Sprint Responds to Developer's Disclosure of Virgin Mobile Security Shortcoming

2012-09-20T01:52:24
ID THREATPOST:AB11EFCEBFFF8F3D1F1816C22D9DFF3E
Type threatpost
Reporter Anne Saita
Modified 2013-04-17T16:31:30

Description

A Sprint spokeswoman today responded to a software developer’s claim that millions of Virgin Mobile users are vulnerable to attacks due to inadequate authentication mechanisms.

In an email sent to Computerworld, Stephanie Vinge Walsh said Virgin Mobile, a subsidiary of Sprint, has multiple safeguards to prevent someone from tampering with users’ accounts.

“It’s important to note that there are many different overlapping safeguards in place to ensure our customers’ privacy and security, and we have taken steps to further prevent intrusions and spoofing,” Walsh said. “While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place.”

Walsh’s comments came after Texas software developer Kevin Burke went public Monday with what he considered a serious flaw allowing Virgin Mobile accounts to be hacked because of how usernames and passwords are set up. Customers’ phone numbers are paired with six-digit PINs that can be guessed an unlimited number of times. Burke said he created a script that cracked his own numeric password with relative ease.

He said he publicly disclosed the security issue after the company told him it had no plans to fix it.

Burke’s warning to the 6 million Virgin Mobile users got a lot of attention, and on Wednesday Sprint said a new procedure locked out users after four failed attempts. It is also monitoring accounts for unusual behavior.
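The weakness Burke described is a six-digit PIN (one million possible values) that can be tried without limit; the fix Sprint announced is to lock the account after four failed attempts. The following is an added illustration of that mitigation, not Virgin Mobile's or Sprint's code: a small PIN authenticator with a per-account failure counter, using a constructed phone number and PIN.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 4  # lockout threshold Sprint announced
PIN_SPACE = 10 ** 6      # six-digit numeric PIN: 000000..999999


@dataclass
class Account:
    phone: str
    pin: str               # a real system would store a hash, not the PIN
    failed_attempts: int = 0
    locked: bool = False


class PinAuthenticator:
    """Hypothetical authenticator: counts consecutive failures per account
    and refuses all further logins once the threshold is reached."""

    def __init__(self, accounts):
        self._accounts = {a.phone: a for a in accounts}

    def login(self, phone, pin):
        acct = self._accounts.get(phone)
        if acct is None:
            return "denied"          # unknown number; same answer as a bad PIN
        if acct.locked:
            return "locked"          # locked accounts reject even the right PIN
        if hmac.compare_digest(acct.pin, pin):   # constant-time comparison
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # unlock would go through a separate channel
            return "locked"
        return "denied"


def demo():
    # Constructed account; the phone number and PIN are made up.
    auth = PinAuthenticator([Account("5550100", "483920")])
    # Four wrong guesses in a row: the fourth one triggers the lockout.
    results = [auth.login("5550100", g) for g in ("000000", "000001", "000002", "000003")]
    # Without a lockout, guessing could continue through all PIN_SPACE values;
    # with it, even the correct PIN is now refused until the account is unlocked.
    results.append(auth.login("5550100", "483920"))
    return results
```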

“We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts,” Walsh told Computerworld. “Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges.”