Best Buy Learns The Downside To Locking Out E-mail Changes
Written by Evan Schuman
A Best Buy (NYSE:BBY) online anti-fraud mechanism has unintentionally created a security hole. I was placing an order with a local Best Buy physical store, using the web site’s pickup-in-store option. Because the store only had one of the item left, the associate suggested that I give her all of the account information on the phone and she would enter the order right there.
Everything went fine except that she apparently did a one-character typo in the e-mail address. I didn’t discover this until a half-hour later when no confirmation note ever arrived. Using the order confirmation that she gave me, Customer Service was able to identify the order and spot the e-mail typo. Great! Except that Best Buy’s fraud procedure locks them out from changing the e-mail address. Wait a second. Best Buy now knows that the address is wrong and further knows that my sensitive order information is going out to someone else (assuming that typo-ed address belongs to a real person). Not only can’t they fix it, but they tell me that additional mails will go out to that incorrect e-mail address no matter what. Oops!
If the rule is so strict that an e-mail address can’t be changed—which seems odd—wouldn’t good policy require that a test message be sent and received before the address is permanently locked? Also, instead of preventing the e-mail from being changed, why not instead require a lot of authentication data from the shopper? Perhaps they have to answer the phone when the phone-number-on-file is called? Also, in terms of likely fraud, would a one-character change (of a letter that sounds very much like the more logical letter) be the typical fraud attempt, as opposed to offering an entirely new e-mail address with a different domain? Shouldn’t a supervisor (or a supervisor’s supervisor) have the authority to change the e-mail field if she/he feels it’s warranted?
By the way, this is not merely a risk if an associate makes a typo. What if the shopper makes a one-character typo? That’s not such a far-fetched scenario. (The “type your e-mail address twice” approach is a good way to avoid typos, unless it’s being done by an associate who thinks what was mis-heard is the correct address.)
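The alternative proposed above (confirm the address with a test message before locking it, and gate later changes behind authentication instead of forbidding them) can be sketched as follows. This is an added example, not Best Buy's code and not part of the original column; the OrderContact class, the one-character threshold and the approval rules are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass, field


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: separates a typo fix from a wholesale replacement."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class OrderContact:
    """Notification address on an order (hypothetical model, assumed policy)."""
    email: str
    verified: bool = False
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    def confirm(self, token: str) -> bool:
        """The test message was received and its token returned; lock from here on."""
        ok = secrets.compare_digest(token, self.token)
        self.verified = self.verified or ok
        return ok

    def request_change(self, new_email: str, phone_callback_ok: bool = False,
                       supervisor_ok: bool = False) -> str:
        """Decide a change request; never an unconditional refusal."""
        new_email = new_email.strip().lower()
        old = self.email.strip().lower()
        same_domain = new_email.rpartition("@")[2] == old.rpartition("@")[2]
        typo_like = same_domain and edit_distance(new_email, old) <= 1
        if not self.verified and typo_like:
            # Nobody has proven control of the current address and the edit is
            # a single character: one strong check is enough (assumed rule).
            allowed = phone_callback_ok or supervisor_ok
        else:
            # Confirmed address or a wholesale replacement: require both the
            # call to the phone number on file and a supervisor sign-off.
            allowed = phone_callback_ok and supervisor_ok
        if not allowed:
            return "denied"
        # Apply the change and restart confirmation for the new address.
        self.email, self.verified = new_email, False
        self.token = secrets.token_urlsafe(16)
        return "changed"
```

An unconfirmed address with a one-character slip can be corrected after a single strong check, while a confirmed address or a change of domain needs both checks, and every change restarts confirmation.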
It’s easy to guess the legitimate anti-fraud intent of the lock-out, to prevent anyone who learns of an order from changing the notification e-mail address. Then again, if the shopper needs a driver’s license or other identification plus the payment card used to tender the purchase to pick up the merchandise, is a falsified confirmation address going to help a thief that much?
I have always been nervous about anything that can’t be changed, even by a supervisor. It’s being far too trusting that everything will always work as planned. In retail, that generally doesn’t happen.