn't surprise me. (0)

Anonymous Coward | about a year ago | (#41404487)

Santander in Brazil limits their Internet passwords to 8 alphanumeric characters. How about that?

Re:Doesn't surprise me. (1)

alvarogmj (1679584) | about 2 years ago | (#41410347)

Same in Uruguay. They changed their system a few years back, and when they changed it, the password for the new system was the same as the old one, truncated to 8 characters. Both systems allowed only certain characters, but at least the old one allowed me to have longer passwords.

Let me repeat in case the horror was not clear enough: they migrated the accounts to the new system, they reduced the maximum password length, and automatically set the passwords in the new system to the first 8 characters of the old system's password.

Re:Doesn't surprise me. (0)

Anonymous Coward | about a year ago | (#41405965)

Um, in Australia Virgin lock the account on the third failed attempt, and require a phone call.

Re:Doesn't surprise me. (1)

firex726 (1188453) | about a year ago | (#41404367)

I wish I had that, my CC company has a max of 6 characters.
I assume someone sent the design doc to the developer and mixed up MINIMUM and MAXIMUM.

Re:Doesn't surprise me. (0)

Anonymous Coward | about 2 years ago | (#41406419)

I wish my credit card company allows 6 digits. They imposed a 4 digits limit!

Re:Doesn't surprise me. (1)

firex726 (1188453) | about 2 years ago | (#41408987)

I assume you meant pin?
This is for their online payment site.

Re:Doesn't surprise me. (1)

halcyon1234 (834388) | about 2 years ago | (#41411933)

I'm not surprised security isn't strong - given the Virgin Media (ISP) account puts a 10 character limit on your password. Seriously. 10 is woefully short as a maximum.

You think that's sad? Go to their mobile phone account site [virginmobile.ca]. You know how you log in? Enter your phone number (public information), followed by a FOUR DIGIT PIN. Yes, I used bold, italic, and underlined for that. The ONLY thing standing between you and someone with your phone number being an asshole is, at most, 10,000 possible numbers. Surely no one could brute force 10,000 numbers!!!!

Hard-Coded password? (0)

Anonymous Coward | about 2 years ago | (#41403283)

There is nothing about hard coded password on the news release:
http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

It's all about short numeric only password with no attempt limitation.

The Title (2, Funny)

Anonymous Coward | about 2 years ago | (#41403317)

It's a shame we can't mod the title funny, innit?

Virgins? (4, Funny)

bhagwad (1426855) | about 2 years ago | (#41403327)

I read this as "Six million virgins vulnerable to brute force attack :D"

Re:Virgins? (0)

Anonymous Coward | about 2 years ago | (#41403485)

That's only enough for 83333 Islamic Jihadist martyrs

Re:Virgins? (2)

colesw (951825) | about 2 years ago | (#41403599)

And on that note

http://www.viruscomix.com/page462.html [viruscomix.com]

Re:Virgins? (1)

Robert Zenz (1680268) | about 2 years ago | (#41404173)

I like how her belt-snake falls asleep...neat little subtlety.

Re:Virgins? (1)

Larryish (1215510) | about 2 years ago | (#41404193)

You know, those 72 virgins weren't female, right?

Re:Virgins? (2)

kiriath (2670145) | about a year ago | (#41404273)

Doh!

Re:Virgins? (0)

Anonymous Coward | about 2 years ago | (#41404209)

Whoever said it'd be "different" 72 virgins for each martyr?
The untold secret around the virgins in heaven is, they stay virgin for eternity :P

Re:Virgins? (2)

SternisheFan (2529412) | about a year ago | (#41404499)

Whoever said it'd be "different" 72 virgins for each martyr? The untold secret around the virgins in heaven is, they stay virgin for eternity :P

The word "virgins" may be a mis-translation, I've read. The actual word may actually be "raisins". Blow yourself up in a terror attack, and all you'll get for it in the next life is 72 raisins. That sounds about right.

Re:Virgins? (1)

galanom (1021665) | about 2 years ago | (#41414489)

They can keep their virginity after sex? How? Oral?

Legitimate Brute Force Attack (-1)

Anonymous Coward | about 2 years ago | (#41403347)

My republican friends tell me that if it's a legitimate brute force attack, women's bodies have ways to shut the whole thing down.

I'm not sure why republicans are so insistent that women be blamed for a rape in which she is impregnated, and then forced by Mitt Romney and Paul Ryan to give birth to the rapist's baby... but there it is....

Re:Legitimate Brute Force Attack (0)

who_stole_my_kidneys (1956012) | about 2 years ago | (#41403923)

ill re-write that for ya.... My republican friends tell me that if it's a legitimate brute force attack,women's bodies have ways to shut the whole thing down. But as a man i have not way to shutdown the bruit force attack of stupidity when i hear Romney speak.

Re:Legitimate Brute Force Attack (1)

mcgrew (92797) | about a year ago | (#41404257)

ill re-write that for ya

Agreed, if you rewrote it it would indeed be ill. Can't you fucking kids follow conventions for the sake of clear communications, or are you doing like Microsoft does and making up your own "standards"? Not capitalizing the "I" wasn't the only thing about the way you wrote your comment that made you look like a retarded ten year old.

Get your GED, kid, so you don't come across as such a moron.

Brute Force... (-1)

Anonymous Coward | about 2 years ago | (#41403359)

I thought all cell phones were vulnerable to brute force attacks. This is easily verifiable by throwing any cell phone on the ground then hitting the cell phone repeatedly with a sledgehammer.

No, I didn't read the summary, nor TFA.

Re:Brute Force... (1)

Jeng (926980) | about 2 years ago | (#41404081)

You will not get any data that way.

Yes, you may DOS the phone, but what good does that do you?

Penetration Testing? (5, Funny)

InvisibleClergy (1430277) | about 2 years ago | (#41403371)

I would have thought that Virgin would be less vulnerable to penetration.

Re:Penetration Testing? (0)

Anonymous Coward | about 2 years ago | (#41403487)

Ghost mod points to you, good sir.

Re:Penetration Testing? (4, Funny)

judoguy (534886) | about 2 years ago | (#41403643)

Not less vulnerable, just less experienced.

Re:Penetration Testing? (4, Funny)

marcello_dl (667940) | about 2 years ago | (#41403645)

Like a Virgin,
Hacked for the very first time,

Like a Viiiiirgin
Feel your host ping
next tooooo miiiiine....

Re:Penetration Testing? (2)

al.caughey (1426989) | about 2 years ago | (#41403953)

I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

Re:Penetration Testing? (1)

Anonymous Coward | about a year ago | (#41404577)

I expect that anything that is mobile is more difficult to penetrate... virgin or otherwise

Although rolling donuts have often been targeted.

They used cookies (2)

Spy Handler (822350) | about 2 years ago | (#41403439)

for failed login attempt checks. This can be bypassed simply by using a different cookie each time, and brute-forcing can take place.

They should've used an IP-based check maybe?

Re:They used cookies (0)

Anonymous Coward | about 2 years ago | (#41403463)

What about locking the account until the client calls user support if there is more that 5 failures?

Re:They used cookies (1)

skids (119237) | about 2 years ago | (#41403841)

Their support line can tell if you are calling from one of their phones. They could just put an "unlock my account" button in their account maintenance menu on the phone.

Re:They used cookies (1)

Spy Handler (822350) | about 2 years ago | (#41403863)

Yeah, those are pretty common. But personally they annoy me because anyone can DOS your account.

This is what happened to me: somebody tried to log into my online game account (called MapleSEA) and failed multiple times, so my account got locked down automatically. I had to call them on the phone (they're located in Singapore) and try to convince them that I'm the real owner and that they should open my account again. Which was not easy because they wanted my national ID number, which I don't have because I'm not a Singaporean... (when I initially registered, I just made up a fake one which I couldn't remember).

I think an IP-based login tracking system would be better to prevent this type of a hassle. Every time a failed login attempt takes place, system keeps track of the IP address. After X number of failed logins from that IP address, system bans that IP address for, say, 60 minutes.

Re:They used cookies (1)

galanom (1021665) | about 2 years ago | (#41414515)

There is no need to permanently lock it. An hour would be enough.

Re:They used cookies (2)

skids (119237) | about 2 years ago | (#41403737)

Having been in the recesses of their website as a customer, this does not surprise me at all. The deeper past the front page you go, the more the whole thing has the feel of something somebody's cousin "who's good with computers" threw together.

Re:They used cookies (0)

Anonymous Coward | about a year ago | (#41405487)

Nowadays, botnets make IP-based blocks somewhat useless. Most sites just lock the account if there are too many failed password attempts. An alternative is to have an increasing cool-down time after each failed attempt.

This is fixed now (4, Informative)

diversiform (1085477) | about 2 years ago | (#41403481)

according to Kevin Burke [inburke.com] who originally found the issue (scroll down to "Wednesday morning").

Re:This is fixed now (3, Informative)

140Mandak262Jamuna (970587) | about 2 years ago | (#41403949)

Apparently the fix was to lock the user out after four failed login attempts. But they relied on cookies to count the number of failed logins. So all you have to do is to clear the cookies and you can make four more attempts. It is worse than stupid. Looks like these clowns have no clue about how the real world works. Their CIO should be fired.

Re:This is fixed now (0)

Anonymous Coward | about a year ago | (#41405657)

That was only the initial "fix." Apparently their later fix didn't depend on cookies. Burke's latest update says "This fixes the main vulnerability I disclosed Monday."

Re:This is fixed now (1)

SternisheFan (2529412) | about a year ago | (#41404403)

according to Kevin Burke [inburke.com] who originally found the issue (scroll down to "Wednesday morning").

So now a hacker will get a pop 404 page after 20 successful attempts, according to the updated info. My question: Will Virgin Mobile be sending the intended victim's phone a text alerting them that these attempts were made?
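The "They used cookies" and "This is fixed now" sub-threads make two points: a failed-attempt counter carried in a client cookie is reset whenever the client simply stops sending the cookie, and a hard account lock that needs a phone call lets anyone lock you out of your own account. The following added example (written for this thread, not Virgin Mobile's code or anyone else's) contrasts the cookie-carried counter with a server-side counter keyed on the account, and uses a growing cool-down capped at an hour, as galanom and the Anonymous Coward at the end of that sub-thread suggest, instead of a permanent lock. The attempt limits and delays are assumptions.

```python
"""Login throttling: client-cookie counter (flawed) vs server-side per-account cool-down."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

FREE_ATTEMPTS = 3        # assumption: failures tolerated before any cool-down applies
BASE_DELAY = 30.0        # assumption: seconds of cool-down after the first excess failure
MAX_DELAY = 60 * 60.0    # assumption: cool-down never exceeds one hour, so no support call needed


def cookie_counter_allows(cookie_failures: Optional[int], limit: int = 4) -> Tuple[bool, int]:
    """The flawed design from the thread: the failure count lives in the client's cookie.
    A client that sends no cookie (None) is indistinguishable from a first-time visitor,
    so the count silently restarts at zero. Returns (allowed, value to set in the cookie)."""
    count = 0 if cookie_failures is None else cookie_failures
    return count < limit, count + 1


@dataclass
class Throttle:
    """Server-side state keyed on the account being attacked, not on the client."""
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # account -> (count, locked_until)

    def allowed(self, account: str, now: float) -> bool:
        _, locked_until = self.failures.get(account, (0, 0.0))
        return now >= locked_until

    def record_failure(self, account: str, now: float) -> float:
        """Bump the counter; past FREE_ATTEMPTS the cool-down doubles each time, capped at MAX_DELAY.
        Returns the time until which attempts on this account are refused."""
        count, _ = self.failures.get(account, (0, 0.0))
        count += 1
        excess = count - FREE_ATTEMPTS
        locked_until = 0.0 if excess <= 0 else now + min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)
        self.failures[account] = (count, locked_until)
        return locked_until

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


def attempt_login(throttle: Throttle, account: str, pin: str, now: float,
                  check_pin: Callable[[str, str], bool]) -> str:
    """Returns "throttled", "ok" or "bad-credentials". The check_pin callback stands in
    for a real credential verifier (hypothetical)."""
    if not throttle.allowed(account, now):
        return "throttled"            # refuse without even checking the PIN during cool-down
    if check_pin(account, pin):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad-credentials"


if __name__ == "__main__":
    # Constructed sample account; the PIN format mirrors the thread's 6-digit description.
    sample = {"5551234567": "123456"}
    t = Throttle()
    verifier = lambda acct, p: sample.get(acct) == p
    for i, guess in enumerate(["000000", "000001", "000002", "000003", "123456"]):
        print(i, guess, attempt_login(t, "5551234567", guess, now=float(i), check_pin=verifier))
```

Because the cool-down grows per excess failure and is capped, a stranger hammering your number can slow you down for at most an hour at a time rather than locking you out until you reach a call centre, while the guess rate available against any one account collapses after the first few failures. A deployment would also want the success path to tell the real owner that failures occurred, which is the alert SternisheFan asks about above.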

Virgin Penetration is Easy (0)

BoRegardless (721219) | about 2 years ago | (#41403497)

Last time it was tried.

Re:Virgin Penetration is Easy (1)

who_stole_my_kidneys (1956012) | about 2 years ago | (#41403865)

I have to disagree with you there. It's 6 months or longer of hand holding, cuddling, spooning, excessive making out, then when you finally get to penetrating it's "slow down" or "ouch" and just unpleasant for both parties. That's how I remember it.

Re:Virgin Penetration is Easy (1)

Jeng (926980) | about 2 years ago | (#41404171)

Yea, hooking up with someone who knows what they're doing is a good thing.

And it's a good thing that she knew what she was doing, cause I sure as hell didn't.

Re:Virgin Penetration is Easy (2)

Sulphur (1548251) | about 2 years ago | (#41404229)

Last time it was tried.

Great in rehearsal.

Security is a big problem in this industry (1)

geekfarmer (2076616) | about 2 years ago | (#41403523)

Quick poll, is vulnerable to brute-force attacks better or worse than T-Mobile's "email me my existing password in plaintext" forgot-password feature? (Yes, T-Mobile uses your phone number as your username too.)

Re:Security is a big problem in this industry (1)

reve_etrange (2377702) | about a year ago | (#41404677)

But can your password be something other than 6 numbers? Because that's how VM works.

Thank you slashdot for warning. (-1)

Anonymous Coward | about 2 years ago | (#41403529)

I think I speak for most of slashdotters (Virgins and some mobile users), we will be aware of possible Brute-Force sexual attacks.
Guys, do not go out tonight, stay in your basements!

VM Not the Worst By Any Shot (1)

mk1004 (2488060) | about 2 years ago | (#41403693)

Forget VM, Boost Mobile forces the username to be your 10-digit mobile number and the password to a 4-digit number that you select.

Re:VM Not the Worst By Any Shot (1)

reve_etrange (2377702) | about a year ago | (#41404691)

The only difference is two digits (VM passwords are 6 numbers).

Re:VM Not the Worst By Any Shot (1)

WinstonWolfIT (1550079) | about a year ago | (#41405825)

A hundred times harder to brute force says it'll take 100 seconds rather than one. That's 100 times better, right?

Re:VM Not the Worst By Any Shot (1)

reve_etrange (2377702) | about 2 years ago | (#41408461)

More like 100 times 0, in terms of "better."

Niggers (-1)

Anonymous Coward | about 2 years ago | (#41403809)

Only they are brutes enough to do this.

virgins? Brute force? (0)

nurb432 (527695) | about 2 years ago | (#41403831)

Where am i, is this not slashdot?

Re:virgins? Brute force? (1)

rbrausse (1319883) | about 2 years ago | (#41404039)

this is the NEW /. - Dice is digging (ha!) up new revenue sources

No way. They used strong password. (0)

140Mandak262Jamuna (970587) | about 2 years ago | (#41403899)

Apparently they used passwords that are super strong and was guaranteed by a French bank, Swype account administrator. So this story is pure fiction. I tell you no one would believe what that password is if someone told them "this is the password for the french bank swype account portal." It was that incredible.

modm up (-1)

Anonymous Coward | about 2 years ago | (#41404169)

We're guessing, no one's got their phone numbers. (2)

Impy the Impiuos Imp (442658) | about a year ago | (#41404345)

When asked about their vulnerability to brute force attacks, the six million people said, "This must be what the Slashdot people felt like in high school."

I figured that. (1)

UltraZelda64 (2309504) | about a year ago | (#41405477)

I guessed this when I first started using their service late last year. Your account "login" information is simply your real 10-digit phone number, and your "password" is just a 6-digit PIN. Everything you need to enter it is right there, on the numpad (with the exception of Tab). SMS spammers guess people's phone numbers and carriers to successfully send unwanted messages through e-mail; surely if they wanted to bad enough it wouldn't be too difficult to guess or do a brute-force attack on the six-digit string of digits protecting it.

Seriously, I was (and still am) shocked how such a poor system could be put into place in 2011/2012. They could at least set up two-factor authentication if they're going to have such a piss-poor username/password system, and require their primary authentication phone number to be another phone line so, you know... if the phone connected to the account is lost and/or stolen no one can get into your account before you do. And the secondary authenticator could optionally be the phone number of the account/phone in question to make personally logging into your account and checking your info easier--but as soon as the phone is labeled missing, it would immediately be rendered useless for receiving any codes to log in. Virgin Mobile already nags you with text messages and e-mails constantly as your month of service comes to an end; sending an occasional text message with an account authentication code shouldn't hurt too badly.

Really though... the whole system needs to be rethought. At the very least, allow lowercase letters and more than six characters in the password. And while they're at it, why not allow capital letters and a few special characters? Of course, the problem then would be that when you call customer support, "verifying" that you're you wouldn't be as simple as asking "What's your phone number and your 6-digit account PIN?"

I just think it's funny that the guy who blogged about it had to write a script to brute-force his own account to "verify" that he was right, then finally call Sprint, and publicly write about it when they didn't do anything about it. Do you REALLY need to verify that a 6-digit PIN attached to a phone number is easily guessable? And as scummy as telecommunications companies are, does anyone really expect to get to someone who will actually forward the message over to someone else higher up who might potentially actually *do* something?

Re:I figured that. (0)

Anonymous Coward | about a year ago | (#41405933)

When I tried VM, the pin defaulted to the birthday you gave them when you signed up. That reduces the key space significantly. I set up a Perl script to brute force the account pin of a phone I bought on craigslist.

As bad as the security was, I left because of the terrible call and data coverage.

Confused (1)

WinstonWolfIT (1550079) | about a year ago | (#41405797)

Isn't the entire modern world vulnerable to brute force attacks? Isn't that the definition of what to do when you can't reasonably narrow down the choices?

All Sprint users are vulnerable (1)

gelfling (6534) | about 2 years ago | (#41406783)

To Sprint's horrendously bad network.

Passphrases (0)

Anonymous Coward | about 2 years ago | (#41461061)

Believe me, I am not a computer wizard by any means, but when Virgin insisted on a 6 digit numeric only passphrase I was shocked. I have logged onto other sites and used passphrases that were commented as being very high as far as security, using both upper and lower case letters as well as numerals and symbols. I hope they change this soon; I will feel much better/safer.
