Virgin Mobile leaves six million subscriber accounts wide open (inburke.com)
156 points by stanleydrew on Sept 18, 2012 | hide | past | favorite | 79 comments

I simply don't understand how brute-forcing can remain a problem today. It seems like such a trivial implementation detail to freeze account access after a certain number of incorrect attempts – and yet most password security guidelines still warn against what they consider brute-forceable passwords.

Could a security professional explain in non-domain-expert terms why this practice isn't simply adopted everywhere?

I think that one of the reasons it is not implemented is because it is a problem that isn't purely technical in nature. So you want to lock people's accounts to prevent brute forcing? There are still a bunch of decisions (both business and technical) before you can move forward.

  1. User support.  How willing are you to deal with increased need for customer support when they start locking themselves out of their accounts after a dozen failed attempts?
  2. How do you keep track of the number of failed attempts?  Another column in your database?  I don't run any big websites, but it seems to me that if an attacker can cause a write to your DB for every POST he can throw at you, your website performance will suffer.
  3. If it takes a dozen (or a hundred (or a thousand)) failed logins to lock an account, it would be trivial for an attacker to lock users out of their accounts, DOSing your site in a different way.
  4. Ok, so we block IP addresses instead of accounts?  Now we have to deal with issues of shared or easily changed IP addresses (or botnets that can afford to have hundreds of thousands of IPs blacklisted from a site and still keep brute forcing).
A lot of these issues are surmountable, but not until you do some basic threat modeling to decide what you want to protect against.

Maybe you decide to focus on preventing attackers coming from one IP from slamming your site, so you keep an in-memory table of the number of recent failed logins and perform temporary bans. It won't protect against botnets, but hopefully you are paying attention to what is happening on your site, and can make changes if that becomes an issue.

> yet most password security guidelines still warn against what they consider brute-forceable passwords.

Your password should be hard to brute force, regardless of whether or not the site protects itself from brute forced logins. The other big danger is that someone hacks the site and gets a dump of password hashes. Then, it doesn't matter what anti-brute force techniques the website is using if the attacker can perform an offline brute force attack against your hashes.

Instead of freezing the account until it's unlocked by customer service, why not just lock it for increasingly longer periods of time? 2 seconds after the third failed attempt, 3 after the fourth, 5 after the sixth, 10 after the seventh, etc.

Not too inconvenient for legitimate users trying to remember their passwords, but it surely makes bruteforcing impossible (if by the 1,000th attempt they're having to wait an hour between attempts).

That would still enable someone to DOS your website. A better way IMHO is to limit the maximum timeout - say 1 or 10 seconds. This, compared with even simple passwords that have slightly more than 1 000 000 combinations, would mean hackers need days or weeks to crack passwords; in this time you should be able to notice the attack.

You would only be able to DOS individual accounts, rather than the whole website. Do it by IP address, sure, at some point someone with a huge enough botnet will be able to crack an account. But is it likely that someone will use their entire botnet to crack a single user's password on some consumer service?

Depends on what you can do on that site. Around my part of the world:

* Phone/number that is redirecting a call pays for the redirected leg of the call

This leads to a lot of creative hacking on trying to program a phone to redirect calls to expensive service numbers or foreign numbers. And many operators let you administer call redirection on their website.

An alternative might be for the user to be able to request that the block is cleared, and for that process to send out an automated email; if the user clicks the link in the email, the block is cleared.

It's no less secure than a password reset and would mean that legitimate account owners can't be locked out of their accounts by attackers.

This. Instead of having a timeout after n-number of passwords, have a random timeout after each one (between 1 and 3 seconds). Not really a big deal for a user (you can hold the connection open, so the browser looks like it's waiting for a response, or put up a loading spinner) but makes brute forcing infeasible.
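The sub-thread above (an in-memory per-IP table with temporary bans, an escalating per-account delay, and the suggestion to cap that delay so a stranger cannot lock the real owner out) can be combined into one small throttle. The code below is an added example written for this page, not code from the article or from any of the commenters; the thresholds (3 free attempts, a delay that doubles from 2 s up to a 10 s cap, a 300 s ban after 20 failures from one IP within a minute) are constructed defaults, and it assumes the login handler calls `check()` before verifying credentials and `record_failure()` / `record_success()` afterwards.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Constructed clock so the demo (and a test) can advance time by hand."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class LoginThrottle:
    """Failed-login throttle combining two ideas from the thread:
    - per account: a delay that doubles after each failure but is capped, so
      someone hammering an account can slow its owner down by at most
      max_delay seconds per attempt, never lock them out completely;
    - per source IP: an in-memory sliding window of recent failures with a
      temporary ban once the window fills (no database write per POST).
    All thresholds are constructed defaults, not anyone's production values."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=10.0,
                 ip_window=60.0, ip_max_failures=20, ip_ban=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.ip_window = ip_window
        self.ip_max_failures = ip_max_failures
        self.ip_ban = ip_ban
        self.clock = clock
        self._account_failures = defaultdict(int)   # consecutive failures
        self._account_blocked_until = {}            # account -> timestamp
        self._ip_failures = defaultdict(deque)      # ip -> failure timestamps
        self._ip_blocked_until = {}                 # ip -> timestamp

    def delay_for(self, failures):
        """Capped exponential delay: nothing for the first few failures, then
        base_delay doubling per failure, never above max_delay."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts),
                   self.max_delay)

    def check(self, account, ip):
        """Call before verifying credentials.
        Returns (allowed, seconds_to_wait, reason)."""
        now = self.clock()
        ip_until = self._ip_blocked_until.get(ip, 0.0)
        if now < ip_until:
            return False, ip_until - now, "ip"
        acct_until = self._account_blocked_until.get(account, 0.0)
        if now < acct_until:
            return False, acct_until - now, "account"
        return True, 0.0, ""

    def record_failure(self, account, ip):
        """Call after a wrong password/PIN. Returns the delay now imposed
        on the account (0.0 while still within the free attempts)."""
        now = self.clock()
        self._account_failures[account] += 1
        delay = self.delay_for(self._account_failures[account])
        if delay:
            self._account_blocked_until[account] = now + delay
        window = self._ip_failures[ip]
        window.append(now)
        while window and window[0] < now - self.ip_window:
            window.popleft()                    # drop failures outside the window
        if len(window) >= self.ip_max_failures:
            self._ip_blocked_until[ip] = now + self.ip_ban
            window.clear()
        return delay

    def record_success(self, account):
        """A correct login resets the account's failure state."""
        self._account_failures.pop(account, None)
        self._account_blocked_until.pop(account, None)


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(clock=clock)
    for attempt in range(1, 8):               # constructed: seven wrong guesses
        allowed, wait, reason = throttle.check("alice", "203.0.113.5")
        if not allowed:
            clock.now += wait                 # attacker waits out the delay
        delay = throttle.record_failure("alice", "203.0.113.5")
        print(f"failure {attempt}: next attempt delayed {delay:.0f}s")
```

With the 10 s cap, a single guessing stream gets at most 8,640 attempts per account per day, so a 1,000,000-PIN space takes roughly four months to exhaust for one account, which is enough time to notice. The per-IP ban is the part a botnet can sidestep, as the thread points out; the capped per-account delay is what actually slows the guessing down, and because the cap is small the account owner is never locked out, only briefly delayed. State lives server-side, so holding the connection open or returning early makes no difference to the attacker's rate.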

Because the people who implement the login systems aren't always security professionals. Sometimes they're random, mediocre, software engineers who don't really care about security, but their boss put them in charge of the website.

And the boss isn't a security professional (or even a software engineer, half the time) so he doesn't care. In fact, there's commonly an entire culture all the way up the ladder where nobody gives a shit about security, so terrible holes stay wide open for years.

This is where the Anonymouses of the world are doing a real service for the world. People need to be forced by real consequences to take security seriously.

There's not anything wrong with that either. As humans, we have limited available attention. You and I might argue that security is critical, but even thinking about everything that is reasonably deemed critical is paralyzing. Statistically organizations are just not going to take security seriously on the whole until they get pwned to the tune of billions.

I can't think of an example I've seen where Anonymous-like breaches caused anyone but the actually breached companies to reflect on their security (Sony didn't even react immediately, they got pwnd three times). Releasing personal information just isn't a threat to companies in the era of Facebook.

How would such an example be visible to you?

Does it really matter that they are/are not security professionals? Virgin Mobile is a major corporation, and (if I understand the vulnerability correctly) are willing to let a unique IP ping their server 1MM times in a day. Rate limiting software is open-source and easy to come by. How does Virgin mobile prevent DDOS attacks if this vulnerability exists?

Just because they're a major corporation doesn't mean anyone with any clout gives a shit about whether or not customer logins are being brute forced, or if their servers can be DDOS'd. Even if somebody cared to mention it, somebody else would mention that it's too expensive, they're not getting attacked right now, and there's more important problems to worry about, so it gets ignored. This is not just cynicism on my part - this is how most companies operate. When they start losing money they'll start caring about security.

Oh, and DDOS has nothing to do with rate limiting. If you fill up a pipe with incoming packets it's going to become unresponsive. There's no real way to stop it, but multi-homing, global distribution and some tricks administered by DDOS mitigation companies can help.

Automatically freezing an account makes it easy for an attacker to denial-of-service an account. Just try to login as many times as it takes to freeze the account, and then it's not available anymore to the legitimate user.

Simple answer:

The greater the restrictions on the account lockout policy, the more personnel you need to hire (salary, health benefits, pension, 401k) to deal with people who manage to lock their accounts out.

Or just outsource it to the lowest bidder, or better yet an automated system.

But how much does it cost them when these problems arise?

Pick a random PIN - say, 197326 - and try it against a lot of account (phone) numbers. Skirt IP-restrictions by renting a botnet for 15 minutes.

WTH, that's my pwd! :-)

My wife has Virgin Mobile and is happy with it, and I am (or was?) planning to switch in a couple of months, once my AT&T contract runs out, so I really hope they fix this pronto.

I think it's especially important that Virgin Mobile resolves this, since the market share is basically theirs for the taking.

Their basic $35/mo. plan, which includes text and data, is great for my needs, so I called AT&T and told them I was thinking of switching, but because I'd been an AT&T customer for years, I was giving them a chance to match that kind of offer. Not only did the rep basically say, "Nope, we can't come close to matching that," but -- more surprisingly -- he had no script to say, "Here's why you shouldn't switch to Virgin." Which says to me that AT&T isn't taking Virgin seriously yet.

If Virgin Mobile can get its account security act together, I think it can make pretty good in-roads against the bigger carriers.

The big blocker for Virgin Mobile is that the phones only talk to Sprint owned towers. Sprint's Sprint branded phones have a pretty good network because they roam on Verizon. Virgin, not so much.

Still a good deal if the Sprint network is enough coverage.

I've been using VM for a few years now and overall have been very happy. Sprint coverage sucks in some areas but for the most part is fine. Being half the price of other providers makes up for it. My phone came with tethering enabled which I used a lot before getting a Clear access point.

The only problem I ever had with VM (recently switched to StraightTalk) was the phone selection. Phones are getting better but you can't buy a different phone and just use it on VM. At least sticking with SIM card phones you have other options.

This is not really a problem. Just pay a few bucks to someone off of Craigslist (or spend a little time learning to do it yourself) to clone one of their cheaper phones to one you buy (get one with a bad ESN cause they are cheaper) off of eBay or CL. It is really pretty easy.

"Wide open" is factually incorrect if they still require you to guess the pin.

Why didn't the author also mention that since there's no e-mail address associated with new prepaid accounts you can specify any e-mail you want the first time you try to sign into the website? Seems like an easier exploit to me.

Their network ACLs and support web apps are also swiss cheese. I wouldn't really rely on a VM account for security.

That doesn't make me feel great about two-factor authentication through my VM phone.

Good! This is just a better example of why SMS and non-encrypted-and-authenticated connections for two factor are silly. If you use an HTTPS web app for two-factor (or a pin-generating app, no network required) you should be reasonably secure - unless some Android malware is in your phone.

In case you're curious, the limitations around runs and sequences reduce the keyspace to 993240 possibilities - that's assuming sequences both upwards and downwards.

Be grateful they haven't reduced it further. If runs and sequences of length 3 were also banned, only 904728 would remain.

"I have altered our deal. Pray I do not alter it further."
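The two keyspace figures above can be reproduced from the rule as the commenter describes it: a 6-digit PIN may not contain a run of identical digits (7777) or a sequence of consecutive digits in either direction (1234, 4321) of 4 or more digits, with no wrap-around (8901 is not a sequence). The code below is an added example, not code from the article or from the commenter; the function and constant names are mine, and it counts the surviving PINs with a dynamic programme over the last few digits instead of enumerating all million, so the same function answers the "what if length 3 were banned too" question.

```python
from functools import lru_cache

PIN_LENGTH = 6


def is_run_or_sequence(window):
    """True if every step between neighbouring digits is the same and is
    0 (a run such as 7777), +1 (an ascending sequence such as 1234) or
    -1 (a descending one such as 4321). No wrap-around: 8901 does not count."""
    steps = {b - a for a, b in zip(window, window[1:])}
    return steps in ({0}, {1}, {-1})


def count_allowed_pins(min_len, length=PIN_LENGTH):
    """Number of `length`-digit PINs containing no run or sequence of
    `min_len` or more digits. Dynamic programme over the last (min_len - 1)
    digits, which is all the state needed to know whether appending one more
    digit would complete a forbidden window."""
    keep = min_len - 1

    @lru_cache(maxsize=None)
    def extend(remaining, suffix):
        if remaining == 0:
            return 1
        total = 0
        for d in range(10):
            window = suffix + (d,)
            if len(window) == min_len and is_run_or_sequence(window):
                continue                      # would complete a banned pattern
            total += extend(remaining - 1, window[-keep:])
        return total

    return extend(length, ())


def is_pin_allowed(pin, min_len=4):
    """Policy check for a single PIN under the same rule."""
    digits = tuple(int(c) for c in pin)
    if len(digits) != PIN_LENGTH:
        return False
    return not any(is_run_or_sequence(digits[i:i + min_len])
                   for i in range(len(digits) - min_len + 1))


if __name__ == "__main__":
    for min_len in (4, 3):
        allowed = count_allowed_pins(min_len)
        print(f"ban runs/sequences of {min_len}+ digits: "
              f"{allowed} PINs remain ({10**PIN_LENGTH - allowed} removed)")
```

Banning the length-4 patterns removes 6,760 PINs and banning length-3 patterns removes 95,272, so the rule buys almost nothing against someone trying every PIN while telling them exactly which ones to skip; the size of the space, not the composition rule, is what limits a guessing attack, which is why the rate limiting discussed elsewhere in the thread matters more than the PIN policy.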

It's true. I just wrote some NodeJS code iterating pins 000000 through 999999 and it got into my account. (If anyone wants the code...)

I'd like to compare it (speed) to my version using python+mechanize.

I'm intrigued as to why you think there would be a speed difference. If your language of choice can't iterate around a loop faster than your network card can push out a couple of network packets then I think you have some issues.

Factor in RTT/latency and concurrency. There's no reason multiple requests can't be in-flight at once, up to the point where you're overloading your uplink or the server.

Like flatline said below, I was wondering if you did any concurrency. I recently scraped another site and I found a "sweet spot" of about 10 different sessions each trying different chunks... maxed out at about 200kb/s from the site.

I just sent this link to my partner who is a Virgin Mobile customer.

She couldn't open the page on her mobile browser. She said it said something like "Restricted by Virgin."

Seems a bit strange. I will ask her to try again later.

EDIT: Kevin is actually talking about Virgin Mobile in the US. His domain, however, is inaccessible to my partner who uses Virgin Mobile UK ("adult restriction").

Wait. My website is blocked/censored in the UK? Can you email me with details?

I sent your article to my partner this morning and she tried to access it on her phone on the Virgin Mobile UK network.

She couldn't access the article or your homepage. I just asked her to try again and it's being caught in their adult content filters or something. False positive? Maybe there is some adult content on the site?

Maybe another Virgin Mobile UK user can try it. They presumably would still have to have their content filters active.

It works for me on a non-Virgin IP. It may be Virgin Media (home broadband), or Virgin Mobile (mobile internet) that blocks it.

On what grounds? Can you provide more detail? Would rather not have the site be blocked if I can help it.

Sorry, I meant to point out that there are two possible ISPs that the user might have trouble accessing it on. To my knowledge, no UK ISP blocks content by an automatic or specific filter, aside from the Pirate Bay of course.

ISPs in the UK are blocking sites as "mature" when they are not.

I have yet to see an outcry.

If you all think this is a horrible breach of security, keep in mind that voicemail systems usually let you keep guessing forever. (And usually let you in with a spoofed caller-id number, but that's slightly less trivial)

If you want to try to break into your voicemail (or speed up guessing of PINs for the website), use one of the 20 most commonly-used PINs on either of these pages. One list even has 6-digit pins. Happy hacking!

http://www.datagenetics.com/blog/september32012/index.html http://wiki.docdroppers.org/index.php?title=Breaking_into_ce... http://amitay.us/blog/files/most_common_iphone_passcodes.php https://docs.google.com/viewer?a=v&q=cache:w8orMsrdbScJ:...

The login page on Virgin Mobile's USA site is totally non-functional right now. I wonder if all the curious people trying to recreate this brute force hack DDoSed the site.

While I'm a strong supporter of full disclosure, I'm iffy about this "hack" because hitting any web site in an automated fashion approximately a million times in one day is firmly in the very dark shade of gray areas.

I'm a Virgin Media customer in the UK. My home internet connection stopped working recently and (long story short) in dealing with trying to fix it, it turns out my main login password for their service can be accessed by support staff. This means the password is being stored in plaintext.

I was contacted to ask about how customer services dealt with me and I stated how unbelievably insecure their (my!) data must be. This was the straw that finally broke my password insecurity camel's back - I now use KeePass to generate all my passwords.

I wonder if any big telcos actually treat customer data appropriately?

I use Virgin Media, but I'm not sure what you mean by 'password for the service'.

AFAIK you don't need a password to access the internet, just plug the cable modem in.

There is a password that you create which is used to call customer support, but AFAIK it's only used by the callcenter.

It's also worth noting that Virgin Media is nothing to do with Virgin Mobile; Virgin Media is still operated by the old Telewest/NTL but they bought the Virgin branding.

I know the branding can act as a mask over different companies e.g. Sony VAIOs http://www.pcpro.co.uk/news/357289/sony-announces-division-t.... As you point out we're going from US mobile to UK broadband. But the point of the brand is to give consumers confidence in a consistent level of service and I thought it vaguely relevant to mention my experience.

Yes, by password for their service I mean the password chosen for my @virginmedia.com login where I can access/pay bills, look at phone calls made etc. I imagine if I had a TV package with them there would be other things I could do via their website.

I was pretty shocked that anyone - staff or otherwise - had access to my password.

The title and article are hyperbole. I tried it myself, as did a few other people who commented on the article.

After a few attempts you can no longer use a PIN and must call in or use your security question.

Not sure what you tried, but they haven't fixed the problem. I just tried 100 different random 6-digit passwords using a python script over a one minute interval, then logged in to my account just fine using the web interface.

I'd post my code, but that would let any idiot figure out how to replicate this attack. Try including a user agent, and not using the same cookies every time.

It appears they are still clueless about how the internet works. https://twitter.com/VirginMobileAus/status/24795811996620800...

This is perhaps the best false promise corp-speak I've heard in relation to an exploit:

> any word on supporting longer passwords eventually?

> Nothing as of right now but it's something we may definitely look into in the future. Thanks, Shane.

"May definitely"?

I say post the code. That would really light the fire under Virgin's ass.

Any person nefarious enough to perform the attack is probably smart enough to figure it out anyway.

No thanks... that would cross the line between full disclosure and malice.

It should be trivial for anyone who understands HTTP and threads to reimplement.

I really hope that Virgin are not stupid enough to go after you in some lawyery way over this. I think you are already running a risk by disclosing this at all. The usual next step when a company doesn't show willingness to fix a security problem is that they try and shoot the messenger :-(

It should be trivial for anyone who understands HTTP and a for loop to reimplement.

After reading down a few comments on the article you see that the writer is talking about Virgin Mobile in the US, as someone in Australia points out that this doesn't work.

It would be nice if the writer of the article had said that they were talking about Virgin Mobile US, as Virgin Mobile is a multinational company.

They are probably keeping it in a cookie for expediency.

So unaccountable nation-states have access to anything you say or do on a network, and random strangers have access to your account and billing details. Is there anything left standing here?

In those terms, it is the same as it ever was, just with different tech.

Wow, the comments on the site there make this even more concerning. Rules on that limited set of numbers and even recommending to users that they should use their birthday as their PIN...

I've been with someone when they signed up for a Virgin Mobile account (in-store), and the rep specifically asked for a new password - and did not prompt with using the birthdate, for example. That was in August last year. That said, I distinctly remember the process being somehow a bit wrong - e.g. having to handwrite the 6-digit PIN on some signup form. Once you've got the initial PIN, you can however change it on the website.

I noticed this when I signed up with them, but don't consider it the end of the world -- when I switched my number from AT&T, it was obvious anybody who had a little of my personal information and phone number could have done the same thing.

However, I'm not sure it's the apocalypse on wheels. Plausible deniability is nice. Sometimes.

I find it more irritating how nearly everything on my phone is tied to a Google account.

Relevant here is that Virgin Mobile USA is a completely different business to Virgin UK. Virgin USA is an MVNO on the Sprint network. As a joint venture between Virgin and Sprint, I wonder what actual involvement Virgin has in this area. Ensuring standards and oversight certainly isn't part of that involvement.

Sprint bought Virgin out a few years ago. They license the branding.

Many of the Virgin Group's web properties have weak password requirements.

Virgin Atlantic requires your password to be between 5-8 characters (including symbols) and Virgin Trains allows a maximum of 10 alphanumeric characters (no symbols).

Both sites allow you to store sensitive data like passport numbers, phone numbers, addresses, etc.

I wonder if the form is susceptible to timing attacks. That could make identifying a user's PIN even faster.
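Two defender-side points raised in the thread fit in one small example: the offline attack against a dumped password table (the earlier comment about hashes) and the timing attack wondered about here. The code below is added for this page and is not from the article, Virgin Mobile or any commenter; the PBKDF2 work factor and the 6-digit sample PIN are constructed values. It shows the early-exit comparison that leaks timing next to the hardened verifier that stores only a salted, stretched hash and compares it in constant time.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # constructed work factor for the example


def naive_equal(stored: bytes, supplied: bytes) -> bool:
    """The comparison a timing attack exploits: it returns at the first
    mismatching byte, so a guess sharing more leading bytes with the secret
    takes measurably longer to reject. Shown only as the 'before' form."""
    if len(stored) != len(supplied):
        return False
    for a, b in zip(stored, supplied):
        if a != b:
            return False
    return True


def enroll_pin(pin: str, rounds: int = PBKDF2_ROUNDS):
    """Store a per-user salt and a stretched hash instead of the PIN itself,
    so a database dump does not hand PINs out directly and identical PINs
    do not produce identical records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)
    return salt, digest


def verify_pin(pin: str, salt: bytes, digest: bytes,
               rounds: int = PBKDF2_ROUNDS) -> bool:
    """Recompute the hash and compare in constant time: compare_digest takes
    the same time whether the first byte or the last byte differs, so the
    response time says nothing about how close the guess was."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll_pin("197326")          # constructed sample PIN
    print("correct PIN accepted:", verify_pin("197326", salt, digest))
    print("wrong PIN rejected:  ", not verify_pin("197327", salt, digest))
```

The caveat the earlier commenter makes still applies: with only a million possible PINs, even a hash costing a tenth of a second per guess falls to an offline attacker in about a day per account, so hashing limits the damage of a dump rather than making a 6-digit PIN strong. Constant-time comparison closes the timing side channel on the online path; the rate limiting discussed above is what keeps that path slow.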

>> I verified this by writing a script to “brute force” the PIN number of my own account.

They need to turn on ip rate limiting to stop brute force attacks or make them impractical. At least that's my understanding of the purpose of rate limiting.

Are the Virgin Mobile gateways for other countries affected, or is this US-only? AFAICT online access to my Canadian account is still using a run-of-the-mill user-defined password.

Virgin Mobile outsources everything to IBM. It'll be months before the paperwork and red tape get done to allow them a fix.

If/when the media coverage ramps up, this will be done quickly, believe me. Not to would be corporate suicide.

Amazing that a company of this stature and size doesn't have proper security in place. They deserved to get fired.

I think some people are about to lose their virginity.


I know I shouldn't reply to a troll, but I'm curious about this one.

I think he intended it to mean, "some people are about to be fucked," as in "fucked over."

Or refers to Richard Branson's Book "Losing my virginity": http://www.amazon.com/Losing-My-Virginity-Survived-Business/...

That was it.

Virgin Mobile. Lose their V-card by switching to a different carrier.

Or better yet, I like this chick, so I hack into her Virgin Mobile account and track down her SMS correspondence to realize that she calls the local Pizza Hut a lot. So I show up at her door with a pizza before her usual time of call, and she says, "how do you know I like pizza?" And I say, "Baby, it's because I have a radar for chubby girls" and we eat pizza and make out with our greasy lips and do the deed. And later she says, "so how was it?" And I'd say "It was great, like a virgin." <eom>

You can brute-force everything, and since usernames are public and passwords often guessable, I bet you can hack some accounts on most websites. Also I'd be surprised if they didn't rate-limit you in a way that makes such brute-force attacks infeasible.

If we'd start to report all such vulnerabilities, we can fill up three pages of news with it every day...
