Random learnings and other thoughts from an unashamed geek

Info Leak: Virgin Media


At 10:57am today (29th Jan 2013) I received a call from 00501, which according to phoneowner.info is commonly used by scammers (PPI reclaiming, etc.). The man on the other end of the phone had a heavy accent and the audio distortion on the line made it sound like it was coming from overseas. The call went as follows:

Them: Hello sir, I’m calling from the technical department of your broadband provider.

Me: Sorry, you’re calling from where?

Them: From your broadband provider.

Me: Oh, and which company is that?

Them: (pause) Virgin Media

Me: (surprised) Okay, hello.

(They hang up: beeeeeeeep)

They probably hung up because they figured it’d be too much effort to try and scam me if I was asking questions before even greeting them.

I get a lot of spam calls, despite using the Telephone Preference Service and rarely giving my landline out for anything, but this one slightly surprised me: they knew I used Virgin Media. How did they know that, I wondered? Was it just a fluke? Were they legit? Was it just a bad connection making it sound like an overseas call? Then I realised: it’s really easy to find out if someone uses Virgin Media in the UK.

How to find out if a phone number uses Virgin Media

It’s easy: just plug the phone number into the Virgin Media Status page:

If the phone number exists and is a Virgin Media number, they’ll display a status page. If it doesn’t then they’ll tell you “We don’t recognise this phone number. Please re-enter your full Virgin Media home phone number.”

Now this isn’t 100% reliable - you might use a different provider for your phone line, or you may have no landline at all. But for the most part (I expect) a scammer could just try random combinations of digits in the status page until they get a phone number that works, then phone them up claiming (semi-convincingly) to be Virgin Media and telling them to enter this command to wipe the viruses from this computer (or whatever thing the scammers are doing these days). Then they’ll get confused because Linux doesn’t have a “Start” button for you to press, and Ctrl+R doesn’t do anything, and all that jazz…


I see this as an information disclosure leak and I think Virgin Media should fix it. Postcode is fine for that status page, since it’s (generally) not specific to one address like a landline (generally) is.

Or why not just make your status page visible to all, without requiring a phone number, postcode, etc.? This would show you are proud of the services you offer and neither want nor need to hide anything. Why not have a status chart like Amazon Web Services does?
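
The leak and the postcode fix described above, as an added example (not part of the original post and not Virgin Media's code): a phone-keyed lookup that confirms who is a customer, a postcode-keyed lookup that does not, and a regression check that tells the two apart. All function names, numbers, postcode areas and fault text are constructed assumptions; only the "We don't recognise" message comes from the post.

```python
# Constructed data: 01632 96xxxx is the UK range reserved for fictional use,
# and "ZZ" is not a real postcode area.
CUSTOMER_LINES = {"01632960001": "ZZ1", "01632960002": "ZZ2"}  # number -> area
AREA_FAULTS = {"ZZ2": "Broadband fault reported, engineers investigating"}
ALL_CLEAR = "No known faults in this area"
NOT_RECOGNISED = ("We don't recognise this phone number. "
                  "Please re-enter your full Virgin Media home phone number.")


def status_by_phone(number: str) -> str:
    """Behaviour described in the post: the reply depends on whether the
    number is in the customer database, so it confirms who is a customer."""
    digits = "".join(ch for ch in number if ch.isdigit())
    area = CUSTOMER_LINES.get(digits)
    if area is None:
        return NOT_RECOGNISED
    return AREA_FAULTS.get(area, ALL_CLEAR)


def status_by_postcode(postcode: str) -> str:
    """Suggested fix: key the lookup on the outward postcode only. The reply
    depends on network state and never touches the customer database."""
    compact = postcode.replace(" ", "").upper()
    outward = compact[:-3]  # the inward code is always the last 3 characters
    return AREA_FAULTS.get(outward, ALL_CLEAR)


def confirms_customer(lookup, customer_inputs, other_inputs) -> bool:
    """Regression check: True when no reply given to a non-customer is ever
    given to a customer, i.e. the endpoint reveals customer membership."""
    customer_replies = {lookup(value) for value in customer_inputs}
    other_replies = {lookup(value) for value in other_inputs}
    return customer_replies.isdisjoint(other_replies)


if __name__ == "__main__":
    print("phone lookup leaks:", confirms_customer(
        status_by_phone, ["01632 960001", "01632 960002"], ["01632 960555"]))
    print("postcode lookup leaks:", confirms_customer(
        status_by_postcode, ["ZZ1 1AA", "ZZ2 2BB"], ["ZZ3 3CC"]))
```

Run as a test against a staging copy of a lookup endpoint, `confirms_customer` fails the build if a distinguishable "not recognised" reply is reintroduced.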