Absolutely unbelievable!
This morning I made an on line purchase from one of the big resellers that we all deal with. (I don't think it's a good idea YET to reveal who it is.) Unlike the overwhelming majority of retail sites that require you to enter your ID and password, this one requires you to enter your customer number and no password. Well, I didn't remember my customer number, and I didn't feel like searching through many old e-maiuls to find it. So, conveniently there is a link to "find your customer ID" which I click on. OK...so far everything is fine. Now I'm supposed to enter my e-mail address and my zip code. I assume that my user ID will be e-mailed to my registered address. But NO!...a link with my name and e-mail address comes back. I click on the link and viola---all of my information is there.
What's wrong with this you ask? No password, no e-mail sent to me, no security. Just the assumption that if you enter a valid matching e-mail address and zip code pair, then you're the right user of that account. OK...I'll give them the benefit of the doubt--it could have been an oversight--so I send an e-mail to the company very constructively and calmly explaining the vulnerability and my concerns. Later today I got a response from "Customer Service" (I wonder if he/she has little servettes at home...but I digress...) telling me that "management" does not feel that revealing customer's personal information is a problem as long as the cc info is not revealed, and that the function to look up one's customer ID is a much needed feature of their web site.:disgust::Q
Now I'm in disbelief. Disbelief due to both their OUTRAGOUS response and the fact that they claim to be a TrustE licensee. Their own written privacy policy states that they will not reveal any individually identifiable customer information except by court order. (I guess that my name, address, telephone number and a complete list of everything I've purchased with prices and dates aren't personal information. Silly me!) TrustE rule 1 is that you MUST abide by your own written privacy policy, and rule 2 is that you can't reveal user info without their permission.
So, I'm outraged. I've filed a complaint with TrustE and I'm waiting to see what happens. Hopefully the reseller will realize that they are making a BIG mistake and they will fix the problem. (I have little hope for this one.) More probable though is the chance that I might have to reveal who the retailer is right here on AT and thus have them effectively put out of business due to hackers and overall loss of user's trust.
No, it's NOT newegg, and don't ask me.
end of rant
This morning I made an on line purchase from one of the big resellers that we all deal with. (I don't think it's a good idea YET to reveal who it is.) Unlike the overwhelming majority of retail sites that require you to enter your ID and password, this one requires you to enter your customer number and no password. Well, I didn't remember my customer number, and I didn't feel like searching through many old e-maiuls to find it. So, conveniently there is a link to "find your customer ID" which I click on. OK...so far everything is fine. Now I'm supposed to enter my e-mail address and my zip code. I assume that my user ID will be e-mailed to my registered address. But NO!...a link with my name and e-mail address comes back. I click on the link and viola---all of my information is there.
What's wrong with this you ask? No password, no e-mail sent to me, no security. Just the assumption that if you enter a valid matching e-mail address and zip code pair, then you're the right user of that account. OK...I'll give them the benefit of the doubt--it could have been an oversight--so I send an e-mail to the company very constructively and calmly explaining the vulnerability and my concerns. Later today I got a response from "Customer Service" (I wonder if he/she has little servettes at home...but I digress...) telling me that "management" does not feel that revealing customer's personal information is a problem as long as the cc info is not revealed, and that the function to look up one's customer ID is a much needed feature of their web site.:disgust::Q
Now I'm in disbelief. Disbelief due to both their OUTRAGOUS response and the fact that they claim to be a TrustE licensee. Their own written privacy policy states that they will not reveal any individually identifiable customer information except by court order. (I guess that my name, address, telephone number and a complete list of everything I've purchased with prices and dates aren't personal information. Silly me!) TrustE rule 1 is that you MUST abide by your own written privacy policy, and rule 2 is that you can't reveal user info without their permission.
So, I'm outraged. I've filed a complaint with TrustE and I'm waiting to see what happens. Hopefully the reseller will realize that they are making a BIG mistake and they will fix the problem. (I have little hope for this one.) More probable though is the chance that I might have to reveal who the retailer is right here on AT and thus have them effectively put out of business due to hackers and overall loss of user's trust.
No, it's NOT newegg, and don't ask me.
end of rant
