
Virgin Mobile leaves six million subscriber accounts wide open - stanleydrew
http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/?
======
mortenjorck
I simply don't understand how brute-forcing can remain a problem today. It
seems like such a trivial implementation detail to freeze account access after
a certain number of incorrect attempts – and yet most password security
guidelines still warn against what they consider brute-forceable passwords.

Could a security professional explain in non-domain-expert terms why this
practice isn't simply adopted everywhere?

~~~
colonelxc
I think that one of the reasons it is not implemented is because it is a
problem that isn't purely technical in nature. So you want to lock people's
accounts to prevent brute forcing? There are still a bunch of decisions (both
business and technical) before you can move forward.

1. User support. How willing are you to deal with increased need for customer
   support when they start locking themselves out of their accounts after a
   dozen failed attempts?
2. How do you keep track of the number of failed attempts? Another column in
   your database? I don't run any big websites, but it seems to me that if an
   attacker can cause a write to your DB for every POST he can throw at you,
   your website performance will suffer.
3. If it takes a dozen (or a hundred (or a thousand)) failed logins to lock an
   account, it would be trivial for an attacker to lock users out of their
   accounts, DOSing your site in a different way.
4. Ok, so we block IP addresses instead of accounts? Now we have to deal with
   issues of shared or easily changed IP addresses (or botnets that can afford
   to have hundreds of thousands of IPs blacklisted from a site and still keep
   brute forcing).

A lot of these issues are surmountable, but not until you do some basic threat
modeling to decide what you want to protect against.

Maybe you decide to focus on preventing attackers coming from one IP from
slamming your site, so you keep an in-memory table of the number of recent
failed logins and perform temporary bans. It won't protect against botnets,
but hopefully you are paying attention to what is happening on your site, and
can make changes if that becomes an issue.

> yet most password security guidelines still warn against what they consider
> brute-forceable passwords.

Your password should be hard to brute force, regardless of whether or not the
site protects itself from brute forced logins. The other big danger is that
someone hacks the site and gets a dump of password hashes. Then, it doesn't
matter what anti-brute force techniques the website is using if the attacker
can perform an offline brute force attack against your hashes.

~~~
robmil
Instead of freezing the account until it's unlocked by customer service, why
not just lock it for increasingly longer periods of time? 2 seconds after the
third failed attempt, 3 after the fourth, 5 after the sixth, 10 after the
seventh, etc.

Not too inconvenient for legitimate users trying to remember their passwords,
but it surely makes brute-forcing impossible (if by the 1,000th attempt they're
having to wait an hour between attempts).

~~~
tomp
That would still enable someone to DOS your website. A better way IMHO is to
limit the maximum timeout - say 1 or 10 seconds. This, compared with even
simple passwords that have slightly more than 1,000,000 combinations, would
mean hackers need days or weeks to crack passwords; in this time you should be
able to notice the attack.
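
An added worked example, not code from this thread or from any carrier,
combining the three proposals above: colonelxc's in-memory table of recent
failures, robmil's growing delays, and tomp's cap on the maximum wait. The
throttle is keyed on both the account and the source IP, applies capped
exponential backoff, and then simulates a single-IP attacker walking PINs in
order to show what the cap buys. The phone number, PIN, IP address and timing
constants are constructed for the demo; a real service would store a hash, not
the PIN, and would share the table across web nodes.

```python
import secrets
from dataclasses import dataclass


@dataclass
class _Entry:
    failures: int = 0      # consecutive failed attempts for this key
    not_before: int = 0    # earliest time another attempt is evaluated
    last_seen: int = 0


class LoginThrottle:
    """Capped exponential backoff keyed on any string (account id, client IP).

    Time is an integer supplied by the caller (the demo uses milliseconds).
    After `free_attempts` consecutive failures the key must wait
    base_delay * 2**(n - free_attempts - 1), capped at max_delay. The cap keeps
    deliberate failures against a victim's account from locking the real owner
    out for long (the DoS objection above) while still bounding the guess rate.
    """

    def __init__(self, free_attempts=3, base_delay=2_000, max_delay=10_000,
                 forget_after=3_600_000):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.forget_after = forget_after
        self._entries = {}  # in memory, not a column in the user database

    def _get(self, key, now):
        e = self._entries.get(key)
        if e is not None and now - e.last_seen > self.forget_after:
            del self._entries[key]  # lazy eviction keeps the table bounded
            e = None
        return e

    def wait_time(self, key, now):
        """Time the caller must still wait before an attempt is evaluated (0 = go)."""
        e = self._get(key, now)
        return 0 if e is None else max(0, e.not_before - now)

    def record(self, key, success, now):
        if success:
            self._entries.pop(key, None)  # a real login clears the history
            return
        e = self._get(key, now) or self._entries.setdefault(key, _Entry())
        e.failures += 1
        e.last_seen = now
        excess = e.failures - self.free_attempts
        if excess > 0:
            e.not_before = now + min(self.max_delay, self.base_delay * 2 ** (excess - 1))


# Constructed demo store: phone number -> PIN (a real service stores a hash).
ACCOUNTS = {"5551234567": "493201"}


def attempt_login(throttle, phone, pin, client_ip, now):
    """Return 'ok', 'bad_pin', or ('throttled', wait). Keyed on account AND IP."""
    keys = (f"acct:{phone}", f"ip:{client_ip}")
    wait = max(throttle.wait_time(k, now) for k in keys)
    if wait > 0:
        return ("throttled", wait)  # the PIN is not even compared
    ok = secrets.compare_digest(ACCOUNTS.get(phone, ""), pin)
    for k in keys:
        throttle.record(k, ok, now)
    return "ok" if ok else "bad_pin"


def simulate_bruteforce(budget_ms=3_600_000, rtt_ms=50, **throttle_kwargs):
    """Single-IP attacker walks 000000.. against one account, sleeping exactly
    as long as the throttle demands. Returns (pins_evaluated, found)."""
    throttle = LoginThrottle(**throttle_kwargs)
    now, n, evaluated = 0, 0, 0
    while now < budget_ms:
        result = attempt_login(throttle, "5551234567", f"{n:06d}", "203.0.113.7", now)
        if result == "ok":
            return evaluated + 1, True
        if isinstance(result, tuple):
            now += result[1]  # wait out the throttle, then retry
            continue
        evaluated += 1
        n += 1
        now += rtt_ms  # constructed round-trip time per request
    return evaluated, False


if __name__ == "__main__":
    for cap in (10_000, 1_000):
        guesses, _ = simulate_bruteforce(max_delay=cap)
        print(f"{cap / 1000:g}s cap: {guesses} guesses in the first hour")
```

With the 10 s cap the simulated attacker gets 365 guesses in the first hour
and about 360 an hour after that; with a 1 s cap it gets 3,603. Against the
993,240 PINs barrkel counts further down, that is roughly 115 days and 11.5
days respectively to be sure of a hit from one IP. The per-account key is
what bounds that, since an attacker with many IPs sidesteps the per-IP key;
the cap in turn bounds how long a deliberate failure storm can keep the real
owner out, which is the trade-off tomp is pointing at.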

~~~
jiggy2011
You would only be able to DOS individual accounts, rather than the whole
website. Do it by IP address; sure, at some point someone with a huge enough
botnet will be able to crack an account. But is it likely that someone will
use their entire botnet to crack a single user's password on some consumer
service?

~~~
noselasd
Depends on what you can do on that site. Around my part of the world:

* A phone/number that is redirecting a call pays for the redirected leg of the call.

This leads to a lot of creative hacking, trying to program a phone to
redirect calls to expensive service numbers or foreign numbers. And many
operators let you administer call redirection on their website.

------
jawns
My wife has Virgin Mobile and is happy with it, and I am (or was?) planning to
switch in a couple of months, once my AT&T contract runs out, so I really hope
they fix this pronto.

I think it's especially important that Virgin Mobile resolves this, since the
market share is basically theirs for the taking.

Their basic $35/mo. plan, which includes text and data, is great for my needs,
so I called AT&T and told them I was thinking of switching, but because I'd
been an AT&T customer for years, I was giving them a chance to match that kind
of offer. Not only did the rep basically say, "Nope, we can't come close to
matching that," but -- more surprisingly -- he had no script to say, "Here's
why you shouldn't switch to Virgin." Which says to me that AT&T isn't taking
Virgin seriously yet.

If Virgin Mobile can get its account security act together, I think it can
make pretty good in-roads against the bigger carriers.

~~~
thekillingtree
The only problem I ever had with VM (recently switched to StraightTalk) was
the phone selection. Phones are getting better, but you can't buy a different
phone and just use it on VM. At least sticking with SIM card phones you have
other options.

~~~
goggles99
This is not really a problem. Just pay a few bucks to someone off of
Craigslist (or spend a little time learning to do it yourself) to clone one of
their cheaper phones to one you buy (get one with a bad ESN because they are
cheaper) off of eBay or CL. It is really pretty easy.

------
peterwwillis
"Wide open" is factually incorrect if they still require you to guess the pin.

Why didn't the author also mention that since there's no e-mail address
associated with new prepaid accounts you can specify any e-mail you want the
first time you try to sign into the website? Seems like an easier exploit to
me.

Their network ACLs and support web apps are also swiss cheese. I wouldn't
really rely on a VM account for security.

~~~
BadassFractal
That doesn't make me feel great about two-factor authentication through my VM
phone.

~~~
peterwwillis
Good! This is just a better example of why SMS and non-encrypted-and-
authenticated connections for two factor are silly. If you use an HTTPS web
app for two-factor (or a pin-generating app, no network required) you should
be reasonably secure - unless some Android malware is in your phone.

------
barrkel
In case you're curious, the limitations around runs and sequences reduce the
keyspace to 993240 possibilities - that's assuming sequences both upwards and
downwards.

Be grateful they haven't reduced it further. If runs and sequences of length 3
were also banned, only 904728 would remain.
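
An added check of the figures above, not code from the thread: it enumerates
all 10^6 six-digit PINs once and counts those a policy would reject. It
assumes the policy bans any run of identical adjacent digits and any
consecutive ascending or descending sequence (no 9-to-0 wrap) of at least a
given length; with length 4 that reproduces 993,240, and with length 3 it
reproduces 904,728. The same filter, inverted, is the attacker's candidate
generator: every banned pattern is a PIN a brute-forcer need not send.

```python
from collections import Counter
from itertools import product


def longest_pattern(digits):
    """Longest stretch of adjacent digits that are all equal (a run) or that
    step by +1 (ascending) or -1 (descending). No wrap-around: 9,0 is a break."""
    best = 1
    for step in (0, 1, -1):
        length = 1
        for a, b in zip(digits, digits[1:]):
            if b - a == step:
                length += 1
                best = max(best, length)
            else:
                length = 1
    return best


def pattern_histogram(ndigits=6):
    """hist[L] = number of PINs whose longest run/sequence has length L.
    One pass over all 10**ndigits PINs, reused for every policy threshold."""
    hist = Counter()
    for digits in product(range(10), repeat=ndigits):
        hist[longest_pattern(digits)] += 1
    return hist


def keyspace(min_banned_len, hist=None):
    """PINs still allowed when runs and sequences of length >= min_banned_len
    are rejected (the assumed reading of the policy discussed above)."""
    hist = hist if hist is not None else pattern_histogram()
    return sum(count for length, count in hist.items() if length < min_banned_len)


def allowed_pins(min_banned_len, ndigits=6):
    """Attacker's view of the same rule: yield only PINs the policy accepts, in
    numeric order, so a brute-forcer never spends a request on a banned one."""
    for digits in product(range(10), repeat=ndigits):
        if longest_pattern(digits) < min_banned_len:
            yield "".join(map(str, digits))


if __name__ == "__main__":
    hist = pattern_histogram()
    for L in (4, 3):
        print(f"ban runs/sequences of length >= {L}: {keyspace(L, hist):,} PINs remain")
    first = allowed_pins(4)
    print("first PINs an attacker tries under the length-4 rule:",
          ", ".join(next(first) for _ in range(5)))
```

The point worth taking from the numbers: a pattern blacklist trims the
keyspace by under 1% at length 4 and by about 10% at length 3, so it buys
almost nothing against an unthrottled brute force while telling the attacker
exactly which guesses to skip. For a 6-digit PIN, rate limiting matters;
composition rules do not.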

~~~
mattdeboard
"I have altered our deal. Pray I do not alter it further."

------
Xcelerate
It's true. I just wrote some NodeJS code iterating pins 000000 through 999999
and it got into my account. (If anyone wants the code...)

~~~
klinquist
I'd like to compare it (speed) to my version using python+mechanize..

~~~
VBprogrammer
I'm intrigued as to why you think there would be a speed difference. If your
language of choice can't iterate around a loop faster than your network card
can push out a couple of network packets then I think you have some issues.

~~~
flatline3
Factor in RTT/latency and concurrency. There's no reason multiple requests
can't be in-flight at once, up to the point where you're overloading your
uplink or the server.

------
ryankask
I just sent this link to my partner who is a Virgin Mobile customer.

She couldn't open the page on her mobile browser. She said it said something
like "Restricted by Virgin."

Seems a bit strange. I will ask her to try again later.

EDIT: Kevin is actually talking about Virgin Mobile in the US. His domain,
however, is inaccessible to my partner who uses Virgin Mobile UK ("adult
restriction").

~~~
kevinburke
Wait. My website is blocked/censored in the UK? Can you email me with details?

~~~
RossM
It works for me on a non-Virgin IP. It may be Virgin Media (home broadband),
or Virgin Mobile (mobile internet) that blocks it.

~~~
kevinburke
On what grounds? Can you provide more detail? Would rather not have the site
be blocked if I can help it..

~~~
RossM
Sorry, I meant to point out that there are two possible ISPs that the user
might have trouble accessing it on. To my knowledge, no UK ISP blocks content
by an automatic or specific filter, aside from the Pirate Bay of course.

------
peterwwillis
If you all think this is a horrible breach of security, keep in mind that
voicemail systems usually let you keep guessing forever. (And usually let you
in with a spoofed caller-id number, but that's slightly less trivial)

If you want to try to break into your voicemail (or speed up guessing of PINs
for the website), use one of the 20 most commonly-used PINs on either of these
pages. One list even has 6-digit pins. Happy hacking!

http://www.datagenetics.com/blog/september32012/index.html
http://wiki.docdroppers.org/index.php?title=Breaking_into_cellphone_VMBs
http://amitay.us/blog/files/most_common_iphone_passcodes.php
https://docs.google.com/viewer?a=v&q=cache:w8orMsrdbScJ:www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security.pdf+&hl=en&gl=us&pid=bl&srcid=ADGEESjyqDEAMqEBpa0gkXXjOrs9frLLx1yWb_dIEXTcPkBdNqlIl10WSbGARExJDMP5ot9AMoJx7IAn-T8xHldp4AEBu3mBIhyJ4xPSfnsOvm0k3Ueb6bHSVQuLgI7r3z0w15MXMj0l&sig=AHIEtbTcQN9Ha8f3WaDtq4SOuLG9Qi9M5g&pli=1

------
georgemcbay
The login page on Virgin Mobile's USA site is totally non-functional right
now. I wonder if all the curious people trying to recreate this brute force
hack DDoSed the site.

While I'm a strong supporter of full disclosure, I'm iffy about this "hack"
because hitting any web site in an automated fashion approximately a million
times in one day is firmly in the very dark shade of gray areas.

------
lifebeyondfife
I'm a Virgin Media customer in the UK. My home internet connection stopped
working recently and (long story short) in dealing with trying to fix it, it
turns out my main login password for their service can be accessed by support
staff. This means the password is being stored in plaintext.

I was contacted to ask about how customer services dealt with me and I stated
how unbelievably insecure their (my!) data must be. This was the straw that
finally broke my password insecurity camel's back - I now use KeePass to
generate all my passwords.

I wonder if _any_ big telcos actually treat customer data appropriately?

~~~
jiggy2011
I use Virgin Media, but I'm not sure what you mean by 'password for the
service'.

AFAIK you don't need a password to access the internet, just plug the cable
modem in.

There is a password that you create which is used to call customer support,
but AFAIK it's only used by the call center.

It's also worth noting that Virgin Media has nothing to do with Virgin Mobile;
Virgin Media is still operated by the old Telewest/NTL, but they bought the
Virgin branding.

~~~
lifebeyondfife
I know the branding can act as a mask over different companies, e.g. Sony
VAIOs (http://www.pcpro.co.uk/news/357289/sony-announces-division-two-vaio-laptops).
As you point out we're going from US mobile to UK broadband. But the point of
the brand is to give consumers confidence in a consistent level of service,
and I thought it vaguely relevant to mention my experience.

Yes, by password for their service I mean the password chosen for my
@virginmedia.com login where I can access/pay bills, look at phone calls made
etc. I imagine if I had a TV package with them there would be other things I
could do via their website.

I was pretty shocked that anyone - staff or otherwise - had access to my
password.

------
dsl
The title and article are hyperbole. I tried it myself, as did a few other
people who commented on the article.

After a few attempts you can no longer use a PIN and must call in or use your
security question.

~~~
kevinburke
Not sure what you tried, but they haven't fixed the problem. I just tried 100
different random 6-digit passwords using a python script over a one minute
interval, then logged in to my account just fine using the web interface.

I'd post my code, but that would let any idiot figure out how to replicate
this attack. Try including a user agent, and not using the same cookies every
time.

~~~
phildeschaine
It appears they are still clueless about how the internet works.
https://twitter.com/VirginMobileAus/status/247958119966208000

~~~
ZoFreX
This is perhaps the best false promise corp-speak I've heard in relation to an
exploit:

> any word on supporting longer passwords eventually?

> Nothing as of right now but it's something we may definitely look into in
> the future. Thanks, Shane.

"May definitely"?

------
jpxxx
So unaccountable nation-states have access to anything you say or do on a
network, and random strangers have access to your account and billing details.
Is there anything left standing here?

~~~
ktizo
In those terms, it is the same as it ever was, just with different tech.

------
bobbles
Wow, the comments on the site there make this even more concerning: rules on
that limited set of numbers, and even recommending to users that they should
use their birthday as their PIN...

~~~
damian2000
I've been with someone when they signed up for a Virgin Mobile account
(in-store), and the rep specifically asked for a new password - and did not
prompt with using the birthdate, for example. That was in August last year.
That said, I distinctly remember the process being somehow a bit wrong - e.g.
having to handwrite the 6-digit PIN on some signup form. Once you've got the
initial PIN, you can however change it on the website.

------
armored_mammal
I noticed this when I signed up with them, but don't consider it the end of
the world -- when I switched my number from AT&T, it was obvious anybody who
had a little of my personal information and phone number could have done the
same thing.

However, I'm not sure it's the apocalypse on wheels. Plausible deniability is
nice. Sometimes.

I find it more irritating how nearly everything on my phone is tied to a
Google account.

------
gregsq
Relevant here is that Virgin Mobile USA is a completely different business to
Virgin UK. Virgin USA is an MVNO on the Sprint network. As a joint venture
between Virgin and Sprint, I wonder what actual involvement Virgin has in this
area. Ensuring standards and oversight certainly isn't part of that
involvement.

~~~
maxerickson
Sprint bought Virgin out a few years ago. They license the branding.

------
ryankask
Many of the Virgin Group's web properties have weak password requirements.

Virgin Atlantic requires your password to be between 5-8 characters (including
symbols) and Virgin Trains allows a maximum of 10 alphanumeric characters (no
symbols).

Both sites allow you to store sensitive data like passport numbers, phone
numbers, addresses, etc.

------
rohansingh
I wonder if the form is susceptible to timing attacks. That could make
identifying a user's PIN even faster.

------
jebblue
>> I verified this by writing a script to “brute force” the PIN number of my
own account.

They need to turn on ip rate limiting to stop brute force attacks or make them
impractical. At least that's my understanding of the purpose of rate limiting.

------
Cyranix
Are the Virgin Mobile gateways for other countries affected, or is this US-
only? AFAICT online access to my Canadian account is still using a run-of-the-
mill user-defined password.

------
KeyBoardG
Virgin Mobile outsources everything to IBM. It'll be months before the
paperwork and red tape get done to allow them a fix.

~~~
damian2000
If/when the media coverage ramps up, this will be done quickly, believe me.
Not to would be corporate suicide.

------
superkvn
Amazing that a company of this stature and size doesn't have proper security
in place. They deserved to get fired.

------
antidoh
I think some people are about to lose their virginity.

~~~
jiggy2011
What?

I know I shouldn't reply to a troll, but I'm curious about this one.

~~~
jrockway
I think he intended it to mean, "some people are about to be fucked," as in
"fucked over."

~~~
carlsednaoui
Or refers to Richard Branson's Book "Losing my virginity":
http://www.amazon.com/Losing-My-Virginity-Survived-Business/dp/0307720748

------
bashzor
You can brute-force everything, and since usernames are public and passwords
often guessable, I bet you can hack some accounts on most websites. Also I'd
be surprised if they didn't rate-limit you in a way that makes such
brute-force attacks infeasible.

If we'd start to report all such vulnerabilities, we can fill up three pages
of news with it every day...

