FCW Insider

Blog archive

Virgin Mobile's security fail

I confess: I am not cool enough to have a smart phone. My mobile phone is not smart at all. It’s a touch-screen LG model with a slide-out keyboard, and I can use it for calls, text messaging and very limited web browsing.

But as not-smart as it is, it may be smarter than the provider I use, Virgin Mobile. I say this because this morning I received a text message alerting me that my secret security question has expired. It directed me to go to the Virgin Mobile website and update it … and then helpfully provided my secret personal identification number.

Get that? The verbatim text is, “Your Secret Question has expired. Please update it at virginmobileusa.com with acct PIN … " and then my actual PIN, right there in plain view.

Was it a phishing attempt? Unlikely, for two reasons. First, the site MyCallBot.com verifies the number it came from is one Virgin uses. Secondly, whoever sent it already has my phone number and PIN. They don’t need to phish for anything else.

Now as it happened, I had my phone with me and saw the message. But what if I had lost it, or it had been stolen? If that had happened, Virgin would have just handed a stranger the key to unlock my account.

And why? Virgin’s customers should keep up with their PINs and not need the company to provide them, especially not without some security measures to ensure the person getting the message is the one authorized to access the account. That the company would do that at all is surprising; that they would do it on their own initiative, without the customer requesting it, is mind-boggling.

As you implement your own mobile device security policies, that should be one to include: Don’t send people their own passcodes in plain text, especially if you have no reason to think they need it.

Posted by Michael Hardy on Jan 11, 2012 at 9:03 AM


Reader comments

Sun, Jan 29, 2012 MRAD

I just got one of these e-mails for my Broadband account with VMusa. When i log into my account there is no place to update a "Secret Question".

Thu, Jan 26, 2012

I also received this message this morning but no pin showing. One question though I have had this account for years and suddenly they tell me my secret question has expired?! I have never been told that. I also questioned them on it but again they didn't show my pin. which was good. Can't wait to hear their explanation. I even checked to see if i got charged for it, nope. I think this is very odd

Fri, Jan 20, 2012

I just got this as an email, not a text, containing my PIN in plain text. I registered my protest, too.

Fri, Jan 20, 2012 Clive

Got an email saying same. There's 2 things that stand out here:

1) whoever is in charge of this is an idiot
2) they store your PIN *unencrypted* - whoever is their data architect is also an idiot.

Thank goodness Inever do anything I need to be secure with

Fri, Jan 20, 2012

I am guessing they want your IP address. That way they can track who the phone belongs to. The bad guys will not like this nor will they do it.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above