A software developer claims he has found a security weakness in Virgin Mobile phones that allows hackers to intercept calls and text messages, lock users out of their accounts and buy a new phone with their credit card.
In a blog post, Kevin Burke said the vulnerability stems from the fact that the wireless carrier requires subscribers to use their phone numbers as their username and a 6-digit number as their password.
Burke said this is “horribly insecure” compared with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits. He warned a hacker could determine a Virgin Mobile subscriber’s PIN “inside of one day.”
“Pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number,” he said, adding “there is no way to defend against this attack.”
Burke works as a developer at Twilio, which helps developers add calls and text messages to their applications. He said he reported his findings to Virgin Mobile USA a month ago but, because the company had not taken action, decided to disclose them publicly.
Burke said Virgin Mobile should take several steps to improve its security, like allowing subscribers to set more complex passwords and freeze their accounts after five failed password attempts.
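The two points above, the size of a 6-digit PIN space versus a random 8-character alphanumeric password and the account freeze after five failed attempts, as an added example that is not code from the article, from Burke or from Virgin Mobile. The phone number, PIN and verification callback are constructed sample values.

```python
import hmac
import math
import string

# Search space of the two policies the article contrasts.
PIN_SPACE = 10 ** 6                                           # 6-digit numeric PIN
ALNUM_SPACE = len(string.ascii_letters + string.digits) ** 8  # 8 random letters/digits

def keyspace_bits(space: int) -> float:
    """Entropy (bits) of a secret chosen uniformly from `space` candidates."""
    return math.log2(space)

# Constructed sample account store for the demonstration; not real data.
_SAMPLE_PINS = {"5550100": "123456"}

def sample_verify(phone_number: str, pin: str) -> bool:
    """Constant-time comparison against the stored PIN for this sample account."""
    stored = _SAMPLE_PINS.get(phone_number, "")
    return hmac.compare_digest(stored, pin)

class PinLoginGuard:
    """Freezes an account after MAX_FAILURES consecutive bad PINs, the
    mitigation the article recommends. Keeps only a per-account failure
    count; the PIN check itself is delegated to `verify`."""
    MAX_FAILURES = 5

    def __init__(self, verify):
        self._verify = verify      # callable(phone_number, pin) -> bool
        self._failures = {}        # phone_number -> consecutive failures
        self._frozen = set()       # accounts that need manual unfreezing

    def attempt(self, phone_number: str, pin: str) -> str:
        if phone_number in self._frozen:
            return "frozen"            # no further guesses are evaluated
        if self._verify(phone_number, pin):
            self._failures.pop(phone_number, None)   # success resets the counter
            return "ok"
        count = self._failures.get(phone_number, 0) + 1
        self._failures[phone_number] = count
        if count >= self.MAX_FAILURES:
            self._frozen.add(phone_number)
            return "frozen"
        return "bad_pin"
```

Note that a freeze triggered by failures alone also lets anyone who knows the phone number lock the legitimate subscriber out, so a deployment pairs it with an out-of-band unfreeze path.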
Virgin Mobile is a wireless carrier that offers pre-paid handsets through Sprint. A spokesperson for Virgin Mobile and Sprint did not immediately return requests for comment.
On its web site, Virgin Mobile says the company is “strongly committed to protecting the privacy of our customers” and “uses standard industry practices to safeguard the confidentiality of your personally identifiable information.”