INFOWORLD GRIPE LINE BY ED FOSTER

 
Intuit's Razor | 20 comments (20 topical)
Not Intuit, but related to an earlier gripe (#2)
by Anonymous User on Sun Mar 09, 2008 at 12:12:03 PM PDT

I seem to recall a company named Digital River coming up as the subject of a gripe within the past few months. I don't remember exactly what the provocation was, but I think we can add exposing customers' personal data to the rap sheet now.

I just got an email from them confirming somebody else's order.

Whoever it was apparently misspelled their e-mail address in the order forms, or purposely used a phony one to avoid the possibility of spam but happened to pick one that was genuinely in use.

Either way, I wound up with a plaintext order confirmation with someone else's street address and a bit of financial information in it. The customer's home address and shipping address were both in there (and in this case were the same, but if the customer had shipped to a P.O. box it still wouldn't have stopped the email exposing their home address).

Apparently they don't verify that an e-mail address belongs to the correct person before sending information on it.

I recall this site having featured, in the not too distant past, a) gripes about Digital River doing other shenanigans and b) gripes about a different company, I think a telecom, persistently sending emails with sensitive information meant for a customer to the wrong address and refusing to correct the error.

I replied to the Digital River originated email to alert them that they'd "gotten the wrong number" and suggest that they change such emails to just contain links back to their site, where a customer can login to see whatever the email would have contained.

I am, of course, keeping the customer data that I saw confidential.





Please, let's not go nuts (#3)
by Anonymous User on Sun Mar 09, 2008 at 04:48:45 PM PDT

I'm sorry, but I just don't consider my name and address confidential information. Hundreds - thousands - maybe millions, for all I know - of businesses have it.

Now, if DR had emailed you their customer's banking information - checking account info, credit card numbers - or something else that would generally be accepted as confidential then I'd be more concerned.

But a couple addresses? Please.




It's happened again. (#7)
by Anonymous User on Mon Mar 10, 2008 at 11:27:46 AM PDT

"I'm sorry, but I just don't consider my name and address confidential information."

You may not, but you are not everyone.

And we now have another example of businesses disclosing this kind of customer information blindly via e-mail: TheraBreath, apparently a company that makes toothpaste and other similar products.

The same person ordered products from there and gave my e-mail address again, and this time apparently the products ordered were a gift, because the shipping address wasn't the home address this time. So now I have TWO people's addresses.

TheraBreath's mailing also contained customer credit card information. You may not be worried about your home address being exposed to random people on the 'net, but your credit card info?

Needless to say, TheraBreath has been notified of their breach too now, and I won't disclose or misuse the information in their email to anyone.

Meanwhile, the list of companies that will blindly send customer-directed email to the wrong address grows to three:





Paranoid? (#9)
by Anonymous User on Tue Mar 11, 2008 at 09:18:48 AM PDT

Certainly, credit card data and other personal financial information should never be sent in an email. But name and address? That information is only considered secret by the terminally paranoid. It's in the phone book. It's readily available from the DMV (at least in Florida). You've given it to any business you've done business with (even casually). What do you think will happen if somebody gets ahold of that information? You'll get more junk mail?



Apparently... (#10)
by Anonymous User on Tue Mar 11, 2008 at 09:42:40 AM PDT

...you've never been stalked before.

Well, you know what they say. There's a first time for everything.





Oh Puhleeze, let's inject some reality here (#12)
by Anonymous User on Tue Mar 11, 2008 at 11:45:29 AM PDT

The act of knowing an address is a stalking threat? Most stalking incidents are related to personal relationship issues or matters of celebrity. The probability that a stalking threat will result because a random person somewhere in the world receives a name and address is so remote that I would be more worried about protecting my home from meteorite hits. ... and remember this is all a result of the customer apparently deliberately entering a bogus e-mail address when purchasing.



Reality? I'll give you reality... (#13)
by Anonymous User on Fri Mar 14, 2008 at 01:33:20 PM PDT

"The act of knowing an address is a stalking threat?"

No, but it increases the risk.




Wow (#15)
by Anonymous User on Wed Mar 19, 2008 at 06:55:35 AM PDT

So that means the phone book is a veritable wealth of stalking danger? Or for that matter, Google, or 411.com?

This is starting to sound more tin-foil hat than real.




Apparently... (#18)
by Anonymous User on Thu Mar 20, 2008 at 05:21:17 AM PDT

...you've never heard of things like unlisted phone numbers either. :P



Why is this Digital River's problem? (#11)
by Anonymous User on Tue Mar 11, 2008 at 11:35:00 AM PDT

I fail to see why this is considered DR's problem. What do you want them to do to confirm an e-mail address that a customer has posted to them? How much feedback handshake do you want to partake in to place an order with an on-line business? I really have no desire to go through a "you placed an order with us, are you who you say you are?", "yes I am", "are you sure" exchange when I place an order. The responsibility for making sure the return e-mail address is correct is mine and mine alone.

A customer places an order with an on-line business. They are usually presented at least two opportunities to assure that the information entered is correct. If the customer deliberately chooses to enter a false e-mail address, then I would place the blame solely and solidly on the customer who does so.

As far as the company that returned "credit card information": how much information are we talking here? Just the last 4 digits (i.e., the e-mail says, "you paid with your Discover card with the last 4 digits 1549"), which seems to be the current working trend, is hardly a security breach.

I just don't see the issue here.




What to do (#14)
by Anonymous User on Fri Mar 14, 2008 at 01:37:57 PM PDT

"What do you want them to do to confirm an e-mail address that a customer has posted to them?"

Why, nothing, of course. Instead, their emails can simply not directly disclose any of a consumer's personal info. They can link back to their site with a URL full of ?custID=gibberish?orderID=ghgfh that produces a login prompt and requires a previously established password before it will reveal any data, unless the original customer goes there and hasn't cleared out the cookie set when they logged in before to place the order of course.

The email could say something like order number xyz has now been shipped or whatever, without revealing what the product actually is or where it's going, providing such a link as described above to actually confirm such details; most customers are likely just to be satisfied with the message saying that the thing is on the way though.

If there's no way in hell for the product's identity to be sensitive it might as well be disclosed. New 19" LCD monitor? Fine. X-rated video? Best just to mention a cryptic order-number. :)

[ Parent | Reply to This ]
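
The link-back approach suggested in comment #14, sketched as an added example (not part of the original thread and not any vendor's code): the mail carries only a status line and an opaque reference, and details are served only to a signed-in session that owns the order. The `shop.example` URL, the field names, the function names and the sample order are assumptions made for illustration.

```python
import secrets

BASE_URL = "https://shop.example"  # assumption: placeholder storefront
SENSITIVE = ("name", "billing_address", "shipping_address", "card_last4")

SAMPLE_ORDER = {  # constructed sample data, not from the thread
    "customer_id": "cust-1001",
    "name": "Pat Example",
    "billing_address": "1 Sample Street, Springfield",
    "shipping_address": "PO Box 42, Springfield",
    "card_last4": "0000",
}

def register_order(store, order):
    """Keep the order server-side under a random, unguessable reference."""
    ref = secrets.token_urlsafe(16)  # encodes no customer or order data
    store[ref] = order
    return ref

def full_confirmation(order):
    """The pattern griped about: every detail in the mail body."""
    return "Order confirmed.\n" + "\n".join(f"{f}: {order[f]}" for f in SENSITIVE)

def minimal_notification(ref):
    """Status plus a link; nothing that identifies the buyer."""
    return f"Your order has shipped.\nSign in for details: {BASE_URL}/orders/{ref}\n"

def leaked_fields(body, order):
    """Sensitive fields whose values appear verbatim in an outgoing body."""
    return [f for f in SENSITIVE if order[f].lower() in body.lower()]

def view_order(store, ref, session_customer_id):
    """Serve details only to a signed-in session that owns the order."""
    order = store.get(ref)
    if order is None:
        return 404, None
    if session_customer_id is None:
        return 401, None  # the link alone is not enough: ask for login
    if session_customer_id != order["customer_id"]:
        return 403, None  # signed in, but as a different customer
    return 200, {f: order[f] for f in SENSITIVE}

if __name__ == "__main__":
    store = {}
    ref = register_order(store, SAMPLE_ORDER)
    print(leaked_fields(full_confirmation(SAMPLE_ORDER), SAMPLE_ORDER))
    print(leaked_fields(minimal_notification(ref), SAMPLE_ORDER))
    print(view_order(store, ref, None)[0], view_order(store, ref, "cust-1001")[0])
```

A check like `leaked_fields` can run as a pre-send test on every mail template, so a mistyped recipient address receives nothing beyond a link that still requires the customer's login.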



Not what the original person said (#16)
by Anonymous User on Wed Mar 19, 2008 at 07:01:58 AM PDT

The original comment was,
"Apparently they don't verify that an e-mail address belongs to the correct person before sending information on it."

Sounds to me like the demand was for some sort of e-mail confirmation handshake.




Actually... (#17)
by Anonymous User on Thu Mar 20, 2008 at 05:20:21 AM PDT

...it's perfectly consistent, because the suggestion above would result in their not sending any sensitive information to any email address whatsoever.


