rothwell.im

by Jonathan Rothwell

[LINK] Virgin Mobile USA has appallingly insecure PIN practices

Kevin Burke reveals an alarmingly weak password policy and a shocking lack of interest from management at Virgin Mobile USA.

Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means that there are only one million possible passwords you can choose.

What’s even more astonishing is that they don’t have basic protections against brute force attacks in place. Burke says that he managed to write a trivial script to brute force his own PIN.

When you have information such as credit card data attached to an account, there should be a simple system in place whereby a specified number of failed login attempts within a certain timescale causes the account to be locked. My TV set-top box does it, my computer, my tablet and my phone do it, and my bank’s websites do it—so any excuse Virgin has for not implementing these basic security practices must be pretty flimsy.
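The lockout rule described above, as an added example written for this post (not Virgin Mobile's code, nor Burke's script): a sliding-window failed-attempt counter that locks the account after a threshold, plus a small in-memory simulation showing how many sequential 6-digit guesses a service actually evaluates once such a rule is in place. The thresholds, the account name and the stored PIN are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
import hmac

# Assumed policy (illustrative, not Virgin Mobile's): lock after MAX_FAILURES
# failed attempts within WINDOW_SECONDS, and keep the lock for LOCK_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCK_SECONDS = 60 * 60

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:  # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            q.clear()

    def record_success(self, account):
        self.failures.pop(account, None)

def attempt_login(policy, pin_store, account, pin, now):
    """Return 'locked', 'ok' or 'denied' (pin_store holds plain PINs here; a real service stores salted hashes)."""
    if policy.is_locked(account, now):
        return "locked"  # refuse before the credential is even checked
    expected = pin_store.get(account)
    if expected is not None and hmac.compare_digest(expected, pin):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "denied"

def guesses_before_lock(policy, pin_store, account, start=0.0):
    """Submit sequential 6-digit PINs one per second; count how many get evaluated before the lock engages."""
    evaluated = 0
    for guess in range(1_000_000):
        result = attempt_login(policy, pin_store, account, f"{guess:06d}", start + evaluated)
        if result == "locked":
            return evaluated
        evaluated += 1
        if result == "ok":
            return evaluated
    return evaluated
```

With the assumed thresholds, a guessing loop gets five PINs checked out of a million before every further request, including the correct one, is refused until the lock expires.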