I may have identified a possible security weakness with the 3V.ie (online customer account) service. This occurred recently while trying to retrieve my own 3V account details, this weakness would allow any person with prior knowledge that you have a 3V account coupled with your mobile phone number to access your 3V “Online Customer Service” browse your balance & purchase history etc. Here is a summary of user tasks taken from their website:
Online Customer Service
Sign on to the new Online Customer Service section of this 3V website using your email address and personal password to:
- Receive again the security details for any Voucher.
- Check the balance and transaction history on your 3V Vouchers.
- Redeem money left on your 3V Vouchers to your bank account.
- Transfer money from one Voucher to another Voucher.
- Request a replacement 3V Customer Card.
- Update your personal details or password.
- Change how you receive the security details when you buy a 3V Voucher.
You can also find the balance and transaction history for any 3V Vouchers quickly by clicking on the View Transaction History link on the left hand side of this page.
The info that follows may have been a one off chance of gaining someones account information but non the less a weakness… try it yourself on your own account if you like!
Let me explain…
I hadn’t used my 3V account with over a year and had lost my card but also had forgot my account username and password, so a few weeks ago I tried the standard “Forgot Your Password” option on the website www.3v.ie and went through the various email address I may have used for that account. Unfortunately neither of my email addresses worked as the 3V website started to throw an error along the lines of “Cannot complete your request, please try later” etc.
The weakness…
Now at this point I gave up and then a couple of days later I tried the same procedure but got the same result, out of frustration I sent 3V.ie an email asking how I could retrieve my account details but never received an answer,but
Only discovered this today on their website:
“Emails must be sent from your registered email address and must include the last six digits of your 3V Voucher number if you have a query about a particular 3V Voucher.”
Roll on about 2 weeks later I really needed to use the 3V account to purchase an ebay item so I opted to call support by phone. This is where their weakness began to show…
The conversation…
I called customer service and stated that I needed to retrieve my account information, I was asked for my registered email address and password. I then explained that I couldn’t remember my registered email address or password and that is why I was speaking to support on phone! What followed was clearly shocking! Support asked me for my mobile number which I gave, I was then told my email username was xxxxx@xxxxx.com with no problem….. at that point I was actually relived now to have at least my username so while talking to support I tried the “Forgot My Password” option on the website login and still got the “Cannot complete your request, please try later” response feeling annoyed I asked why it was not working for me and also sensing the support persons frustration as I was asked to repeat the request… but each time it failed and then out of the blue I was informed “OK your password is xxxxx try that” and yes I had my password and yes it did work!!!
The conclusion…
So what I’m saying here is if I was posing as another person and rang customer support armed with just a known 3V user and there mobile number I could easily retrieve their information by causing a flurry about why I cannot access my account for some reason or another using the flaw “Cannot complete your request, please try later” response” etc. This happend to me and made me realize I could have been someone else! or maybe… just maybe the customer support person could actually see I was trying to access the system at that point and felt confident I was the same person on the end of the phone and freely gave the details away?
Opinions please?