Virgin Mobile chastised for PIN authentication 'vulnerability'

Written By Luthfie fadhillah on Tuesday, 18 September 2012 | 22.44

Virgin Mobile has come under fire from a developer who's not so pleased about the company's username and password handling.

Kevin Burke yesterday took to his personal blog to report that Virgin Mobile's authentication process only allows users to enter digits as their account PIN. What's worse, he says, the password is limited to six digits, leaving "only one million possible passwords you can choose."

"This is horribly insecure," Burke wrote. "Compare a 6-digit number with a randomly generated 8-letter password containing uppercase letters, lowercase letters, and digits -- the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day.

"I verified this by writing a script to 'brute force' the PIN number of my own account," he continued.
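Added example, not from Burke's post or the CNET article: a per-account failed-attempt limiter with doubling lockouts, plus a measurement of how many of the one million six-digit PINs a server would evaluate in one day with and without it. The policy values (5 free attempts, 60-second base lock, one-day cap), the rate of 12 requests per second and all names are assumptions chosen for illustration.

```python
import hmac

PIN_SPACE = 10 ** 6      # six decimal digits, as described in the article
DAY = 24 * 60 * 60       # seconds

class PinThrottle:
    """Per-account limiter: after `free_attempts` consecutive failures the
    account is locked, and each further failure doubles the lock (assumed policy)."""

    def __init__(self, free_attempts=5, base_lock=60, max_lock=DAY):
        self.free_attempts = free_attempts
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.failures = {}       # account -> consecutive failed attempts
        self.locked_until = {}   # account -> time the current lock expires

    def check(self, account, supplied, real_pin, now):
        """Return 'ok', 'bad' or 'locked'; `now` is an injected clock in seconds."""
        if now < self.locked_until.get(account, 0):
            return "locked"      # the PIN is not even compared while locked
        if hmac.compare_digest(supplied, real_pin):   # constant-time compare
            self.failures.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.free_attempts:
            lock = min(self.base_lock * 2 ** (n - self.free_attempts), self.max_lock)
            self.locked_until[account] = now + lock
        return "bad"

def guesses_evaluated(throttle, window=DAY, rate=12.0):
    """Count wrong guesses the server actually evaluates within `window` seconds
    for a client retrying at `rate` per second and as soon as any lock expires.
    Constructed PINs; the supplied value never matches, which is the worst case."""
    t, evaluated = 0.0, 0
    while t < window:
        result = throttle.check("acct", "000000", "999999", t)
        assert result == "bad"
        evaluated += 1
        t = max(t + 1.0 / rate, throttle.locked_until.get("acct", 0))
    return evaluated

if __name__ == "__main__":
    unthrottled = guesses_evaluated(PinThrottle(free_attempts=10 ** 9))
    throttled = guesses_evaluated(PinThrottle())
    print(f"no lockout:   {unthrottled} guesses/day, covers {PIN_SPACE} PINs: {unthrottled >= PIN_SPACE}")
    print(f"with lockout: {throttled} guesses/day")
```

With no lockout, roughly 12 attempts per second is enough to cover the whole PIN space in a day, which matches the "inside of one day" estimate quoted above; the limiter bounds the same client to a handful of evaluated guesses.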

The information that could be obtained from the hack is by no means trivial. Burke claims that hackers could read the user's call and SMS logs, change handsets associated with the account, and even purchase new handsets.

Burke didn't just stop at his blog. He also asked Virgin Mobile about it on the company's Twitter page. Its customer care center directed him to the Virgin Mobile "Authentication and Contact" section of its General Terms and Conditions. That section discusses how the PIN works, and explains that the company may "treat any person who presents your credentials that we deem sufficient for account access as you or an authorized user on the account for disclosure of information or changes in Service."

Despite Burke's issues, however, it's important to note that his findings are only a potential vulnerability. So far, there has been no known widespread attack on Virgin Mobile accounts.

CNET has contacted Virgin for comment on Burke's findings. We will update this story when we have more information.

(Via Wired)

Don Reisinger 18 Sep, 2012


Source: http://news.cnet.com/8301-1009_3-57514967-83/virgin-mobile-chastised-for-pin-authentication-vulnerability/?part=rss&tag=feed&subj=DialedIn