Loading Dock Chaos: CIO Had No Idea What His Passwords Could Do
When we used the password, the screen asked for a wide range of shipment details for verification, which is good, including warehouse, the assigned carrier, the department number and the vendor name. Unfortunately, the screen had a prominent note in red lettering that said a date range was required but that the user could “skip [other fields] to show all loads.” We set the date from January 1 through April 30, and it poured out more than 5 MB of ASCII text, detailing the purchase order (P.O.) number, unit number, reference number, vendor name and location, the carrier name and a half-dozen interim ship dates of every shipment within the chain, including future scheduled shipments.
With the information from that data dump, other screens then allowed extensive shipment editing, including fields to change the chain’s P.O. numbers, pick-up name and address, number of pieces, weight, pallets, the product ready date and the vendor call date.
“In our company, there was a misunderstanding of what [the password] gets you,” said the chain’s CFO, after reviewing the files we accessed from the site. “It’s not intended to be very specific. It’s not intended to give as much information as it does. This is obviously a poorly controlled program and is extremely poorly done.”
Among the very lengthy laundry list of problems associated with this type of data leakage is the unnerving possibility that people may have already started using the information against the chain. Done subtly, the type of glitches that could be caused might be dismissed as simple site hiccups. “There will be a data verification where we will be checking the data out there and verifying its accuracy,” the CFO said.
The chain put much of the blame on a third-party company that hosted the chain’s logistics management, coordinating freight movements from various freight companies. An executive with that vendor said the system can’t do anything dangerous and promised to check and get back to us. No one ever called back.
There are four key issues. The first is that the PDF manual should never have had the live password printed in it. The second is that the confidential password-containing PDF manual should not have been discoverable by a search engine. The third is that a single password should never have been used by the tons of people in the retailer’s supply chain. And the fourth is that generic passwords should have had much more limited access.
As for the Google spiders finding the document, that could have been made much less likely had the retailer placed a robots.txt file in the Web site’s root directory, specifying that this directory shouldn’t be indexed, in addition to putting a blank index.htm file in the directory itself, so it couldn’t be browsed. Then, unless people knew the exact name of the file they were looking for, it wouldn’t show up.
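A defender-side check for the two mitigations described above, as an added example that is not from the original article: it audits a local copy of a Web root for PDFs that robots.txt does not disallow or that sit in a directory without an index file. The `manuals` directory, the file names and the `audit_webroot` function are assumptions made for illustration.

```python
import os
import tempfile
from urllib.robotparser import RobotFileParser

INDEX_NAMES = ("index.htm", "index.html")

def audit_webroot(webroot, sensitive_exts=(".pdf",), agent="Googlebot"):
    """Return sorted (url_path, problem) pairs for documents a crawler could find."""
    rp = RobotFileParser()
    robots = os.path.join(webroot, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8") as fh:
            rp.parse(fh.read().splitlines())
    else:
        rp.parse([])  # no robots.txt present: every path is allowed
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        url_dir = "/" if rel == "." else "/" + rel + "/"
        has_index = any(name in files for name in INDEX_NAMES)
        for name in files:
            if not name.lower().endswith(sensitive_exts):
                continue
            url = url_dir + name
            if rp.can_fetch(agent, url):
                findings.append((url, "not disallowed in robots.txt"))
            if not has_index:
                findings.append((url, "directory has no index file"))
    return sorted(findings)

def demo():
    """Constructed Web root with one manual, audited before and after the fix."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "manuals"))
        open(os.path.join(root, "manuals", "carrier_guide.pdf"), "wb").close()
        before = audit_webroot(root)
        # Apply both mitigations from the article (paths are assumptions).
        with open(os.path.join(root, "robots.txt"), "w", encoding="utf-8") as fh:
            fh.write("User-agent: *\nDisallow: /manuals/\n")
        open(os.path.join(root, "manuals", "index.htm"), "w").close()
        after = audit_webroot(root)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

robots.txt is a request to well-behaved crawlers rather than an access control, so a clean result here only reduces the chance of indexing; it does not restrict who can fetch a file whose name is known.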