So I just finished sending letters of complaint to VeriSign and a certain online vendor that shall remain anonymous until I’m sure they flushed my CC number from their system. These guys are really, really stupid.
Here’s what they do. They offer me an HTTPS secure connection to set up my account to buy this techno item I needed. As part of registration I HAVE to enter my credit card number, which is kind of annoying, but they’re going to get it eventually anyway. They also want a password, so I choose a new secure-ish one to protect my information, right? And I note that my full CC number is visible afterwards in My Account info, which isn’t great. Amazon does the right thing by only showing the last digits. But the site has this gold “Verisign Secure Site” logo so I figure I’m covered.
Then they EMAIL me IN PLAINTEXT my PASSWORD! Fools!
If I was some average idiot, I would just leave the password the way I set it and any fool who can intercept or read my email would be able to log in and suss my CC number. Not good.
So I emailed them and cc’d Verisign, and filed an abuse notice on Verisign’s site. I want them to delete my account info clean from their system. And Verisign ought to do something about giving a seal to this lame security. No matter how good your security on-site is, it sucks if you leave such a gaping hole in the email response system. Sheesh.
I’ll update with the name of the idiot vendor once I’m sure they’ve removed me from the system.