Best Buy Learns The Downside To Locking Out E-mail Changes
Written by Evan SchumanA Best Buy (NYSE:BBY) online anti-fraud mechanism has unintentionally created a security hole. I was placing an order with a local Best Buy physical store, using the web site’s pickup-in-store option. Because the store only had one of the item left, the associate suggested that I give her all of the account information on the phone and she would enter the order right there.
Everything went fine except that she apparently did a one-character typo in the e-mail address. I didn’t discover this until a half-hour later when no confirmation note ever arrived. Using the order confirmation that she gave me, Customer Service was able to identify the order and spot the e-mail typo. Great! Except that Best Buy’s fraud procedure locks them out from changing the e-mail address. Wait a second. Best Buy now knows that the address is wrong and further knows that my sensitive order information is going out to someone else (assuming that typo-ed address belongs to a real person). Not only can’t they fix it, but they tell me that additional mails will go out to that incorrect e-mail address no matter what. Oops!
If the rule is so strict that an e-mail address can’t be changed—which seems odd—wouldn’t good policy require that a test message be sent and received before the address is permanently locked? Also, instead of preventing the e-mail from being changed, why not instead require a lot of authentication data from the shopper? Perhaps they have to answer the phone when the phone-number-on-file is called? Also, in terms of likely fraud, would a one-character change (of a letter that sounds very much like the more logical letter) be the typical fraud attempt, as opposed to offering an entirely new e-mail address with a different domain? Shouldn’t a supervisor (or a supervisor’s supervisor) have the authority to change the e-mail field if she/he feels it’s warranted?
By the way, this is not merely a risk if an associate makes a typo. What if the shopper makes a one-character typo? That’s not such a far-fetched scenario. (The “type your e-mail address” twice is a good way to avoid typos, unless it’s being done by an associate who thinks what was mis-heard is the correct address.)
It’s easy to guess the legitimate anti-fraud intent of the lock-out, to prevent anyone who learns of an order from changing the notification e-mail address. Then again, if the shopper needs a driver’s license or other identification plus the payment card used to tender the purchase to pick up the merchandise, is a falsified confirmation address going to help a thief that much?
I have always been nervous about anything that can’t be changed, even by a supervisor. It’s being far too trusting that everything will always work as planned. In retail, that generally doesn’t happen.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
