Could a security professional explain in non-domain-expert terms why this practice isn't simply adopted everywhere?
1. User support. How willing are you to deal with increased need for customer support when they start locking themselves out of their accounts after a dozen failed attempts?
2. How do you keep track of the number of failed attempts? Another column in your database? I don't run any big websites, but it seems to me that if an attacker can cause a write to your DB for every POST he can throw at you, your website performance will suffer.
3. If it takes a dozen (or a hundred (or a thousand)) failed logins to lock an account, it would be trivial for an attacker to lock users out of their accounts, DOSing your site in a different way.
4. Ok, so we block IP addresses instead of accounts? Now we have to deal with issues of shared or easily changed IP addresses (or botnets that can afford to have hundreds of thousands of IPs blacklisted from a site and still keep brute forcing).
Maybe you decide to focus on preventing attackers coming from one IP from slamming your site, so you keep an in-memory table of the number of recent failed logins and perform temporary bans. It won't protect against botnets, but hopefully you are paying attention to what is happening on your site, and can make changes if that becomes an issue.
> yet most password security guidelines still warn against what they consider brute-forceable passwords.
Your password should be hard to brute force, regardless of whether or not the site protects itself from brute forced logins. The other big danger is that someone hacks the site and gets a dump of password hashes. Then, it doesn't matter what anti-brute force techniques the website is using if the attacker can perform an offline brute force attack against your hashes.
Not too inconvenient for legitimate users trying to remember their passwords, but it surely makes bruteforcing impossible (if by the 1,000th attempt they're having to wait an hour between attempts).
* Phone/number that is redirecting a call pays for the redirected leg of the call
This leads to a lot of creative hacking in trying to program a phone to redirect calls to expensive service numbers or foreign numbers. And many operators let you administer call redirection on their website.
It's no less secure than a password reset and would mean that legitimate account owners can't be locked out of their accounts by attackers.
There's not anything wrong with that either. As humans, we have limited available attention. You and I might argue that security is critical, but even thinking about everything that is reasonably deemed critical is paralyzing. Statistically, organizations are just not going to take security seriously on the whole until they get pwned to the tune of billions.
Oh, and DDOS has nothing to do with rate limiting. If you fill up a pipe with incoming packets it's going to become unresponsive. There's no real way to stop it, but multi-homing, global distribution and some tricks administered by DDOS mitigation companies can help.
The greater the restrictions on the account lockout policy, the more personnel you need to hire (salary, health benefits, pension, 401k) to deal with people who manage to lock their accounts out.
I think it's especially important that Virgin Mobile resolves this, since the market share is basically theirs for the taking.
Their basic $35/mo. plan, which includes text and data, is great for my needs, so I called AT&T and told them I was thinking of switching, but because I'd been an AT&T customer for years, I was giving them a chance to match that kind of offer. Not only did the rep basically say, "Nope, we can't come close to matching that," but -- more surprisingly -- he had no script to say, "Here's why you shouldn't switch to Virgin." Which says to me that AT&T isn't taking Virgin seriously yet.
If Virgin Mobile can get its account security act together, I think it can make pretty good in-roads against the bigger carriers.
Still a good deal if the Sprint network is enough coverage.
Why didn't the author also mention that since there's no e-mail address associated with new prepaid accounts you can specify any e-mail you want the first time you try to sign into the website? Seems like an easier exploit to me.
Their network ACLs and support web apps are also Swiss cheese. I wouldn't really rely on a VM account for security.
Be grateful they haven't reduced it further. If runs and sequences of length 3 were also banned, only 904728 would remain.
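The 904,728 figure above can be reproduced. The code below is an added example for this thread, not from the article; it assumes a 6-digit PIN (1,000,000 candidates), that a "run" is the same digit three times in a row, that a "sequence" is three consecutive digits stepping by exactly +1 or -1 with no wrap-around (so 890 and 901 do not count), and that either pattern anywhere in the PIN is banned.

```python
"""How many 6-digit PINs survive a 'no runs or sequences of length 3' rule?
Constructed example; the reading of the rule is an assumption (see lead-in)."""
from itertools import product


def has_run_or_sequence(digits, length=3):
    """True if any window of `length` consecutive positions is all the same
    digit (a run) or steps by exactly +1 or -1 each time (a sequence).
    No wrap-around: 890 and 901 are not sequences."""
    for i in range(len(digits) - length + 1):
        window = digits[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def count_allowed_brute_force(n_digits=6, length=3):
    """Enumerate every PIN (10**n_digits of them) and count the survivors."""
    return sum(1 for pin in product(range(10), repeat=n_digits)
               if not has_run_or_sequence(pin, length))


def count_allowed_dp(n_digits=6):
    """Same count for length-3 windows via a transfer over the last two
    digits, which scales to long PINs where enumeration does not."""
    def forbidden(a, b, c):
        return (a == b == c) or (b == a + 1 and c == b + 1) or (b == a - 1 and c == b - 1)

    if n_digits < 3:
        return 10 ** n_digits
    # state[(a, b)] = number of valid prefixes ending in digits a, b
    state = {(a, b): 1 for a in range(10) for b in range(10)}
    for _ in range(n_digits - 2):
        nxt = {}
        for (a, b), ways in state.items():
            for c in range(10):
                if not forbidden(a, b, c):
                    nxt[(b, c)] = nxt.get((b, c), 0) + ways
        state = nxt
    return sum(state.values())


if __name__ == "__main__":
    print("6-digit PINs allowed (DP):", count_allowed_dp(6))
    print("6-digit PINs allowed (enumeration):", count_allowed_brute_force(6))
```

Both counts agree at 904,728, i.e. the rule removes a little under 10% of the keyspace. The point the comment is making survives the arithmetic: a brute-forcer that skips banned patterns has roughly 9.5% fewer guesses to make, and a real PIN policy still leaves the attacker with most of a million candidates, so throttling on the server, not the PIN format, is what has to stop the attack.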
She couldn't open the page on her mobile browser. She said it said something like "Restricted by Virgin."
Seems a bit strange. I will ask her to try again later.
EDIT: Kevin is actually talking about Virgin Mobile in the US. His domain, however, is inaccessible to my partner who uses Virgin Mobile UK ("adult restriction").
She couldn't access the article or your homepage. I just asked her to try again and it's being caught in their adult content filters or something. False positive? Maybe there is some adult content on the site?
Maybe another Virgin Mobile UK user can try it. They presumably would still have to have their content filters active.
I have yet to see an outcry.
If you want to try to break into your voicemail (or speed up guessing of PINs for the website), use one of the 20 most commonly-used PINs on either of these pages. One list even has 6-digit pins. Happy hacking!
http://www.datagenetics.com/blog/september32012/index.html
http://wiki.docdroppers.org/index.php?title=Breaking_into_ce...
http://amitay.us/blog/files/most_common_iphone_passcodes.php
https://docs.google.com/viewer?a=v&q=cache:w8orMsrdbScJ:...
While I'm a strong supporter of full disclosure, I'm iffy about this "hack" because hitting any web site in an automated fashion approximately a million times in one day is firmly in the very dark shade of gray areas.
I was contacted to ask about how customer services dealt with me and I stated how unbelievably insecure their (my!) data must be. This was the straw that finally broke my password insecurity camel's back - I now use KeePass to generate all my passwords.
I wonder if any big telcos actually treat customer data appropriately?
AFAIK you don't need a password to access the internet, just plug the cable modem in.
There is a password that you create which is used to call customer support, but AFAIK it's only used by the callcenter.
It's also worth noting that Virgin Media has nothing to do with Virgin Mobile; Virgin Media is still operated by the old Telewest/NTL, but they bought the Virgin branding.
Yes, by password for their service I mean the password chosen for my @virginmedia.com login where I can access/pay bills, look at phone calls made etc. I imagine if I had a TV package with them there would be other things I could do via their website.
I was pretty shocked that anyone - staff or otherwise - had access to my password.
After a few attempts you can no longer use a PIN and must call in or use your security question.
I'd post my code, but that would let any idiot figure out how to replicate this attack. Try including a user agent, and not using the same cookies every time.
> any word on supporting longer passwords eventually?
> Nothing as of right now but it's something we may definitely look into in the future. Thanks, Shane.
Any person nefarious enough to perform the attack is probably smart enough to figure it out anyway.
It should be trivial for anyone who understands HTTP and threads to reimplement.
It would be nice if the writer of the article had said that they were talking about Virgin Mobile US, as Virgin Mobile is a multinational company.
However, I'm not sure it's the apocalypse on wheels. Plausible deniability is nice. Sometimes.
I find it more irritating how nearly everything on my phone is tied to a Google account.
Virgin Atlantic requires your password to be between 5-8 characters (including symbols) and Virgin Trains allows a maximum of 10 alphanumeric characters (no symbols).
Both sites allow you to store sensitive data like passport numbers, phone numbers, addresses, etc.
They need to turn on ip rate limiting to stop brute force attacks or make them impractical. At least that's my understanding of the purpose of rate limiting.
I know I shouldn't reply to a troll, but I'm curious about this one.
Or better yet, I like this chick, so I hack into her Virgin Mobile account and track down her SMS correspondence to realize that she calls the local Pizza Hut a lot. So I show up at her door with a pizza before her usual time of call, and she says, "how do you know I like pizza?" And I say, "Baby, it's because I have a radar for chubby girls" and we eat pizza and make out with our greasy lips and do the deed. And later she says, "so how was it?" And I'd say "It was great, like a virgin."
If we'd start to report all such vulnerabilities, we can fill up three pages of news with it every day...