The problem with this authentication method is that the username for the account is the user's mobile phone number, the password is a 6-digit PIN (meaning only one million possible password combinations), and Virgin Mobile does not restrict the number of repeated login attempts.
Kevin Burke, a developer with cloud communications IaaS company Twilio and a Virgin Mobile USA customer himself, has proved the vulnerability by breaking into his own account via a brute-forcing script back a month ago, and has immediately notified the carrier of the danger.
But when after many emails exchanged the company said that they intend to do nothing about the matter, he decided to force their hands by making the flaw public.
"Anyone who knows your Virgin Mobile USA phone number can see who you’ve been calling and texting, change the handset associated with your number, change your address, your email address, or your password, and purchase a handset on your behalf," says Burke.
He points out that there is currently no way to wholly protect yourself from this attack (as a new PIN is as guessable as an old one) and advises users to be vigilant, delete any credit cards they have stored with Virgin, and consider switching to another carrier.
Following the disclosure, Burke received a response from Virgin Mobile USA pointing him to a section of their Terms of Service agreement that apparently relieves them of any responsibility if other persons log in with their credentials (whether they have been authorized to do so or not).
Nevertheless, Burke points out that there are a number of steps that Virgin could take to fix this issue, and they include freezing accounts after five failed password attempts, allowing more complex passwords, introducing two-factor authentication, as well as other security best practices.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.