SMS Validation - Security issue at PokerStars

02-22-2018 , 03:46 AM
Hi,
I recently found a pretty serious security issue on Pokerstars.

I have had my .EU account there for years, using PIN and SMS Validation as security options. Recently I decided to open an account on .ES. Most ROW players are able to create an account there since the pool merge between Spain and France. Right after creating the account I decided to turn on the PIN and SMS Validation features. I had no problem with the PIN setup, but there was an issue with SMSV. You cannot use the same mobile phone number on another account, despite the fact that both accounts are created legally by the same person. I have only one mobile phone number, so I cannot use that one.

I contacted support about the issue and asked them if they could manually copy the number from my .EU account to .ES. After some time I received an SMS telling me that my phone number was removed from my .EU account and the whole SMSV disabled! I was shocked. I simply asked if they could copy the number. Instead of answering, they just did the worst option. They didn't even ask me if it was OK to lower security on my main account! I urged them to revert it immediately since I didn't authorize the change. Fortunately they did. So I gave up on the .ES thing.

A few days ago I tried to deposit via Skrill on .ES without SMSV enabled. Right after filling in all the required data for the deposit, a popup came up asking about things like my name and address (which were already filled in on the account) and of course my phone number. Without filling in the number this cannot be completed, and the deposit did not complete either.

So I emailed support again. This time I didn't mention any transfer of the phone number, on purpose. I simply asked how to deposit. You can guess what happened. Boom, SMS received saying that the phone number was removed from my .EU account! The level of competence of PS support hits a new bottom in my eyes.

Maybe you ask where the security issue is. There are hundreds of thousands of people using the same password for their email account and Pokerstars account. But they rely on SMS Validation, so even in the case someone has their login credentials they wouldn't be able to log in from a different computer/country. In this case all the attacker needs to do is create an account on .ES and ask for the mobile number to be copied. The whole SMS Validation will be disabled on .EU/.COM and the villain will be able to steal your funds.
As far as I remember, PS support didn't ask for any proof that the account on .ES was created by the same person as the .EU account other than it using the same email address. In theory the attacker only needs your email address without the password, creates an .ES account with that address and just asks support via the built-in form in the PS client. SMSV removed.

You are OK when using an RSA token, but the PIN does not change over time unless you change it yourself. So even people using a PIN are vulnerable, since an attacker can use some keylogger/screenscraper to take possession of not only your username and password, but also your PIN. SMS Validation was the last resort to prevent such a scenario, but at this time it has a serious flaw in my eyes.

I hope the level of my English is enough for you to understand.

What do you think about this issue?

Last edited by PumaPerez; 02-22-2018 at 04:15 AM.
02-22-2018 , 08:20 AM
That's awful, removing it on a whim defeats the whole point. They've been shifting their support to India so it's only going to get worse (check the job listings on their website).

If you have a landline you can probably receive texts to it (in the UK it works anyway, they get read out by a creepy computer voice).
02-22-2018 , 08:27 AM
That is brutal. Things like this show any hope of Pokerstars or online poker being close to what it once was is fool's gold.

Can any support staff from Pokerstars not come in here and tell OP to handle this privately, but explain to us how your support has devolved to this? So sad.
02-22-2018 , 09:12 AM
Quote:
Originally Posted by The Imp
They've been shifting their support to India so it's only going to get worse (check the job listings on their website).
That's because they are officially launching in India (pokerstars.in) and they will only be handling Indian players.
02-22-2018 , 09:31 AM
This is indeed a very serious issue, I hope a Pokerstars rep becomes aware of it and takes action before someone gets hacked... I'm hoping that before they remove someone's phone number they actually check if both accounts' details match (name, address etc.) even though they should obviously ask for proof of ID first.
02-22-2018 , 01:43 PM
I just received a call from a PS representative. They admitted the issue was poorly handled and apologized. That's great. We can only wish they will improve the chain of decisions in similar cases. I would say removing SMSV after authorization by the account holder and confirmation with an SMS code would be fine.

I was informed that currently you can use your phone number on only one account, unfortunately. I was offered the choice of which account I want to have SMSV enabled on. So I decided to stick with .EU until they resolve the issue. The other solution is to buy some cheap prepaid SIM, which would be the way to go for me since I have a 2-SIM phone.
02-23-2018 , 09:54 AM
This is a reminder that the weakest link in any security system is often the people, rather than the technology.