Sprint today denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer this week.
In emailed comments, Sprint spokeswoman Stephanie Vinge Walsh said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users.
"It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing," Walsh said. "While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place."
Walsh was responding to questions that arose from a Monday blog post by developer Kevin Burke. In it, Burke detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse.
Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, Burke noted.
Because the password is just six digits long, it is relatively easy to guess using brute-force password guessing tools, Burke claimed. Burke authored a password-guessing tool to crack his own password to demonstrate how easy it is to defeat Virgin Mobile's authentication. The tool was designed to test different 6-digit password combinations until it discovered the right one.
With the password and phone number, an attacker would be able to get a user's entire call records and texting history, change the handset associated with the number and change service address and password to lock the actual user out of an account, Burke wrote.
Burke said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks.
In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. Burke described that move as ineffective because hackers could bypass it by making login attempts without sending any cookie data with the requests.
In her comments today, Walsh did not specifically address Burke's claims. Instead, she said the company has not received any reports of fraud affecting Virgin Mobile customers.
"We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts," Walsh said. "Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges."
Walsh offered no details on what those measures might be.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.