2012-09-17

Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open

tl;dr Anyone who knows your Virgin Mobile phone number can:



  • see who you’ve been calling and texting,
  • change the handset associated with your number,
  • change your address, your email address, or your password,
  • purchase a handset on your behalf


There is no way to defend against this attack.


The first sentence of Virgin Mobile’s privacy policy announces that “We [Virgin] are strongly committed to protecting the privacy of our customers and visitors to our websites at www.virginmobileusa.com.” Imagine my surprise to find that pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number.


I reported the issue to Virgin Mobile a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly.


The vulnerability


Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means that there are only one million possible passwords you can choose.


Screenshot of Virgin Mobile login screen


This is horribly insecure. Compare a 6-digit number with a randomly generated 8-character password containing uppercase letters, lowercase letters, and digits: the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all one million possible PINs, easily determining anyone’s PIN within a day. I verified this by writing a script to “brute force” the PIN of my own account.


The scope


Once an attacker has your PIN, they can take the following actions on your behalf:




  • Read your call and SMS logs, to see who’s been calling you and who you’ve been calling
  • Change the handset associated with an account, and start receiving calls/SMS that are meant for you. They don’t even need to know what phone you’re using now. Possible scenarios: long distance calls to Bulgaria, texts to or from lovers or rivals, “Mom I lost my wallet on the bus, can you wire me some money?”
  • Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card
  • Change your PIN to lock you out of your account
  • Change the email address associated with your account (which only texts your current phone, instead of sending an email to the old address)
  • Change your mailing address
  • Make your life a living hell




How to protect yourself


There is currently no way to protect yourself from this attack. Changing your PIN doesn’t work, because the new one would be just as guessable as your current PIN. If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn’t like you. For the moment I suggest vigilance, deleting any credit cards you have stored with Virgin, and considering switching to another carrier.


What Virgin should do to fix the issue


There are a number of steps Virgin could take to resolve the immediate, gaping security issue. Here are a few:



  • Allow people to set more complex passwords, involving letters, digits, and symbols.
  • Freeze an account after 5 failed password attempts, and require the customer to provide more personal information before unfreezing it.
  • Require both your PIN and access to your handset to log in. This is known as two-step verification.


In addition, there are a number of best practices Virgin should implement to protect against bad behavior, even if someone knows your PIN:



  • Provide the same error message when someone tries to authenticate with an invalid phone number as when they try to authenticate with a valid phone number but an invalid PIN. Based on the response to the login, I can currently determine whether a number is a Virgin number or not, making it easy to find targets for this attack.
  • Any time an email or mailing address is changed, send a mail to the old address informing the customer of the change, with a message like “If you did not request this change, contact our help team.”
  • Require a user to enter their current ESN, or provide information in addition to their password, before changing the handset associated with an account.
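As an added example (not Virgin Mobile’s or this post’s own code), here is a small Python account service that applies the controls from both lists above in one place: a password policy that a 6-digit PIN cannot satisfy, a freeze after five failed attempts, one generic error for unknown numbers and wrong passwords (with the same hashing work spent on every path, so timing does not leak what the message hides), a notice to the old address when the email changes, and a current-ESN check before a handset change. The phone number, ESN strings, email addresses and the limit of 5 attempts are constructed assumptions, and the “mail gateway” is just a list.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Added illustration, not Virgin Mobile's code. Policy constants are assumptions.
MAX_FAILED_ATTEMPTS = 5
GENERIC_ERROR = "Invalid phone number or password."
DUMMY_SALT = b"\x00" * 16   # spend the same hashing effort when the number is unknown
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    phone: str
    salt: bytes
    pw_hash: bytes
    email: str
    esn: str                 # handset identifier on file (constructed value)
    failed_attempts: int = 0
    frozen: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a leaked table cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_is_strong(password: str) -> bool:
    """Reject anything a 6-digit PIN would satisfy: at least 8 characters with
    a letter, a digit and a symbol (the exact policy is an assumption)."""
    return (
        len(password) >= 8
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # (recipient, body) pairs; stands in for a real mail gateway
        self.sent_mail: list[tuple[str, str]] = []

    def register(self, phone: str, password: str, email: str, esn: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self.accounts[phone] = Account(phone, salt, hash_password(password, salt), email, esn)

    def login(self, phone: str, password: str) -> tuple[bool, str]:
        """Returns (ok, message). Every failure returns GENERIC_ERROR and the hash
        is computed on every path, so neither the text nor the timing reveals
        whether the number belongs to a customer or whether the account is frozen."""
        acct = self.accounts.get(phone)
        candidate = hash_password(password, acct.salt if acct else DUMMY_SALT)
        if acct is None or acct.frozen:
            return False, GENERIC_ERROR
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts = 0
            return True, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Frozen until the customer proves identity out of band; a guesser
            # now gets at most 5 tries against the 10^6 PIN space, not all of it.
            acct.frozen = True
        return False, GENERIC_ERROR

    def change_email(self, phone: str, new_email: str) -> None:
        """Notify the OLD address so a hijacked change is visible to the owner."""
        acct = self.accounts[phone]
        old_email, acct.email = acct.email, new_email
        self.sent_mail.append((
            old_email,
            f"Your account email was changed to {new_email}. "
            "If you did not request this change, contact our help team.",
        ))

    def change_handset(self, phone: str, current_esn: str, new_esn: str) -> None:
        """Moving the number to a new handset requires the ESN already on file."""
        acct = self.accounts[phone]
        if not hmac.compare_digest(current_esn.encode(), acct.esn.encode()):
            raise PermissionError("current ESN does not match the handset on file")
        acct.esn = new_esn


if __name__ == "__main__":
    svc = AccountService()
    svc.register("5551234567", "correct-horse-9!", "old@example.com", "ESN-OLD")  # constructed
    print(svc.login("5551234567", "123456"))   # (False, 'Invalid phone number or password.')
    print(svc.login("0000000000", "123456"))   # identical message for an unknown number
```

The point of the single error string and the always-run hash is the first item of the second list: a login endpoint that answers differently for “no such number” and “wrong PIN” is an oracle for which numbers are worth attacking, and the lockout counter is what turns a million guesses into five.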


History of my communication with Virgin Mobile


I tried to reach out to Virgin and tell them about the issue before disclosing it publicly. Here is a history of my correspondence with them.




  • August 15 – Reach out on Twitter to ask if there is any other way to secure my account. The customer rep does not fully understand the problem.
  • August 16 – Brute force access to my own account, validating the attack vector.
  • August 15-17 – Reach out to various customer support representatives, asking if there is any way to secure accounts besides the 6-digit PIN. Mostly confused support reps tell me there is no other way to secure my account. I am asked to always include my phone number and PIN in replies to Virgin.

    Email screenshot of Virgin asking me to include my PIN

  • August 17 – Support rep Vanessa H escalates the issue to headquarters after I explain I’ve found a large vulnerability in Virgin’s online account security. Steven from Sprint Executive and Regulatory Services gives me his phone number and asks me to call.
  • August 17 – I call Steven and explain the issue; he can see the problem and promises to forward it on to the right team, but will not promise any more than that. I ask to be kept in the loop as Virgin makes progress investigating the issue. In a followup email I provide a list of actions Virgin could take to mitigate the issue, mirroring the list above.
  • August 24 – Follow up with Steven, asking if any progress has been made. No response.
  • August 30 – Email Steven again. Steven writes that my feedback “has been shared with the appropriate managerial staff” and “the matter is being looked into”.
  • September 4 – I email Steven again explaining that this response is unacceptable, considering this attack may be in use already in the wild. I tell him I am going to disclose the issue publicly and receive no response.
  • September 13 – I follow up with Steven again, informing him that I am going to publish details of the attack in 24 hours, unless I have more concrete information about Virgin’s plans to resolve the issue in a timely fashion.
  • September 14 – Steven calls back to tell me to expect no further action on Virgin Mobile’s end. Time to go public.








via Kevin Burke http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+kburke+%28Kevin+Burke%29
