3V.ie Online Account Security Weakness – Beware!

Image via payzone.ie
Image via payzone.ie

I may have identified a possible security weakness with the 3V.ie (online customer account) service. This occurred recently while trying to retrieve my own 3V account details, this weakness would allow any person with prior knowledge that you have a 3V account coupled with your mobile phone number to access your 3V “Online Customer Service” browse your balance & purchase history etc. Here is a summary of user tasks taken from their website:

Online Customer Service

Sign on to the new Online Customer Service section of this 3V website using your email address and personal password to:

  • Receive again the security details for any Voucher.
  • Check the balance and transaction history on your 3V Vouchers.
  • Redeem money left on your 3V Vouchers to your bank account.
  • Transfer money from one Voucher to another Voucher.
  • Request a replacement 3V Customer Card.
  • Update your personal details or password.
  • Change how you receive the security details when you buy a 3V Voucher.

You can also find the balance and transaction history for any 3V Vouchers quickly by clicking on the View Transaction History link on the left hand side of this page.

The info that follows may have been a one off chance of gaining someones account information but non the less a weakness… try it yourself on your own account if you like!

Let me explain…

I hadn’t used my 3V account with over a year and had lost my card but also had forgot my account username and password, so a few weeks ago I tried the standard “Forgot Your Password” option on the website www.3v.ie and went through the various email address I may have used for that account. Unfortunately neither of my email addresses worked as the 3V website started to throw an error along the lines of “Cannot complete your request, please try later” etc.

The weakness…

Now at this point I gave up and then a couple of days later I tried the same procedure but got the same result, out of frustration I sent 3V.ie an email asking how I could retrieve my account details but never received an answer,but

Only discovered this today on their website:
“Emails must be sent from your registered email address and must include the last six digits of your 3V Voucher number if you have a query about a particular 3V Voucher.”

Roll on about 2 weeks later I really needed to use the 3V account to purchase an ebay item so I opted to call support by phone. This is where their weakness began to show…

The conversation…

I called customer service and stated that I needed to retrieve my account information, I was asked for my registered email address and password. I then explained that I couldn’t remember my registered email address or password and that is why I was speaking to support on phone! What followed was clearly shocking! Support asked me for my mobile number which I gave, I was then told my email username was xxxxx@xxxxx.com with no problem….. at that point I was actually relived now to have at least my username so while talking to support I tried the “Forgot My Password” option on the website login and still got the “Cannot complete your request, please try later” response feeling annoyed I asked why it was not working for me and also sensing the support persons frustration as I was asked to repeat the request… but each time it failed and then out of the blue I was informed “OK your password is xxxxx try that” and yes I had my password and yes it did work!!!

The conclusion…

So what I’m saying here is if I was posing as another person and rang customer support armed with just a known 3V user and there mobile number I could easily retrieve their information by causing a flurry about why I cannot access my account for some reason or another using the flaw “Cannot complete your request, please try later” response” etc. This happend to me and made me realize I could have been someone else! or maybe… just maybe the customer support person could actually see I was trying to access the system at that point and felt confident I was the same person on the end of the phone and freely gave the details away?

Opinions please?

7 thoughts on “3V.ie Online Account Security Weakness – Beware!”

  1. That’s quite alarming, but difficult for the company to police. They should send your login details via snail mail to your registered address.

    I hope they educate their support staff a little better if this becomes known.

  2. Donncha.. I agree with the company sending your login details via snail mail to your registered address, its the safest way really. Maybe someone from 3V will pick up on this post and reply. Hard luck on your trouble with your stolen credit card details at least you got a lock down.

  3. You wont believe this but the EXACT same thing happend me there a few weeks ago and I thought the same too.. how easy to access accounts if you appear to be under “stress” on the phone to Customer Support… very little info needed. ;o(

    I always sign up for accounts and stuff using GMAIL cause you can always quickly find your login details (…U/N ..P/W etc) using the Quick SEARCH function..

    Ok.. thats my 2 cents..

    JD

  4. Hi I was wondering how to etrieve my 3v voucher number because I’ve lost my 3v voucher and there is still money on it.

  5. 19/10/2012 remaining money for my voucher 3v visa card in the amount of 108.96 euros transferred the account to my bank including webpage my bank IBAN and name of the bank, and so far that are waiting money has been received by me on my account. Waiting longer than a week and do not know when I get the money to my bank account. I know that the transfer can take a few days but it is already a slight exaggeration.

    Yours faithfully

    Monika Chlebda

Comments are closed.