[Nolug] E-commerce security nightmare

From: Joey Kelly <joey_at_joeykelly.net>
Date: Thu, 18 Dec 2008 16:43:48 -0600
Message-Id: <200812181643.49105.joey@joeykelly.net>

Guys,

I have a little story to tell, and you are simply going to love this one.

I ordered some item from some website right before my trip, about a month ago.
The company has been a staple of their industry for decades, first doing
catalog sales, and recently putting up a web presence. The shipment never
arrived, so yesterday I got on their site to check the status of my order.

The website pretended not to have my email address on file (they use that as
the account number), which was rather strange, since I've been getting spam
from them every few days for a month, ever since I placed my order with them.
Along the way I requested my password be reset. More on this later.

I called the company, and they told me that I did in fact have an account on
their system, and that my order was received, and I should have gotten a
confirmation email. I did get one some weeks back, but it said that the order
status was pending. They told me over the phone that the item in question was
discontinued, and that the notification should have stated such (it did not).
The person apologized for the website not telling me that the item wasn't
offered any more.

Fair enough. The CSR even pointed me to a couple of other websites, but these
didn't pan out for me. I did appreciate the effort at the time.

I don't remember the exact details or order of events, but at some point I
created a new account, then of course I realized that their database probably
had two accounts under my name (either Joey or Allen Kelly, I forget which I
used). Remember, even though my first account seemed not to exist, I did place
an order (they found it when I called them, searching by last name and zip
code).

So today I get an email from their server telling me that my password had been
reset, to "password123". Was this from my initial attempts to log in and check
my order when no account supposedly existed? Or had the second account I
created been accessed by someone other than me? I immediately sent a query to
the email support guys, which got me an apology.

I'm no dummy, regardless of what you might have heard. I emailed them back,
informing them that since anyone could request a password reset via the
website, any cracker (the media and other clueless types call them "hackers")
can gain access to any account, knowing only the account-holder's email
address, and the trivial password string used. I smell an automated attack,
and I am convinced that my account has been or will shortly be illegally
accessed.

In my email, I asked that my account and all my info and credit card data be
deleted and scrubbed from their database, and told them that I was considering
contacting the feds to inform them about this company's complete lack of
security on their website, and also that I might consider suing them. Lastly,
I demanded a written apology from an officer of the company. I am awaiting
their terrified response.

By the way, if I called the company's name, practically every one of you would
instantly recognize it.

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
___________________
Nolug mailing list
nolug@nolug.org
Received on 12/18/08
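
The takeover described in the post, modelled as an added example (this is not code from the post or from the retailer's site). It assumes the flaw exactly as reported: the site changes an account's password to the fixed string "password123" the moment anyone submits that account's e-mail address, and the e-mail is only a notification after the fact. Next to it is the standard remedy: an unguessable, hashed, time-limited, single-use token is mailed to the owner, and the password changes only when that token is presented. Class and function names, the example.invalid addresses and the fake clock are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

FIXED_RESET_PASSWORD = "password123"  # the string the post reports being mailed out


def _hash(value: str) -> str:
    # Illustrative only; a real site would use a slow KDF (bcrypt/argon2) with a salt.
    return hashlib.sha256(value.encode()).hexdigest()


class VulnerableAccounts:
    """Reset overwrites the password with a fixed value as soon as it is requested."""

    def __init__(self):
        self.passwords = {}   # email -> password hash
        self.outbox = []      # (email, message) pairs that were 'mailed'

    def register(self, email, password):
        self.passwords[email] = _hash(password)

    def request_reset(self, email):
        if email not in self.passwords:
            return False
        # The flaw: the password changes before anyone proves control of the mailbox,
        # so whoever submitted the address can now log in with the known string.
        self.passwords[email] = _hash(FIXED_RESET_PASSWORD)
        self.outbox.append((email, f"Your password has been reset to {FIXED_RESET_PASSWORD}"))
        return True

    def login(self, email, password):
        return hmac.compare_digest(self.passwords.get(email, ""), _hash(password))


class HardenedAccounts:
    """Reset mails a random single-use token; the password changes only on redemption."""

    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

    def __init__(self, now=time.time):
        self.passwords = {}
        self.pending = {}     # email -> (token hash, expiry timestamp)
        self.outbox = []
        self._now = now       # injectable clock so expiry can be exercised offline

    def register(self, email, password):
        self.passwords[email] = _hash(password)

    def request_reset(self, email):
        # Same reply whether or not the address is registered (no account enumeration);
        # the existing password keeps working until the owner redeems the token.
        if email in self.passwords:
            token = secrets.token_urlsafe(32)
            self.pending[email] = (_hash(token), self._now() + self.TOKEN_TTL)
            self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email, token, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at or not hmac.compare_digest(token_hash, _hash(token)):
            return False
        del self.pending[email]  # single use: a replayed link is refused
        self.passwords[email] = _hash(new_password)
        return True

    def login(self, email, password):
        return hmac.compare_digest(self.passwords.get(email, ""), _hash(password))


def demo():
    """Attacker knows only the victim's e-mail address; never sees the victim's mailbox."""
    victim = "customer@example.invalid"  # constructed address

    weak = VulnerableAccounts()
    weak.register(victim, "original-secret")
    weak.request_reset(victim)
    vulnerable_takeover = weak.login(victim, FIXED_RESET_PASSWORD)

    strong = HardenedAccounts()
    strong.register(victim, "original-secret")
    strong.request_reset(victim)
    hardened_takeover = strong.login(victim, FIXED_RESET_PASSWORD)
    owner_unaffected = strong.login(victim, "original-secret")
    guess_accepted = strong.complete_reset(victim, "guessed-token", "pwned")
    token = strong.outbox[-1][1].split("token=")[1]        # only the mailbox owner has this
    owner_reset = strong.complete_reset(victim, token, "new-secret")
    replay_accepted = strong.complete_reset(victim, token, "again")

    return {
        "vulnerable_takeover": vulnerable_takeover,        # True: the post's scenario
        "hardened_takeover": hardened_takeover,            # False
        "hardened_owner_unaffected": owner_unaffected,     # True
        "hardened_guess_rejected": not guess_accepted,     # True
        "hardened_owner_reset": owner_reset,               # True
        "hardened_token_single_use": not replay_accepted,  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints one line per check; the first shows that, in the flow the post describes, submitting nothing but the victim's e-mail address is enough to log in as them. The hardened version also keeps the old password working until the owner redeems the link, so a stranger requesting resets cannot even lock the owner out.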

This archive was generated by hypermail 2.2.0 : 12/19/08 EST