On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It
from the well,-that's-useful dept
Weren’t we just discussing the idea of criminal liability for egregious security problems with data? And… weren’t we also just discussing Sears’ offer to install spyware on your computer without much notice, all in the name of community? Well, let’s combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole: you can look up the Sears purchases of just about anyone, so long as you know their name, address and telephone number, details that for most people are a matter of public record. As Edelman notes, this appears to be in direct violation of Sears’ own privacy policy (and, well, common sense, but that’s a different story…). So, now, Sears.com is spying on users without making it all that clear, and revealing all customer purchase data behind poorly implemented security. It’s not a particularly comforting picture.
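As an added illustration of the flaw class described above (hypothetical code written for this page, not Sears’ implementation and not a description of the real site’s internals): a purchase-history lookup that is “authenticated” by nothing more than the name, address and phone number the caller supplies, beside a version that derives authorization from the logged-in session and checks that the requested customer record belongs to it. The customer data, item names and function names are all made up for the example.

```python
"""Knowledge-based lookup (the flaw) vs. session-bound lookup (the fix).

Hypothetical code written for this article; not Sears' code. All data below
is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Purchase:
    customer_id: int   # internal key; never shown to or supplied by the caller
    item: str
    price: float


# Constructed sample data. The three "identifying" fields are exactly what a
# neighbour, a phone book or a discarded envelope would give an attacker.
CUSTOMERS = {
    1: {"name": "Jane Doe", "address": "12 Elm St", "phone": "555-0101"},
    2: {"name": "John Roe", "address": "34 Oak Ave", "phone": "555-0102"},
}
PURCHASES = [
    Purchase(1, '50" plasma TV', 1999.00),
    Purchase(1, "5-year service plan", 300.00),
    Purchase(2, "Cordless drill", 129.99),
]


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive match, as a lenient form would do."""
    return " ".join(s.lower().split())


def lookup_weak(name: str, address: str, phone: str, captcha_ok: bool = True):
    """The flawed design: anyone who knows three public facts gets the record.

    A CAPTCHA (captcha_ok) only slows down scripted enumeration; it does not
    stop a human typing in a neighbour's details one at a time.
    """
    if not captcha_ok:
        return None
    for cid, c in CUSTOMERS.items():
        if (_norm(c["name"]) == _norm(name)
                and _norm(c["address"]) == _norm(address)
                and _norm(c["phone"]) == _norm(phone)):
            return [p for p in PURCHASES if p.customer_id == cid]
    return None


def case_block(candidates, min_price: float = 500.0):
    """Why this matters at scale: feed in names pulled from mailboxes and get
    back the addresses with big-ticket purchases. Each call is a legitimate
    form submission, so per-request CAPTCHAs do not change the outcome.
    """
    hits = []
    for name, address, phone in candidates:
        for p in lookup_weak(name, address, phone) or []:
            if p.price >= min_price:
                hits.append((address, p.item))
    return hits


@dataclass
class Session:
    customer_id: int   # set by the login step, never taken from the request


def lookup_strong(session: Session, requested_customer_id: int):
    """The fixed design: the customer id in the request is untrusted input;
    the record is released only if it belongs to the authenticated session.
    Returns the same shape (None) for "not yours" as for "does not exist".
    """
    if session.customer_id != requested_customer_id:
        return None
    return [p for p in PURCHASES if p.customer_id == requested_customer_id]
```

The point of the pair is that the weak version has no secret in it at all: every input is something third parties already know, so the check authorizes an identity rather than authenticating a person. The fixed version moves the trust decision onto the session established at login and treats the identifier in the request as a claim to be verified, which is the check an IDOR-style review would look for.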
Filed Under: ben edelman, privacy, security, shopping data
Companies: sears
Comments on “On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It”
I knew there was a reason I don’t like shopping at Sears…
oooooh
Now that’s what I call community!
Wow, stupid Sears
So I guess Facebook isn’t the only stupid corporation around. I just tried this and up popped my parents’ Sears purchases. Insane.
This is why it was a better idea to have stiffer penalties for those that violate the anti spyware laws. To most companies a small fine does nothing to them. Just pay the fine, and move on. They can add the extra expense to the customers purchases, and still smell like a rose. But a major fine hits their pockets. Not so easy to pass on to the customer. Pay one or a couple of those, and you will think twice.
What's the crime?
Unfortunately, having lousy security is not against the law. The free market system fixes problems like this. My question is why has no TV news magazine presented the same evidence as a “public service.”
Re: What's the crime?
Oh they will…
Once they figure out how to spin it so that if you don’t watch the 10 o’clock report you will DIE FROM THIS FLAW!
Unless you’ll die, someone has already died, something will blow up, or someone will die from blowing it up… thus killing someone news really doesn’t have the time to add it in.
You have to fit it between the fluff pieces on your local animal shelter animals up for adoption, the cutesy picture of kids doing some great service to mankind by selling (insert crappy item here) for (insert crappy charity here), and the sensationalized coverage of the election “Obama wins Iowa, Hillary to commit suicide?”, etc etc…
Re: What's the crime?
Well, Sean, first of all, Sears is violating their own privacy policy by giving out customer information to the general public. Secondly, this most likely also violates their agreements with Visa and MC.
In regards to the general media — Sears was smart to pull the function very quickly before the media got a hold of it. I wonder if all the blogging increased traffic of hackers and people entering multiple addresses. They certainly did scurry to get the info off the website. I did see articles on yahoo news, abc news and the washington post, so although it has not gotten TV press, the word is spreading.
eBay History
If I know your eBay user ID I can see everything that you have bid on or bought using the advanced search feature.
I can also see everything you have sold. For example, I see that my nephew is selling the PS2 game I gave him. He’s selling it as used, so either he beat it or he didn’t like it.
Re: eBay History
I suspect that ebay allows it because they are technically an auction site and researching a bidder’s history can help in uncovering shills e.g. someone with a feedback around 0 but has bid on 100 items from the same seller and yet never purchased anything.
first discovered issue
For the record, “Heather” first uncovered this issue by posting a comment to the original Sears discovery here:
http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
and then later followed up here:
http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy-issue-for-sears.aspx
“Heather said:
OMG! Check out a Sears site, managemyhome.com. Once you register you can look up purchase information for ANYONE by just putting in their name, address and phone number. Sears has you enter a code and says that keeps your info safe, but that is pretty useless — I think that just prevents a script from being created, but DOES NOT stop people from entering in anyone else’s info to get the purchase info on big ticket items — this could bring casing someone’s house to a whole new level!!
I contacted the privacy e-mail that the site provided, but no one ever responded. Anyone with any ideas about how to get this service off the web, I would be open to suggestions.”
#7
The difference with eBay is that as an auctioneer you build trust by showing that you sell or have sold various items with honest effort in their description and quality of service in delivery. I wouldn’t buy anything on eBay if it didn’t have a search like that or the feedback system. In the case of Sears (as a retailer) all transactions are between you as a paying customer and Sears the company, and that transaction is assumed to be private, unlike a public auction house full of people where we all expect that everybody there will know what I bought and how much I paid for it because… well, then it wouldn’t be an auction. So the devil is in the details of public auction (eBay) and private sale (Sears). Sears has no right, without express written or digitally signed consent, to sell my purchasing records. If they make that clear then they are technically in the clear, because you know up front your data is going to eventually be sold to the highest bidder; you release all right to privacy. You could always shop somewhere else, though I doubt many people would willingly shop at Sears.
Re: #7
That’s pretty much what I was getting at. Thanks for clarifying some of those points about the relationship between Sears and its customers.
Community
In a real community, everybody knows everybody else’s business, we only figured it made sense to do it this way…
Sears
What is wrong with Sears? And who cares if they give this info away? There is nothing too crazy that would show up. Now if it was Dildos-R-Us, some crazy stuff might show up there.
😉
Re: Sears
If I just bought a 50″ plasma TV from Sears, I don’t necessarily want some shady neighbors knowing about it.
Re: Re: Sears
But the 50+ inch box sitting on the curb for garbage pickup doesn’t tell them you just bought a new TV either…
Re: Re: Re: Sears
Good point(really) but someone has to actually drive around a city looking for those boxes whereas with this info being online, you can sit at home and case entire neighborhoods for loot. Then you can take your time casing the physical aspects.
But wait, there’s more.. If I know your name and telephone number and that you’ve made a purchase from Sears, it becomes a trivial task to social engineer other information as well.
“Hi, this is the Sears Warranty Support Center. I see that you recently purchased one of our plasma televisions but you neglected to get an extended warranty on it.”
Customer: “What!?!?! I paid $300 for a 5 year service plan”
“Sorry, we don’t have any record of that. Can you please tell me the credit card number you used for the purchase?……..and that expires when??? Hmm, sorry, I still don’t show anything…oh wait, here it is…they mistyped your DOB in our system. It’s all fixed now. Sorry for the inconvenience”
It REALLY is that easy and the customer will thank the “representative” for helping resolve the “problem”, and it’s only that easy because all of that information is available.
P.S. We take all of the boxes to any expensive items and put them in front of some neighbor’s house that we don’t like. We do this regardless if it’s Xmas or the like. So this year I imagine that some crackhead will break in trying to find their new Wii.
Re: Re: Sears
I am going to agree with you on this. If I make a major purchase… what is my guarantee that the person checking my purchases is not staking me out in order to commit a burglary?
To some this kind of info looks innocent enough, but to others it looks like a gold mine. Look up a neighborhood of names from mailboxes, or discarded mail, and have a field day on the few holidays we do have each year, just by checking out who bought what, when, and how much that product may be worth on the streets.
I get the shivers just thinking about this. Bad idea on the part of Sears.
Oh come on now...
I’d like to know if this community site was created in house by Sears, or if they hired a developer to do the work. That sort of defect in security is for n00bs. It’s the developer that should be castigated.
I do not work at Sears. I do not shop at Sears. There is no Sears store within forty miles of my home. But here’s the news…
Sears is in business to sell stuff, and most of the stuff they sell is ok. The hand tools are almost good. So the community web site was botched. Yeah, it’s a problem; Sears should thank people for bringing it to their attention and fix it now. I don’t see it as a rational basis to impugn the entire company’s reputation. This seems to excite the knee jerk reaction “big company, bad!” from some people. It seems that Big has become a pejorative term in nearly any case but government and fast food.
just tried it
I just tried it, and I didn’t see the “search your purchases” link. Either they removed it, or I just didn’t see it because I’m sorta in a rush.
Interested in Class Action
Check this out. A case was filed on Friday—
http://blog.washingtonpost.com/securityfix/2008/01/class_action_suit_alleges_sear.html
Yes, the real buffoon here is Jim Hilt the director of Manage My Home. See this article that Ben highlighted in his article about what Manage My Home was doing. Jim is freely talking about the benefit.
http://findarticles.com/p/articles/mi_qn4155/is_20071109/ai_n21104858
This guy definitely gets the award for the stupidest web marketer of the year! Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public. Since they were so free with my info, I don’t have a problem sharing their info — I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com — I would guess that Jim’s e-mail address is Jhilt00@searshc.com or jhilt01@searshc.com.