Kevin Burke, an independent developer, has warned Virgin Mobile USA customers about a serious security issue in the phone company's account login protocol.
"If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you," he stated. "There is no way to defend against this attack."
Burke explains on his blog that because Virgin Mobile requires all users to log in with their phone number and a six-digit PIN, only one million passwords are possible. It is trivial to write a program that checks all one million combinations and determines anyone’s PIN within 24 hours.
Burke used this brute force method to easily hack into his own account.
"Anyone who knows your Virgin Mobile USA phone number can: see who you’ve been calling and texting, change the handset associated with your number, change your address, your e-mail address or your password [or] purchase a handset on your behalf," the post announced.
Burke raised these issues with parent company Sprint by phone and e-mail, but he was reportedly ignored and his concern was dismissed. He therefore decided to expose the flaw to the public.
Burke first warned Virgin Mobile about the problem on August 17. He believes this method of account hacking is already being employed. Now that the seriousness of the issue has been publicized, Virgin Mobile will likely be forced to change its login procedure.
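One login-procedure change that addresses the one-million-PIN keyspace described above, shown as an added example (not code from Burke's post or from Virgin Mobile): a per-account throttle that locks a phone number after repeated wrong PINs, with a simulation of how long trying every PIN then takes. The policy values, class and function names, and the sample phone number are assumptions made for illustration.

```python
from dataclasses import dataclass, field

KEYSPACE = 10 ** 6            # six decimal digits, as the article describes
MAX_FAILURES = 5              # assumed policy: wrong PINs allowed before a lock
BASE_LOCK_SECONDS = 60        # assumed policy: first lock; doubles on each repeat
MAX_LOCK_SECONDS = 24 * 3600  # assumed policy: cap on a single lock


@dataclass
class AccountState:
    failures: int = 0         # wrong PINs since the last success or lock
    locks: int = 0            # number of locks applied so far
    locked_until: float = 0.0


@dataclass
class PinThrottle:
    """Keyed by phone number, not client IP, so rotating addresses does not help."""
    accounts: dict = field(default_factory=dict)

    def attempt(self, phone: str, pin_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        st = self.accounts.setdefault(phone, AccountState())
        if now < st.locked_until:
            return "locked"   # PIN result is ignored while the account is locked
        if pin_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # Exponent is clamped so the doubling stays a small integer.
            lock = min(BASE_LOCK_SECONDS * 2 ** min(st.locks, 16), MAX_LOCK_SECONDS)
            st.locked_until, st.locks, st.failures = now + lock, st.locks + 1, 0
        return "denied"


def seconds_to_exhaust(keyspace: int = KEYSPACE, phone: str = "5550100") -> float:
    """Simulate one wrong guess per second until every PIN has been tried.

    The default phone number is a constructed sample value."""
    throttle, now, tried = PinThrottle(), 0.0, 0
    while tried < keyspace:
        if throttle.attempt(phone, pin_ok=False, now=now) == "locked":
            now = throttle.accounts[phone].locked_until   # wait out the lock
        else:
            tried, now = tried + 1, now + 1.0
    return now


if __name__ == "__main__":
    years = seconds_to_exhaust() / (365 * 24 * 3600)
    print(f"worst case to try all {KEYSPACE} PINs: {years:.0f} years")
```

A per-account lock can itself be triggered deliberately to keep the owner out, so it complements a larger secret space rather than replacing it.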
In the meantime, Burke suggests users take all necessary precautions to protect themselves from account intruders. It is recommended that they delete all credit cards on file and switch to another phone service. The issue appears to primarily affect logins on the company's site, virginmobileusa.com.
Virgin Mobile has yet to respond to the requests made, nor has the company come up with a security update.
Edited by Braden Becker