Saturday, January 02, 2010

Yahoo! store merchant sends my security code in email!

So I just placed an order with a Yahoo! store merchant and got an email that looked like this:

This email is to confirm the receipt of your recent order from <merchant name>.


You can always find out the current status of your order by going to
https://order.store.yahoo.net/blahBlahBlah

Date     Sat Jan  2 08:22:10 HST 2010
Ship to  Carol Park
         <our street address>
         <city/state/ZIP>
         US United States
         <ZIP extra 4 digits>
Bill to  Same
SC       <the real 3-digit security code from the back of my credit card!>
E-Mail   <my email address> (emailed)
Via      US Priority Mail
Payment  <CC type (Visa or MC)>


Name             Code               Qty   Each  Options
-----------------------------------------------------------------
blahBlahBlah...

I was rather unhappy to see the real 3-digit security code right in the middle of the email, and sent the merchant a note asking them to please tell Yahoo! to not send the security code. Maybe it was the merchant who set the options up wrong? I'm not sure. Anyway, I'll let you know when they tell me they've got it fixed. Here's what I wrote to them:

Folks, 

Please forward the below to whoever manages your web-order system, 
maybe some yahoo.com person.  Short version: I'm quite concerned 
that my credit card's security code was sent in email in plain text. 

------------------------------------------------------------------------

Dear web/mail/order system design/maintenance staff:

PLEASE do not send the card's security code in email!

The below email had a line with the credit card's security code
in cleartext.  It looked like this:

SC       123

(I changed the digits; that's not my real security code.)

The code is called a SECURITY code because only the card holder
is supposed to know it!  It's one thing to enter the code over
an SSL connection (https:...); it's quite another to send it in
plaintext email.

Please let me know that you've fixed this, so that I can feel
more comfortable ordering stuff from other Yahoo! store merchants.

Thanks and

Happy new year,

Collin Park (the below order is a gift for my wife)

*** Your original message follows ***

<merchant name> (through Yahoo! Store Order System) wrote:
> This email is to confirm the receipt of your recent order from <merchant name>.
> 
> 
> You can always find out the current status of your order by going to
> https://order.store.yahoo.net/OS/[[this part elided]]
> 
> Date     Sat Jan  2 08:22:10 HST 2010

[[...elided...]]

I'm also going to let them know that I put this up on my blog.