It’s 2005 and there are still online merchants that just don’t get it? Beware of MemorytoGo.com. Their totally insecure site publishes complete credit card numbers (with billing addresses and expiration date) on non-encrypted webpages— easily viewable by not only you but by the crafty l33t people that steal credit card numbers (click the thumbnail to the left).
To add to the scariness — I placed an order with them for a 1 Gig memory upgrade for the surprising free Mac Mini I received. After not receiving the memory Next Day, I checked my order status and was SHOCKED to see my full credit card available to the world to intercept. I immediately contacted them— and the first thing they said was that Next Day orders hadn’t been processed because their online store had crashed (maybe they said “went down”?) yesterday, and they’re just getting to processing orders now. Wait a minute— what do you mean went down? I hope that doesn’t mean that their obvious disregard for end user security led them to be hacked as well.
I forcefully requested that my credit card be removed from their site ASAP, and was told “we can’t do that, the [clear text] credit card number is needed for the accounting people.” Wha? After arguing with me that this wasn’t a threat- and repeatedly telling me I wasn’t listening to them… they reluctantly assured me my credit card would be taken down in a couple of hours— after they reached their web developer. You have to be kidding? And is just mine coming down or are they securing the whole site?
I’ve alerted American Express Merchant Services, but feel like I got the blow off from them. I hope something gets done. If you’ve shopped with MemorytoGo.com— beware, your credit card numbers and personal information are exposed to the world.
Update: A day later and this site is still publishing American Express card members’ identities, card numbers and expiration dates in clear text— just waiting for a Man-in-the-middle attack. The lack of action by American Express is shocking. Membership doesn’t have the security privilege.
Update 2: Three days later and Memorytogo.com has just deleted my order… Aside from placing a new order, I can no longer confirm that everyone’s credit card numbers are exposed on unsecured pages— though it appears they still aren’t using SSL, so my guess is that credit card information is still being published in clear text over the internet. It’s also 2 days after I wrote and called AMEX. No response from them. We should set up a test: Someone place an order, and everyone else try to snag the card number and expiration date. Just kidding.
UPDATE 3/18: Memorytogo has now begun encrypting with SSL the account/order status pages. Their CEO left a message to let me know that their web developer says “it’s always been that way.” Clearly from the screen shot above— it hasn’t. Either way, their site is now partially secure— the account login page is not encrypted, so your account username and password are passed over the net in clear text and can still be intercepted. This could give packet sniffers access to your encrypted account pages. I can’t confirm- but hopefully they’re keeping credit card numbers offline now.
For the record: aside from this partially corrected problem— I didn’t mention that they did fulfill my order, and I am happy with that aspect of their service.