Gear4Music account security


Mornats

I've just ordered from Gear4Music for the first time. Got a cable that was damaged in the post. That was fine, I emailed them and they very kindly said to keep that cable and they'll send another.

However, their email to me about the dispatch of the new cable included my account password at the end. What the actual f***?! Now I have to change my password on a fair few sites (I have a range of passwords that I use so it's not all sites and nothing absolutely secure thankfully.)

So if you use Gear4Music, please make sure that at the very least you use a unique password for their site.

Emailing a password is the most stupid breach of security a site could do. I can't believe that in 2014 major retailers do this. If they held any card details on their site they'd be up for a massive fine for a breach in data security.

Yes, I did reply to them to point out that they shouldn't be doing this.

I've been working in web user experience for over 14 years now and honestly thought that the days when an online retailer would email your password to you were long gone. They shouldn't need a customer to point this out.

[quote name='Mornats' timestamp='1395939887' post='2408243']
Yes, I did reply to them to point out that they shouldn't be doing this.

I've been working in web user experience for over 14 years now and honestly thought that the days when an online retailer would email your password to you were long gone. They shouldn't need a customer to point this out.
[/quote]

Oh, I totally agree, but things don't improve if we don't help each other (which you did :)). That is a bit worrying though!

Edited by skej21

Well, it's such a serious breach that if they stored my credit card details (which they don't, thankfully) I'd be reporting them for a breach of the Data Protection Act. And that carries a jail term as maximum sentence.

I appreciate that yeah, we should help each other but this is a major security mess up.

I'll never use this site again. They also sent my replacement cable to my billing address not my delivery address so they've not gotten much right.

They shouldn't even be storing the actual password, they should be storing a one way hash value so they can verify it when you log in, but they can't unscramble that value back to the original password. Noobs.

Edited by dannybuoy
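
The scheme dannybuoy describes, written out as an added example (this is not code from the thread or from Gear4Music, and the algorithm, parameters, record format and function names are all choices made here): a salted, iterated one-way hash is stored instead of the password, and login re-derives the hash and compares it in constant time. It also goes one step past the post to show what a site should email when a customer does need help with their account, namely a single-use random token whose hash is stored, never the password.

```python
import hashlib
import hmac
import os
import secrets

# Parameters chosen for this example; they are assumptions, not a
# description of how any real retailer stores passwords.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$dk_hex.

    Only this record is stored. The plaintext never is, so there is nothing
    for a support-desk email template to leak.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per password, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time.

    A malformed or foreign record verifies as False rather than raising.
    """
    try:
        alg, iterations_str, salt_hex, dk_hex = stored.split("$")
        if alg != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if iterations < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def issue_reset_token() -> tuple:
    """What *should* go in an email: a single-use random token.

    Returns (token_for_email, hash_for_database). Only the hash is stored,
    so reading the database does not yield a usable reset link either.
    """
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def check_reset_token(stored_hash: str, presented: str) -> bool:
    """Constant-time check of a presented token against its stored hash."""
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    record = hash_password("Snow White and the Seven Dwarves")
    print("stored record:", record)          # contains no trace of the password
    print("login ok:", verify_password(record, "Snow White and the Seven Dwarves"))
    print("wrong pw:", verify_password(record, "snow white and the seven dwarves"))
    token, token_hash = issue_reset_token()
    print("email this: ", token)
    print("store this: ", token_hash)
```

The record format carries its own iteration count so the cost can be raised later without invalidating existing accounts; `hmac.compare_digest` is used for both comparisons so a wrong guess does not leak how many bytes matched through timing.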

[quote name='dannybuoy' timestamp='1395952546' post='2408393']They shouldn't even be storing the actual password, they should be storing a one way hash value so they can verify it when you log in, but they can't unscramble that value back to the original password. Noobs.[/quote]

Agreed. But assuming they've done their PCI DSS accreditation (they may not have, but they're a big operation, maybe they have) they might think that storing passwords isn't any more of a risk given all the other sensitive data they're storing. Clearly they're wrong if they're randomly firing that data out in plain text from their mail server, but there you go.

The last big contract I worked on before I went and got a 'proper job' last year was developing a billing and payment system for a large service management platform with an annual budget in the tens of millions. Long story short it all worked and was supported by tests when I was done with it, and then they got their in-house guys to refactor something because it looked complicated (it looked complicated because it [i]is[/i] complicated!). They didn't test beyond having the developers eyeball that it seemed to do what they expected, and went live with a horrifically broken payment system which left the billing system completely in the dark about whether something was paid or not. Six months in they realised nothing had been paid.

Turned out they also had problems with organised crime using their platform for money laundering - I swear the bigger the budget the less diligent these operations become. IMO if your testing team isn't pretty much the same size as your development team you're going to either produce bad software or your development cycle is going to be ponderously slow and your devs miserable.

[quote name='Mornats' timestamp='1395876160' post='2407626']
I've just ordered from Gear4Music for the first time. Got a cable that was damaged in the post. That was fine, I emailed them and they very kindly said to keep that cable and they'll send another.

However, their email to me about the dispatch of the new cable included my account password at the end. What the actual f***?! Now I have to change my password on a fair few sites (I have a range of passwords that I use so it's not all sites and nothing absolutely secure thankfully.)

So if you use Gear4Music, please make sure that at the very least you use a unique password for their site.

Emailing a password is the most stupid breach of security a site could do. I can't believe that in 2014 major retailers do this. If they held any card details on their site they'd be up for a massive fine for a breach in data security.
[/quote]

Is this a new thing then? I've just gone back through all my orders and can't see this on any emails.

[quote name='Jonnyboy Rotten' timestamp='1395878940' post='2407649']
It seems they are as careful with their customers details as they are with their guitars!
[/quote]

Too right! Look what happened to my password when they sent it back to me:

[quote name='JapanAxe' timestamp='1395963815' post='2408570']
Too right! Look what happened to my password when they sent it back to me:
[/quote]

That's like when those terrorists were using improvised explosive devices made from tins of alphabetti spaghetti.

If one of them had detonated it could've spelled disaster.

[quote name='thisnameistaken' timestamp='1395965375' post='2408580']
That's like when those terrorists were using improvised explosive devices made from tins of alphabetti spaghetti.

If one of them had detonated it could've spelled disaster.
[/quote]

[URL=http://www.smileyvault.com/][IMG]http://www.smileyvault.com/albums/userpics/13049/applause.gif[/IMG][/URL] Like.

[quote name='dave_bass5' timestamp='1395963364' post='2408568']
Is this a new thing then? I've just gone back through all my orders and can't see this on any emails.
[/quote]

It wasn't on the original order confirmation, it was on their reply to my email about the cable being damaged due to lack of packaging.

I won't be using them again for sure.

[quote name='thisnameistaken' timestamp='1395965375' post='2408580']
That's like when those terrorists were using improvised explosive devices made from tins of alphabetti spaghetti.
If one of them had detonated it could've spelled disaster.
[/quote]

Haaahhhhh!! :D

Edited by discreet

[quote name='Mornats' timestamp='1396008618' post='2408925']
It wasn't on the original order confirmation, it was on their reply to my email about the cable being damaged due to lack of packaging.

I won't be using them again for sure.
[/quote]

Ah, I see, thanks for clearing that up.

[quote name='thisnameistaken' timestamp='1395965375' post='2408580']
That's like when those terrorists were using improvised explosive devices made from tins of alphabetti spaghetti.
If one of them had detonated it could've spelled disaster.
[/quote]

:) I also like Nick Helm's joke:

'I needed an eight-character password - so I chose Snow White and the Seven Dwarves...'

Edited by discreet
