Virgin Mobile U.S. promises its customers that it uses “standard industry practices” to protect its customers’ personal data – but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber’s account, see who they call and text, register a different phone on the account and even purchase a new iPhone.
That’s according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.
Virgin Mobile U.S. account security uses a customer’s phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password — which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.
Once an unauthorized user is in, they can read a customer’s communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without notification to the previous address.
Burke, who works as a developer at Twilio, says he’s used to looking at security issues thanks to his day job, and noticed how weak the authentication system was. Once he proved to himself that anyone could bust in with a few lines of code, he contacted the company.
“I tried to escalate it following responsible disclosure principles,” Burke said. After eventually finding someone who understood the problem, Burke repeatedly followed up, only to eventually be told not to expect any change.
He then decided to go public so that people would know they were at risk — though there’s nothing users can do to protect themselves, except not use Virgin Mobile.
In a response to a tweet from Burke on Monday, Virgin Mobile U.S. directed Burke to a section of their Terms of Service agreement.
Virgin Mobile @VMUcare refuses to fix security hole that leaves their 6 million subscribers' accounts open to attack: bit.ly/virgin-security
@ekrubnivek Hello, please go to bit.ly/OAubLE and review the Authentication and Contact policy. We only have two ways of protection.
That document says, in part: “You further agree that Virgin Mobile may, in our sole discretion, treat any person who presents your credentials that we deem sufficient for account access as you or an authorized user on the account for disclosure of information or changes in Service.”
UPDATE 8:27 PM PST: Sprint spokeswoman Stephanie Vinge responded to Wired’s earlier inquiries, saying that “A lockout feature for multiple password attempts is part of Sprint’s standard procedures. We are reviewing the systems we have in place and conducting audits to ensure our standards are being met, including for Virgin Mobile.”
Virgin’s website says it protects users, but can’t be responsible in the case of hacks.
Virgin Mobile uses standard industry practices to safeguard the confidentiality of your personally identifiable information. Virgin Mobile treats data as an asset that must be protected against loss and unauthorized access. We employ many different security techniques to protect such data from unauthorized access by users inside and outside the company.
Unfortunately, perfect security does not exist on the Internet, and therefore, Virgin Mobile makes no representations or warranties with regard to the sufficiency of our security measures. Virgin Mobile shall not be responsible for any damages that result from a lapse in compliance with this Privacy Policy because of a security breach, technical malfunction or similar problem. Always be careful and responsible regarding your personal information.
The fixes, according to Burke, start with allowing more complex passwords and locking down accounts after a few failed attempts.
While Virgin Mobile may consider its insecure system to be “standard industry practice,” Twitter ended up signing a 20-year consent decree with federal regulators over its shoddy security practices. One key element in the FTC’s action? Twitter didn’t prevent rapid guessing of passwords.