Note to companies doing business online: GET A CLUE
- Mon Feb 28 2005
I love companies that are nearly completely clueless about doing business online. You’d think that since it’s been done for so long they wouldn’t get things wrong, but they do. Oh they do.
Take the Hawaii Tribune-Herald as an example. If you go to their website you may notice that you can subscribe online. Kudos to them for offering it; it saved me from having to talk to a person when I subscribed. They email you a receipt to confirm that the subscription was filed, and that’s all good.
What isn’t good is that your credit card number is right there in the email for anybody to see. Everything, all sixteen digits, the expiry date, the name on the card. Given that email is sent without any sort of encryption, it means that anybody who has access to the email can get the number. And given that email can be relayed through any number of computers before reaching you, you have to trust that every server that it’s passed through is secure and there isn’t anybody watching.
One of the standard edicts of Internet commerce is “never send personal information over email.” It’s a shame that the Trib couldn’t get this one blazingly easy thing right. It’s not that hard to X out all but the last four digits, just like nearly every other company on the face of the planet does.
So I emailed the webmaster for the Trib, and he replied with:
When you subscribed you were using our secure server and the data is totally encrypted on our end to us. Nothing is stored in a database, we complete whatever transaction you selected and then your information is deleted.
Our parent company that assists us with secure online transactions and content management is subject to security audits although I am not sure the last time one was completed.
On the form you filled out, one of the options that you had was to be contacted for payment options. We have this for people who are not comfortable with conducting commerce electronically. I can assure you that your information was/is not in jeopardy of being “stolen” through our system.
Of course he missed the point entirely. I suggested X’ing out the credit card number, to which he replied, “Oh, that sounds like a good idea.” Gah.
Then there’s JCPenney. Alice and I needed new curtains, so we ordered some online from them. Everything went well, and of course the ordering process had a box saying something like “can we use your email address to bombard you with useless sale deals and other rot that just ends up getting deleted anyhow?”, to which I answered no. Then amazingly I received an email from them saying I wouldn’t receive email from them. I quote, “This is being sent to confirm that b.cavanagh@jach.hawaii.edu will not receive Email from jcpenney.com.” In an email sent to b.cavanagh@jach.hawaii.edu from shopper@jcpenney.com. Brilliant!
And of course I’ve since received three emails from them about online-only sales.

One Response to “Note to companies doing business online: GET A CLUE”
Mon Feb 28 2005
3:05 pm
Oi.