I simply don't understand how brute-forcing can remain a problem today. It seems like such a trivial implementation detail to freeze account access after a certain number of incorrect attempts – and yet most password security guidelines still warn against what they consider brute-forceable passwords.
Could a security professional explain in non-domain-expert terms why this practice isn't simply adopted everywhere?
I think that one of the reasons it is not implemented is because it is a problem that isn't purely technical in nature. So you want to lock people's accounts to prevent brute forcing? There are still a bunch of decisions (both business and technical) before you can move forward.
1. User support. How willing are you to deal with increased need for customer support when they start locking themselves out of their accounts after a dozen failed attempts?
2. How do you keep track of the number of failed attempts? Another column in your database? I don't run any big websites, but it seems to me that if an attacker can cause a write to your DB for every POST he can throw at you, your website performance will suffer.
3. If it takes a dozen (or a hundred (or a thousand)) failed logins to lock an account, it would be trivial for an attacker to lock users out of their accounts, DOSing your site in a different way.
4. Ok, so we block IP addresses instead of accounts? Now we have to deal with issues of shared or easily changed IP addresses (or botnets that can afford to have hundreds of thousands of IPs blacklisted from a site and still keep brute forcing).
A lot of these issues are surmountable, but not until you do some basic threat modeling to decide what you want to protect against.
Maybe you decide to focus on preventing attackers coming from one IP from slamming your site, so you keep an in-memory table of the number of recent failed logins and perform temporary bans. It won't protect against botnets, but hopefully you are paying attention to what is happening on your site, and can make changes if that becomes an issue.
> yet most password security guidelines still warn against what they consider brute-forceable passwords.
Your password should be hard to brute force, regardless of whether or not the site protects itself from brute forced logins. The other big danger is that someone hacks the site and gets a dump of password hashes. Then, it doesn't matter what anti-brute force techniques the website is using if the attacker can perform an offline brute force attack against your hashes.
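The scheme sketched in the comment above, written out as an added example (it is not code from any commenter or from Virgin Mobile): an in-memory, per-IP sliding window of failed-login timestamps with temporary bans, so a flood of login POSTs never turns into one database write per request. The class, its thresholds, the `attempt_login` wrapper, the fake clock and the sample account are all assumptions made for the demonstration.

```python
import time
from collections import deque


class FailedLoginLimiter:
    """Per-IP failed-login tracker kept entirely in memory.

    Assumed design for this example (not any site's real code): each client IP
    gets a sliding window of failure timestamps; reaching `max_failures`
    inside `window_seconds` bans that IP for `ban_seconds`. Nothing is written
    to the database, so a flood of login POSTs does not cost a DB write each.
    """

    def __init__(self, max_failures=10, window_seconds=300, ban_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.ban_seconds = ban_seconds
        self.clock = clock                 # injectable so the demo can fake time
        self._failures = {}                # ip -> deque of failure timestamps
        self._banned_until = {}            # ip -> clock value at which the ban expires

    def is_banned(self, ip):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # ban expired: forget it and the old failures
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register one failed login from `ip`; return True if it is now banned."""
        now = self.clock()
        q = self._failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A good login clears the failure history, but never lifts an active ban."""
        self._failures.pop(ip, None)

    def prune(self):
        """Housekeeping to run periodically so idle IPs do not pile up in memory."""
        now = self.clock()
        for ip, q in list(self._failures.items()):
            while q and now - q[0] > self.window:
                q.popleft()
            if not q:
                del self._failures[ip]
        for ip, until in list(self._banned_until.items()):
            if now >= until:
                del self._banned_until[ip]


def attempt_login(limiter, ip, username, password, check_credentials):
    """Wrap a credential check with the limiter; returns 'banned', 'ok' or 'failed'.
    A banned address is answered (e.g. HTTP 429) without consulting the
    password store at all."""
    if limiter.is_banned(ip):
        return "banned"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "failed"


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Five bad guesses within a minute ban the address; the ban lifts after 600 s."""
    clock = FakeClock()
    limiter = FailedLoginLimiter(max_failures=5, window_seconds=60,
                                 ban_seconds=600, clock=clock)
    users = {"alice": "correct horse battery staple"}   # constructed sample account
    check = lambda user, pw: users.get(user) == pw      # stand-in; a real site checks a hash
    ip = "203.0.113.7"                                   # documentation-range address
    results = []
    for _ in range(5):
        results.append(attempt_login(limiter, ip, "alice", "wrong", check))
        clock.advance(1)
    results.append(attempt_login(limiter, ip, "alice", users["alice"], check))  # right password, still banned
    clock.advance(601)
    results.append(attempt_login(limiter, ip, "alice", users["alice"], check))  # ban has expired
    return results


if __name__ == "__main__":
    print(demo())
```

The limiter deliberately keys on the client IP rather than the account, which is the trade-off the comment describes: it does nothing against a botnet spreading guesses across many addresses, while keying on the account instead would hand an attacker the lockout-as-denial-of-service lever raised elsewhere in this thread. A successful login clears the counter but not an active ban, and `prune()` is meant to run on a timer so idle addresses do not accumulate in memory.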
Because the people who implement the login systems aren't always security professionals. Sometimes they're random, mediocre software engineers who don't really care about security, but their boss put them in charge of the website.
Automatically freezing an account makes it easy for an attacker to denial-of-service an account. Just try to login as many times as it takes to freeze the account, and then it's not available anymore to the legitimate user.
The greater the restrictions on the account lockout policy, the more personnel you need to hire (salary, health benefits, pension, 401k) to deal with people who manage to lock their accounts out.
My wife has Virgin Mobile and is happy with it, and I am (or was?) planning to switch in a couple of months, once my AT&T contract runs out, so I really hope they fix this pronto.
I think it's especially important that Virgin Mobile resolves this, since the market share is basically theirs for the taking.
Their basic $35/mo. plan, which includes text and data, is great for my needs, so I called AT&T and told them I was thinking of switching, but because I'd been an AT&T customer for years, I was giving them a chance to match that kind of offer. Not only did the rep basically say, "Nope, we can't come close to matching that," but -- more surprisingly -- he had no script to say, "Here's why you shouldn't switch to Virgin." Which says to me that AT&T isn't taking Virgin seriously yet.
If Virgin Mobile can get its account security act together, I think it can make pretty good in-roads against the bigger carriers.
The big blocker for Virgin Mobile is that the phones only talk to Sprint-owned towers. Sprint's Sprint-branded phones have a pretty good network because they roam on Verizon. Virgin, not so much.
Still a good deal if the Sprint network is enough coverage.
I've been using VM for a few years now and overall have been very happy. Sprint coverage sucks in some areas but for the most part is fine. Being half the price of other providers makes up for it. My phone came with tethering enabled which I used a lot before getting a Clear access point.
The only problem I ever had with VM (recently switched to StraightTalk) was the phone selection. Phones are getting better, but you can't buy a different phone and just use it on VM. At least sticking with SIM card phones you have other options.
"Wide open" is factually incorrect if they still require you to guess the pin.
Why didn't the author also mention that since there's no e-mail address associated with new prepaid accounts you can specify any e-mail you want the first time you try to sign into the website? Seems like an easier exploit to me.
Their network ACLs and support web apps are also Swiss cheese. I wouldn't really rely on a VM account for security.
In case you're curious, the limitations around runs and sequences reduce the keyspace to 993240 possibilities - that's assuming sequences both upwards and downwards.
Be grateful they haven't reduced it further. If runs and sequences of length 3 were also banned, only 904728 would remain.
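A way to check the keyspace figure quoted above, added here as an example rather than anything from the thread. The comments do not spell out the exact rule, so the code assumes a PIN is rejected when four or more consecutive digits are identical (a run) or step by exactly +1 or -1 (a sequence), with no wraparound from 9 to 0; under that assumption, enumerating all 10^6 six-digit PINs leaves exactly 993240. The `min_len` and `pin_length` parameters are assumptions that let you try other cut-offs and PIN sizes.

```python
from itertools import product

STEPS = (-1, 0, 1)  # digit-to-digit differences that build a run (0) or a sequence (+1/-1)


def contains_run_or_sequence(digits, min_len=4):
    """Return True if `digits` contains min_len or more consecutive digits that
    are all identical (a run, e.g. 7777) or that step by exactly +1 or -1
    (a sequence, e.g. 2345 or 6543).

    Assumed policy for this example: no wraparound, so 8901 is not a sequence.
    """
    length = 1          # digits in the current run/sequence
    prev_step = None    # step the current run/sequence is built from
    for i in range(1, len(digits)):
        step = digits[i] - digits[i - 1]
        if step not in STEPS:
            length, prev_step = 1, None
            continue
        length = length + 1 if step == prev_step else 2
        prev_step = step
        if length >= min_len:
            return True
    return False


def policy_keyspace(pin_length=6, min_len=4):
    """Number of pin_length-digit PINs the policy still allows, by full enumeration."""
    return sum(
        1 for pin in product(range(10), repeat=pin_length)
        if not contains_run_or_sequence(pin, min_len)
    )


def rejected_fraction(pin_length=6, min_len=4):
    """Share of the full 10**pin_length keyspace that the policy throws away."""
    total = 10 ** pin_length
    return (total - policy_keyspace(pin_length, min_len)) / total


if __name__ == "__main__":
    allowed = policy_keyspace()
    print(f"6-digit PINs allowed under the assumed policy: {allowed}")
    print(f"fraction rejected: {rejected_fraction():.4%}")
```

The enumeration makes the defender's point concrete: forbidding runs and sequences removes well under one percent of the keyspace, so it only matters against a guesser who tries the obvious patterns first; against sustained enumeration, what bounds the attack is how many guesses the server lets through, not which PINs it disallows.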
I just sent this link to my partner who is a Virgin Mobile customer.
She couldn't open the page on her mobile browser. She said it said something like "Restricted by Virgin."
Seems a bit strange. I will ask her to try again later.
EDIT: Kevin is actually talking about Virgin Mobile in the US. His domain, however, is inaccessible to my partner who uses Virgin Mobile UK ("adult restriction").
If you all think this is a horrible breach of security, keep in mind that voicemail systems usually let you keep guessing forever. (And usually let you in with a spoofed caller-id number, but that's slightly less trivial)
If you want to try to break into your voicemail (or speed up guessing of PINs for the website), use one of the 20 most commonly-used PINs on either of these pages. One list even has 6-digit pins. Happy hacking!
The login page on Virgin Mobile's USA site is totally non-functional right now. I wonder if all the curious people trying to recreate this brute force hack DDoSed the site.
While I'm a strong supporter of full disclosure, I'm iffy about this "hack" because hitting any web site in an automated fashion approximately a million times in one day is firmly in the very dark shade of gray areas.
I'm a Virgin Media customer in the UK. My home internet connection stopped working recently and (long story short) in dealing with trying to fix it, it turns out my main login password for their service can be accessed by support staff. This means the password is being stored in plaintext.
I was contacted to ask about how customer services dealt with me and I stated how unbelievably insecure their (my!) data must be. This was the straw that finally broke my password insecurity camel's back - I now use KeePass to generate all my passwords.
I wonder if any big telcos actually treat customer data appropriately?
I use Virgin Media, but I'm not sure what you mean by 'password for the service'.
AFAIK you don't need a password to access the internet, just plug the cable modem in.
There is a password that you create which is used to call customer support, but AFAIK it's only used by the callcenter.
It's also worth noting that Virgin Media is nothing to do with Virgin Mobile; Virgin Media is still operated by the old Telewest/NTL, but they bought the Virgin branding.
Not sure what you tried, but they haven't fixed the problem. I just tried 100 different random 6-digit passwords using a python script over a one minute interval, then logged in to my account just fine using the web interface.
I'd post my code, but that would let any idiot figure out how to replicate this attack. Try including a user agent, and not using the same cookies every time.
After reading down a few comments on the article you see that the writer is talking about Virgin Mobile in the USA, as someone in Australia points out that this doesn't work.
It would be nice if the writer of the article had said that they were talking about Virgin Mobile US, as Virgin Mobile is a multinational company.
So unaccountable nation-states have access to anything you say or do on a network, and random strangers have access to your account and billing details. Is there anything left standing here?
Wow, the comments on the site there make this even more concerning... rules on that limited set of numbers, and even recommending to users that they should use their birthday as their PIN...
I've been with someone when they signed up for a Virgin Mobile account (in-store), and the rep specifically asked for a new password - and did not prompt with using the birthdate, for example. That was in August last year. That said, I distinctly remember the process being somehow a bit wrong - e.g. having to handwrite the 6-digit PIN on some signup form. Once you've got the initial PIN, you can however change it on the website.
I noticed this when I signed up with them, but don't consider it the end of the world -- when I switched my number from AT&T, it was obvious anybody who had a little of my personal information and phone number could have done the same thing.
However, I'm not sure it's the apocalypse on wheels. Plausible deniability is nice. Sometimes.
I find it more irritating how nearly everything on my phone is tied to a Google account.
Relevant here is that Virgin Mobile USA is a completely different business to Virgin UK. Virgin USA is an MVNO on the Sprint network. As a joint venture between Virgin and Sprint, I wonder what actual involvement Virgin has in this area. Ensuring standards and oversight certainly isn't part of that involvement.
Many of the Virgin Group's web properties have weak password requirements.
Virgin Atlantic requires your password to be between 5 and 8 characters (including symbols) and Virgin Trains allows a maximum of 10 alphanumeric characters (no symbols).
Both sites allow you to store sensitive data like passport numbers, phone numbers, addresses, etc.
> I verified this by writing a script to “brute force” the PIN number of my own account.
They need to turn on IP rate limiting to stop brute force attacks or make them impractical. At least that's my understanding of the purpose of rate limiting.
Are the Virgin Mobile gateways for other countries affected, or is this US-only? AFAICT online access to my Canadian account is still using a run-of-the-mill user-defined password.
mortenjorck | 13 years ago
colonelxc | 13 years ago
cecilpl | 13 years ago
perlgeek | 13 years ago
s_henry_paulson | 13 years ago
PeterisP | 13 years ago
jawns | 13 years ago
maxerickson | 13 years ago
driverdan | 13 years ago
thekillingtree | 13 years ago
peterwwillis | 13 years ago
BadassFractal | 13 years ago
barrkel | 13 years ago
mattdeboard | 13 years ago
Xcelerate | 13 years ago
klinquist | 13 years ago
ryankask | 13 years ago
kevinburke | 13 years ago
peterwwillis | 13 years ago
http://www.datagenetics.com/blog/september32012/index.html
http://wiki.docdroppers.org/index.php?title=Breaking_into_ce...
http://amitay.us/blog/files/most_common_iphone_passcodes.php
https://docs.google.com/viewer?a=v&q=cache:w8orMsrdbScJ:...
georgemcbay | 13 years ago
lifebeyondfife | 13 years ago
jiggy2011 | 13 years ago
dsl | 13 years ago
After a few attempts you can no longer use a PIN and must call in or use your security question.
kevinburke | 13 years ago
Swifty | 13 years ago
spullara | 13 years ago
jpxxx | 13 years ago
ktizo | 13 years ago
bobbles | 13 years ago
damian2000 | 13 years ago
armored_mammal | 13 years ago
gregsq | 13 years ago
maxerickson | 13 years ago
ryankask | 13 years ago
rohansingh | 13 years ago
jebblue | 13 years ago
unknown | 13 years ago
[deleted]
Cyranix | 13 years ago
KeyBoardG | 13 years ago
damian2000 | 13 years ago