I was having trouble paying my monthly bill so I call up Virgin customer support. Here's what happens. I'll let the conversation speak for itself.
Virgin Customer Support = VCS
Me: Hey..I cannot seem to pay my monthly charge. Can you help out?
VCS: Sure..what's your phone number.
Me: Gives number
VCS: Thank You. (Does address and other verification)
VCS: Can you give me your mobile Pin? (Mobile pin = password)
Me: Huh? Do you mean my login password?
VCS: Yes correct
Me: Why do you need my login password?
VCS: Because I need to see why you can't pay your bill
Me: Why do you need my "password" for this?
VCS: (Repeats)
Me: (Tries to explain) This is like asking me for my Email password. Would you ask that of anyone?
VCS: (Ignores) If you don't remember your password...I can send it to you?
Me: Huhhhhh !!! .. still... lets play along. Okay..I say
VCS: Sends text message. Password happily on my phone in clear text now :-o
Me: Reads out pin...(still in shock)
VCS: Thank You (so they had it...just wanted to verify. Ah that's fine then. Good grief)
VCS: Okay I am going to check what happened to your payment
VCS: Okay it didn't go through. Lets try it again.
VCS: Can you give me your card number? and expiry date?
Me: Gives details
VCS: Can you also give me your CVV?
Me: Huh !!! (Another WTF moment)
Me: Why do you need my CVV? That's sensitive information.
VCS: Oh never mind..you have saved card info here. Click. Click. Done.
Me: Er..thank you.
Now there are multiple problems here which I quickly list.
-- My pin is in clear text there. Anyone who has access to the records can basically screw me if they wanted to. How much ..is debatable but at the least they can login as me.
-- They use a password as a verification tool. And when the customer doesn't know, hey no problem...we'll send it to you. So if there's a targeted attack..and someone's phone is flicked he's screwed.
-- Asking for CVV. I don't think you need this to complete a transaction. And assuming it is in fact needed, isn't it risky to give someone this on a call? They now have all my card related information and can misuse it anywhere.
-- Lastly..I hope all my card info is not stored in plain text in the DB. I really don't know.
So..while I did end up paying my bill, this experience shook me a little. Thoughts?
Virgin Customer Support = VCS
Me: Hey..I cannot seem to pay my monthly charge. Can you help out?
VCS: Sure..what's your phone number.
Me: Gives number
VCS: Thank You. (Does address and other verification)
VCS: Can you give me your mobile Pin? (Mobile pin = password)
Me: Huh? Do you mean my login password?
VCS: Yes correct
Me: Why do you need my login password?
VCS: Because I need to see why you can't pay your bill
Me: Why do you need my "password" for this?
VCS: (Repeats)
Me: (Tries to explain) This is like asking me for my Email password. Would you ask that of anyone?
VCS: (Ignores) If you don't remember your password...I can send it to you?
Me: Huhhhhh !!! .. still... lets play along. Okay..I say
VCS: Sends text message. Password happily on my phone in clear text now :-o
Me: Reads out pin...(still in shock)
VCS: Thank You (so they had it...just wanted to verify. Ah that's fine then. Good grief)
VCS: Okay I am going to check what happened to your payment
VCS: Okay it didn't go through. Lets try it again.
VCS: Can you give me your card number? and expiry date?
Me: Gives details
VCS: Can you also give me your CVV?
Me: Huh !!! (Another WTF moment)
Me: Why do you need my CVV? That's sensitive information.
VCS: Oh never mind..you have saved card info here. Click. Click. Done.
Me: Er..thank you.
Now there are multiple problems here which I quickly list.
-- My pin is in clear text there. Anyone who has access to the records can basically screw me if they wanted to. How much ..is debatable but at the least they can login as me.
-- They use a password as a verification tool. And when the customer doesn't know, hey no problem...we'll send it to you. So if there's a targeted attack..and someone's phone is flicked he's screwed.
-- Asking for CVV. I don't think you need this to complete a transaction. And assuming it is in fact needed, isn't it risky to give someone this on a call? They now have all my card related information and can misuse it anywhere.
-- Lastly..I hope all my card info is not stored in plain text in the DB. I really don't know.
So..while I did end up paying my bill, this experience shook me a little. Thoughts?
0 comments:
Post a Comment