There's a guy. His name is Mike and he lives in Ohio. Mike knows a woman named Brittany. Brittany lives in Atlanta, and Mike wants to book one-way travel to Ohio for her. Priceline is as good a site as any to do this, so he logs on and sets her up. Everything is hunky-dory, until Mike decides to do something rather stupid - presumably because he wants to avoid SPAM, he makes up an email address when creating his account. MY email address.
I immediately responded to the confirmation email when I got it, notifying Priceline of the problem. They sent an automated message back saying that mailbox is not monitored. Fine. I took a few minutes, went to their online form and notified them again - and... I was ignored. After a few days, I figured Priceline was going to continue to ignore me, so I decided to see what exactly the risk to them was, not to mention Mike from Ohio, and possibly even Brittany from Atlanta.
I found it very easy to reset Mike's password and log into his account. All I needed was his name and access to his email account, which was actually my email account, and his name was included in the trip confirmation.
Here's his account!!
Here's Brittany's flight information!!
Best of all, here's his saved credit card!!
There was nothing (credit card spending limits?) preventing me from booking him and Brittany a $10,000 flight to Siberia on his own credit card. Luckily for Mike, I'm no criminal so I won't do that, but especially since Priceline ignored my message to them, I wouldn't want to miss the opportunity to publish this example as a common-sense lesson to all: if you consider a company worthy of using your credit card information, they're probably worthy of being trusted with your email address too.
Yes, I know people are concerned about SPAM and keeping their email addresses to themselves, but trust me, Priceline isn't the cause of email spam. You'll be ok.
New entries for Steve's blog are published every Monday, Wednesday, and Friday at 10:00am NY time and can be seen at http://www.tursi.com