So, last week I was going to purchase a shiny new scanner from Newegg.com so that I might reduce the paper clutter that resides at my computer desk at home (more on that later). When I hit the “Finish” button to complete the transaction, all seemed well and good until I got an e-mail from them saying that my credit card could not be charged. Long story short, somehow someone had my credit card number and ran it into the ground buying — wait for it — Facebook games (funny, I know). Anyway, I got my new card, and I also thought that this was a good time to change all my passwords.
Most of my password changing went without a hitch. However, Paypal had an interesting process. To change my password I had to provide the number of the credit card I had linked to my account. Well, one problem here: I had cut up and discarded my old credit card because it was no longer active. Not one to let that stop me, I took the next reasonable action: I unlinked the credit card from my account. Honestly, I was happy to do that anyway because I hate linking credit cards to online accounts. Paypal tried to make it hard for me to not have a credit card linked, but I was able to click past everything.
This is the best part, though. When I went to change my password I was allowed to do it without providing any additional security information. Frankly, I think using a credit card number as a security measure is a terrible idea to begin with, so I don’t care that, once I log into my account, changing the password is easy. What I think is funny here is that they put in place a security measure that is trivial to circumvent. In other words, not a real security measure.
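To make the design flaw concrete, here is a small model of the password-change policy described above. This is added illustration code, not Paypal's actual logic: the account fields, function names and the test card number are all hypothetical. It shows why a step-up check that only applies while a removable attribute (the linked card) is present can be skipped by first removing that attribute, and contrasts it with a check bound to a factor the same session cannot simply delete.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Hypothetical account record (constructed for this example)."""
    password: str
    linked_card: Optional[str] = None
    # A second factor that an ordinary logged-in session cannot remove.
    email_verified_recently: bool = False


def weak_change_password(acct: Account, new_pw: str,
                         card_number: Optional[str] = None) -> bool:
    """Flawed policy: the card check is only enforced while a card is linked."""
    if acct.linked_card is not None and card_number != acct.linked_card:
        return False
    acct.password = new_pw
    return True


def unlink_card(acct: Account) -> None:
    """Unlinking needs no step-up, so it doubles as a way to disable the check."""
    acct.linked_card = None


def strong_change_password(acct: Account, new_pw: str) -> bool:
    """Hardened policy: require a factor independent of the removable card."""
    if not acct.email_verified_recently:
        return False
    acct.password = new_pw
    return True


def demo_bypass() -> tuple:
    """Walk through the flow from the post: blocked, unlink, then allowed."""
    acct = Account(password="old", linked_card="4111111111111111")  # constructed
    blocked = weak_change_password(acct, "new")        # no card number supplied
    unlink_card(acct)                                  # remove the gating attribute
    bypassed = weak_change_password(acct, "new")       # same request now succeeds
    still_guarded = strong_change_password(acct, "new2")  # no recent e-mail check
    return blocked, bypassed, still_guarded, acct.password
```

The lesson for defenders is that a step-up control must be tied to something the current session cannot remove or downgrade on its own; otherwise the control only inconveniences legitimate users.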
On the matter of storing credit cards in a database, I think that is also a big problem. If you don’t store the credit card — guess what — even if someone breaks in, it can’t be stolen! I think these companies should use more discretion when storing credit card numbers. I agree that sometimes numbers have to be stored for things like online monthly subscriptions, but short of that, why bother! I think online retailers shouldn’t even offer it as an option, and should make customers aware that this is actually for their benefit. At the very least, don’t default to storing the card; make the user actively opt in.
Anyway, that is my little tale about password changing, which is a practice I encourage everyone to do at least yearly. I also encourage different levels of password security. For instance, I have one password I use for online retailer accounts (which I avoid creating if I can), one for e-mail, one for the blog, one for work, one for root access, etc. This way, if there is a breach, I don’t have to change all my passwords, just the ones within the security level that was broken.