Sign in to follow this  
  • entries
    557
  • comments
    1237
  • views
    421523

Generic Ranting

Sign in to follow this  
Evil Steve

61 views

GRAWR....


Some friends and I ordered flowers for a friend who's dad died on Saturday. We ordered the flowers from Flowers UK on Monday, and said that we wanted the flowers delivered on Wednesday. On Tuesday, I got an E-mail saying: "Your flower order has been received and will be sent for
delivery on Wednesday 6th December 2006". So on Thursday, she still hadn't recieved the flowers. Looking at the "track my shipment" thing which is done through Citylink:
16:34 Tuesday, December 5, 2006 Goods collected
03:27 Wednesday, December 6, 2006 On route to delivery branch
11:08 Wednesday, December 6, 2006 Goods loaded onto a van
11:14 Wednesday, December 6, 2006 Arrived at Delivery Branch
07:40 Thursday, December 7, 2006 Goods loaded onto a van
So apparently "sent for delivery" means "Sent to CityLink, who will then take a further day and a half to deliver them to you".

There's no mention of that on the website (It says "Select the day the flowers will be delivered"). Furthermore, when I just signed in to check that the website said the say they'll be delivered, I noticed that their PHP login page isn't secure HTTP. In fact, you can get right through to the confirmation page without once going into a HTTPS page - meaning that my credit card details are stored in a place that anyone sniffing HTTP traffic could easily see.

So, it's time for me to send them an E-mail complaining that the flowers were late, complaining that their website is insecure, and demanding that my details be immediately deleted from their server, since they don't seem to have any way of deleting my account...


EDIT:
Quote:
Dear John,

I would like to express some concern about the security of your website, www.flowersuk.org.uk. While I was able to order flowers without any problems, I see that when I log into your site, the login page is not secure HTTPS. This means that anyone who happens to be listening to HTTP traffic on my Internet connection - Such as any user at an Internet cafe I was to view your website from - is able to view my E-mail address and password as I log in.
While they would not be able to make any payments using my credit or debit card, since the payment is handled through a secure HTTPS site, they would be able to gain access to any information held on your server, such as my address, and the addresses of anyone whom I have sent flowers to. This is hardly a huge security flaw, I know, but it is still slightly concerning, particularly as many users will use the same E-Mail address and password for several online shopping sites, which may store card details.


The reason I logged into the site again, was to double check the text that says "Select arrival date". I ordered flowers on Monday evening, to be delivered on Wednesday for a friend's parents funeral, and I recieved an E-mail confirmation the following day (Quoted below) informing me that the flowers would be sent for delivery on Wednesday. I contacted my friend on Thursday (The day of the funeral) to check they recieved the flowers, but they told me they had not yet. Upon checking the delivery of my order from Citylink's website, I discovered that the flowers had been collected on the Tuesday, but Citylink took a further two days to deliver them.
I understand that you are not responsible for the time it takes Citylink to deliver a parcel, but I was under the impression that the flowers would arrive at my friends house on the day specified. As far as I could see, there was nothing on the website to say that the delivery would be handled by another company, and may arrive later than expected. Had I known this, I would have opted for the more expensive option of next day delivery, so that the flowers could arrive before the funeral.


Overall, I am not entirely satisfied, and would like to be removed from your user database due to the security concerns I have, as I could not find an option to do so myself on your site.


Sincerely,
Steve Macpherson


EDIT #2:
Quote:
We apologise that your flowers were delivered late, City Link are a
reputable nationwide delivery company and we get very few problems with
them - approximately 1% of all our deliveries.

We were not advised there was a problem and we will look into why they were
delivered late.

The web system we use is a standard package used by many thousands of
companies around the world, although we are aware there is internet fraud
nothing has ever been reported about this system and the payment system we
use is WorldPay the largest payment supplier in the world.

Your email address has been removed from our database, thank you for your
past custom.

Regards

Flowers UK
Sign in to follow this  


2 Comments


Recommended Comments

Ignorant shits. They should hire your ass as a consultant.

I remember contacting a smaller computer retailer about their shitty site security and got back an email basically accusing me of attacking their site and to give them my phone number so they could call the police. [rolleyes]

Share this comment


Link to comment
Guest Anonymous Poster

Posted

While working for a web-development company in Australia, I needed some pretty dull industrial-style database info from a client (times to deliver packages of different size/weight combos around the world) to populate their fancy new ASP-driven website (hey, it was years ago). In return I got a database full of previous customers' credit card details (ie. card number, name, expiry date, etc.). Thousands of them. Along with details of what they'd bought, which was pretty worrying in itself as the guy also sold "adult-oriented" material.

Sadly, no amount of encryption is going to make up for the fact that the person at the other end is probably running a small business from a server based in their front room and doesn't know or care about data security.

Share this comment


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now