Security Loses as Arrogance Rears and Kicks
Folks may consider my need for privacy a surprise, but I am a firm believer in it. One always needs a place where eyes will not judge what is said, done, and eaten. Security is the wall that privacy depends upon. When security is compromised, bad surprises may happen.
For the past few months, I have been plagued with messages to my GMail account that was set up for IT/SW/EE information. I have always used this account (since GMail began, in fact) to stay in the know of my former career fields so I am not out of touch. The emails that have been the nuisance began because two other “Kimberly Reynolds,” in the Detroit and Dallas areas respectively, decided that they could use that address to sign up for coupons and such.
My first example is more of an annoyance than a security pet peeve. I get emails about Pampers specials and other similar products by Procter and Gamble that require me to sign into their website. I have no idea what the password is, but my email address is the sign-on ID. Curious, I tried seeing if I could remove my email address. No luck because I cannot provide the information to do so. The consoling fact that Procter and Gamble requires a person to enter their date of birth and zip code (in this case Detroit) when a password reset is requested is great, but does not help me at all since I did not sign up for their coupons in the first place. I have yet to figure out how to get my name removed from their emails because unsubscribing from their email “pusher” does not work. So far, creating a filter to mark the messages as spam does.
The next example of Replacements, Ltd in North Carolina is scarier. Somehow I ended up receiving all of the emails for a woman in the Dallas, TX area because a staff member entered my email address as hers. If you go to their website there is no way to edit your customer profile, but when I click on the link emailed to me from Replacements, I can see that person’s mailing address and phone number. I could even edit the information to a different place entirely. Please note that all of these changes can be done without the prompting of a password. Yikes!!
This same Kimberly Reynolds in Texas opened up a Lane Bryant credit account. How do I know? You guessed it. Lane Bryant never verified her email address when she set up the online account. I am just glad that I am not the type of person who would fraudulently use another person’s account. Can you imagine if one did?
The worst culprit I have encountered in my email craziness is by a well-known job site, “Snag A Job” based in Virginia. I had been checking my emails and was caught off guard by the message that welcomed me into the Snag A Job workforce. Minutes later I received an email confirming that my application to Michael’s Crafts was successfully entered and accepted. Being the bunny I am (Rabbits are notorious for wanting things in an orderly fashion. That is why they are territorial and easily angered when their cages are cleaned.) I stopped what I was doing to find out who the heck “Snag A Job” was. What I quickly learned is that I would NEVER, EVER in a million years use that company.
When I twice called the toll free number to customer service, it put me into voice mail. I left a message after the second call. Realizing that this company probably will not call me back, I called again and received a rude awakening. It seems that Snag A Job does not verify a person’s email address when they sign up. I was told this decision not to verify email addresses was made by their product management team. Doing so would be a waste of time and “their numbers for potential sign ups would fall.” Here’s the catch that scared me: I could have taken the welcoming link sent to me to log into that account and would have access to that person’s social security number, date of birth, and other sensitive information.
As I repeatedly asked if this issue would ever be addressed, I was told no. Hearing the same explanation over and over, I finally had to hang up the phone after telling the customer service representative I could not wait to share what I had learned. I could see in my head her shrugs of indifference. I guess it was no big deal to her because who would listen to me anyway. Looking up Snag A Job’s website, I saw they used three Twitter accounts. I tweeted about their lack of security and included all three accounts:
Today was interesting. @SnagAJob @SnagAJobWorks & @LifeAtSnagAJob don’t verify registrants’ emails. Guess how I found out? My story soon!
Now “soon” was stated because I knew that my angry nerves needed to calm down after being told this company did not care about security. All I kept thinking was how arrogant they were on the phone and how sloppy their attitudes looked. It has been 2 days shy of a month since that happened and I disgustedly am still shaking my head and holding my stomach to stop the forming knots. What I have to put behind me is knowing that tens of thousands of people have trusted their information to a company who has put their data behind profit. To this day the issue has not been addressed. I am still mortified. Wouldn’t you be? =:8
I would report all those companies to your local Better Business Bureau for investigation. There are, I am sure, statutes in place in the US that guard against this type of thing, and if there aren’t, Holy F*ck.
you should also report the places that are spamming you to the FTC. refusing (or neglecting) to remove you from their email lists when requested via the unsubscribe link in the messages is a violation of the CAN-SPAM act and can cost them big bucks in fines. see http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec02.pdf (pdf, includes how to file a complaint). couldn’t hurt to report the snag a job thing there too as i suspect there are privacy protections for at least the SSN stuff that are being violated. good luck. lately 99% of the spam i get is in french, which makes them really easy to sift out!