According to a new report from MobileSyrup, a hacker has uncovered a vulnerability in Freedom Mobile’s customer login system. This means that Freedom Mobile customers could be at risk of hackers gaining access to their personal information such as phone number, call history, and address.
The hacker, who goes by the username NullHumanity, showed a screenshot of code on a subreddit that appears to show them successfully brute-forcing user logins.
The login system is “forced to the Phone Number/PIN model” which cannot even be changed if the customer calls support. This makes it really easy to brute force logins because there are only 10,000 possible combinations of four-digit PINs and phone numbers are fairly easy to access.
“There are lots of services out there to identify carrier numbers.”
The hacker said that there have already been 2,000 accounts that have been identified as being at risk. The group does not intend to do anything malicious with the information they have gained, but they expect that it would be possible to target up to 350,000 accounts based on their brute force attack.
“A phone number is predictable and a 4 digit PIN isn’t secure. Figuring out matching sets can be automated easily.”
The four-digit PIN as a password for accessing online banking raises huge security concerns, which the company needs to address. NullHumanity reached out to Freedom Mobile regarding the issue and he was told that four-digit pins provide adequate security because they are used in a lot of banking applications.
Clearly, there are some people who have yet to come to terms with today’s standard of security. That being said, it looks like Freedom Mobile has a lot of work to do in order to make their customer login system secure. Hopefully, someone at Freedom Mobile is looking into providing a solution for this outdated security system.