Help:About/archive/2007 Fax Incident

From VbzWiki

Summary

A customer actually tried to use our fax number to send in his credit card information (nobody had tried to use this for several years prior). Unfortunately, the instructions in the ordering area still had our old fax number at k7.net. K7 is a service which provides you with a dedicated phone number which accepts faxes and forwards them to you as emails. However, they mysteriously dropped my account several years ago and I switched to FaxAway, which does essentially the same thing -- and of course I forgot to update our fax number in the checkout system. (The checkout system is going to be rewritten from scratch as soon as I have enough of the data migrated over; this will make it much easier to be sure all the contact information is correct.)

If I hadn't been busy fighting the issues caused by our lousy internet, and then subsequently busy trying to figure out why our brand-new shiny internet was just as lousy, I would have spotted the problem a week earlier. I feel very frustrated about this, but I can't really see what I could have done differently; I absolutely thought I had updated the fax number, so it never would have occurred to me to double-check that particular area of the code.

If anyone has any thoughts on how I might have handled this better, please feel free to post them on the discussion page.

The customer placed his order on Sunday November 11; on Thursday the 15th, he sent an email asking when it was going to ship. I finally had time to research the situation on Saturday the 17th, when I determined that he didn't seem to have entered any credit card information, and I emailed him back to this effect; he replied later that evening (after my bedtime) that he had faxed it in. The next day I looked into the situation, and realized what had happened...

Emails

vbz to customer

Oh, well that certainly explains it! We haven't had a fax so long that I didn't think to check on that possibility.

Also, apparently the fax number listed on the site is our old fax number, at a fax service which I thought had been discontinued.

This is obviously something of a ghastly mistake on my part, as your credit card number is now possibly in the hands of an unknown individual. If this is the case, the chances are good that they will not make malicious use of it -- but you may want to take whatever actions you would normally take if you were concerned that your credit card number had fallen into the wrong hands (not necessarily malicious, but unknown).

Personally, I would just be watching my credit card statement online extra carefully for the next couple of weeks, but some people might go so far as to cancel the card and get a new number; it's entirely up to you...

...but either way, my profuse apologies for allowing this to happen. I will be sending you the stickers free of charge, by way of apology. (I am also tempted to remove the fax option from our site, as it has been difficult to maintain and has not been used for several years.) Please let me know if there is anything else I can do.

Towards evaluating the risk that your card number will be misused:

  • I called up the number in question (206 338 5660), and got a voicemail system which did not announce the name of the owner. I have sent another fax to that number asking them to destroy the fax if they received it, and to let me know either way. I will let you know if I hear anything from them (I wouldn't expect to hear back before Monday).
  • A Google search for that number turns up only references to vbz.net and to me, so it's entirely possible that the account is actually not in use.

Again, I apologize for this error. I will send out the stickers free of charge in Monday's mail.

Thank you,

customer to vbz

This is outrageous. I can't believe that an honest merchant would do such an irresponsible thing, allowing an unsuspecting customer to send their credit info to who knows where. I sent the info by fax because it looked like your website was not secure (no "https" on the order page). I should have known better than to fax you my credit card given the lack of security and your own admission of technical problems with your ordering system on the website. I seriously think you should take your website offline immediately until you can clean up your act. In this day and age of secure online shopping this is completely unacceptable.

I hope this is not some sort of scam. I will contact my credit card company and cancel the account. I look forward to getting my "free" stickers.

vbz to customer

I don't have the main shopping pages secured because no personal information is entered there; when you press the "Finish Order >>" button, the next page you go to is https://ssl.vbz.net/checkout/ -- which is secured. It is on these secured pages that you enter all your contact, shipping, and payment information.

The problems with the ordering system, which have largely been resolved at this point (I need to update the status page), never affected the site's security.

I have removed the fax option from the checkout process.

I apologized to you because my website led you to believe that it was safe to fax your credit card information to the number given, when it was not in fact safe to do so; I admitted that mistake, said I would send you the stickers for free, and asked you if there was anything else I could do.

You suggested taking the store offline "until you can clean up your act". I seriously considered doing this, as I have considered doing many times before for various reasons -- but ultimately I don't think this error (which has now been corrected), as serious as it was, warrants such an extreme measure. Although the vbz.net web site has many flaws, I do not think that data security is one of them.

As for the implied dishonesty -- should it happen that your credit card number is abused, vbz.net will not be benefiting in any way; the sole beneficiary, if any, will be whoever misused the number. In fact, it looks like I might be liable for any abuse of your credit card -- the merchant credit card processing agreement includes this bit of text: "Merchant agrees to indemnify, defend, and hold [card-issuing bank] harmless from and against all losses, liabilities, damages and expenses (including legal fees and collection costs) which the [card-issuing bank] or their affiliates or agents may suffer or incur arising from any breach of any warranty, covenant or misrepresentation by Merchant" -- where my posting of the wrong fax number would qualify, I think, as a "misrepresentation", however unintentional -- so I thank you for taking prompt action and cancelling your card.

You can accuse me of sloppiness or negligence in this instance, but I don't think you have any grounds for suggesting that I have been dishonest. I could have attributed the loss of your card information to a "glitch in the fax system", or "oh, yeah, we found that fax and it was all smeared, so we've disconnected the machine..."; I did not do so. I immediately owned up to the mistake as soon as I realized what had happened. And of course as I said earlier, it's not as if I could possibly benefit from this in any way (even if you assume I am lying to you, I can't think up a scenario where I would benefit by telling you what I have told you).

Again, I apologize for this error, and I truly hope it turns out that your credit card number was not abused during the week or so when it was active and in unknown hands.

I have packaged the 2 sticker sets (qty 2 of the same set), and they will be going out in Monday's mail.

Regards,

customer to vbz

I had no intention of implying that you are dishonest. I am angry about what happened and I stand by everything else I said. I am glad you fixed the error on your website.

Have a nice day.