HarmLessSolutions
1237 posts

Uber Geek
+1 received by user: 829

Subscriber

  #3286765 26-Sep-2024 18:59

richms:

 

cddt:

 

A similar "glitch in the matrix" thing happened to my wife. She was buying things using the "Shop Pay" button from Shopify, the items were getting delivered, but her sister's credit card was being charged. Meanwhile the sister (who lives elsewhere) was disputing the charges because she thought her account had been hacked etc... Took a long time to put the pieces together, and we're still not sure how Shopify managed to confuse/link their accounts on the back end. 

 

 

Shop pay is horrible to use from a user side of things with you logging into a place and then it wanting to send a login code to a mobile number you have never used on that website because you used it on a different website ages ago.

 

My latest experience with Shop Pay resulted in the vendor contacting me after the order processed requesting a rural surcharge to be paid. After some research it goes like this:

 

Shop Pay is part of the Shopify platform which many, if not most, e-commerce websites use for their layout and checkout. Shopify is a 'software as a service' model where you pay them for server space, transaction fees and as it seems the Shop Pay facility.

Having checked with our web designer who also does Shopify based websites (ours uses OpenCart) the collection of customer data 'for faster future checkouts' is promoted by Shopify. Our web designer is confident that the security of their database is up to speed but my main issue is that the address data 'harvested' by Shop Pay in our case wasn't applicable or preferred for a subsequent purchase as it led to: 
a.) Our rural address being used for a seller that requested a rural surcharge once the sale completed. I usually opt for an alternative address to avoid such charges.
b.) The address details on the item lacked the Rural Delivery run number so I was then contacted to correct this shortfall of info to avoid further delivery delay.
c.) I choose between 3 different delivery addresses to avoid rural charges if preferred, and whether the delivery service can do so to our PO Box. The automation in play by Shop Pay denies me the ability to 'customise' my delivery address as required for individual purchases.

I have now deleted/cancelled my Shop Pay account but will now have to check that address details aren't again harvested when I next purchase through a Shopify based website. In many cases Shopify is not readily identified within a website's displayed data.

If you have received emails requesting you download the Shop Pay app following a purchase in order to more easily track your deliveries in one place this is an indication that the transaction has been processed by Shopify and Shop Pay, and that it is too late to rectify the situation. In my case I do not download any e-commerce or payment related apps to my phone as I complete all such business on my laptop due to my doubts about security in smartphone transactions. In the last case I already had tracking available via the GoSweetSpot CourierPost system so ignored the Shop Pay prompt.

 

IMO Shop Pay is a dog and one I'd prefer to have nothing to do with.





https://www.harmlesssolutions.co.nz/




MadEngineer
4597 posts

Uber Geek
+1 received by user: 2577

Trusted

  #3286775 26-Sep-2024 19:56

Has anyone seen the vulnerability in stored browser data where a webpage may have a form with all the commonly filled fields that you may have saved personal data to made available to the browser but ‘hidden’ except for what you think is required for the transaction?

So for example a webpage asks you your name and your name only. You start typing your name and your browser suggests your full name. “That’s convenient” you say out loud and click your name to save typing it. Your browser has however just given the website all your details including your postal address that was saved along with your name. You’re not aware of this as the address fields in the form were hidden.




You're not on Atlantis anymore, Duncan Idaho.
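The hidden-field autofill scenario described in the post above can be checked for from the defender's side. The following is an added example, not part of any post in this thread: a heuristic audit that lists form fields a browser could autofill but that inline styles conceal from the user. The function names, rule list and sample markup are constructed for illustration, and only inline `style` attributes are inspected.

```javascript
// Added example: heuristic audit for autofill-eligible fields the user cannot see.
// Only inline style attributes are inspected; stylesheet rules are out of scope.
const HIDING_RULES = [
  ["display:none", /display\s*:\s*none/i],
  ["visibility:hidden", /visibility\s*:\s*hidden/i],
  ["zero opacity", /opacity\s*:\s*0(\.0+)?\s*(;|$)/i],
  ["positioned off-screen", /(left|top|margin-left|margin-top)\s*:\s*-\d{3,}/i],
  ["zero size", /(width|height)\s*:\s*0(px)?\s*(;|$)/i],
];

// Input types that address/contact autofill does not populate.
const NOT_AUTOFILLED = new Set([
  "hidden", "submit", "button", "reset", "checkbox", "radio", "file", "image",
]);

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

function findHiddenAutofillFields(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:input|select|textarea)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (NOT_AUTOFILLED.has((a.type || "text").toLowerCase())) continue;
    const rule = HIDING_RULES.find(([, re]) => re.test(a.style || ""));
    if (rule) {
      findings.push({ field: a.name || a.id || "(unnamed)",
                      autocomplete: a.autocomplete || "(browser guesses)",
                      reason: rule[0] });
    }
  }
  return findings;
}

// Constructed sample markup: one visible field, three concealed ones, one CSRF token.
const SAMPLE_FORM = `
<form action="/subscribe" method="post">
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email" style="position:absolute; left:-9999px">
  <input name="address" autocomplete="street-address" style="opacity:0">
  <input name="phone" type="tel" autocomplete="tel" style="height:0; border:0">
  <input type="hidden" name="csrf" value="constructed-token">
</form>`;

console.log(findHiddenAutofillFields(SAMPLE_FORM));
```

A site owner can run the same check over their own checkout templates and third-party form embeds; a real audit would also need computed styles, which this string-based version does not see.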

HarmLessSolutions
1237 posts

Uber Geek
+1 received by user: 829

Subscriber

  #3286796 26-Sep-2024 21:30

MadEngineer: Has anyone seen the vulnerability in stored browser data where a webpage may have a form with all the commonly filled fields that you may have saved personal data to made available to the browser but ‘hidden’ except for what you think is required for the transaction?

So for example a webpage asks you your name and your name only. You start typing your name and your browser suggests your full name. “That’s convenient” you say out loud and click your name to save typing it. Your browser has however just given the website all your details including your postal address that was saved along with your name. You’re not aware of this as the address fields in the form were hidden.
When that stored information includes credit card details, including the CCV number, that definitely concerns me. 

 

A database from somewhere that I had made payment a few years back had its info harvested which resulted in a fraudulent shopping spree that left us $1,900 out of pocket for the three months it took Visa to reverse the funds. That fraud was with a UK jewellery store that required CCV verification as it turned out.

 

Since then I no longer allow credit card details to be 'saved for next time' (particularly by Trade Me) and have added a low credit limit ($1,000) credit card to our collection which we use just for online payments so our exposure can only ever be whatever remaining balance that card has. 





https://www.harmlesssolutions.co.nz/




cddt
1981 posts

Uber Geek
+1 received by user: 1927


  #3286923 27-Sep-2024 09:13

MadEngineer: Has anyone seen the vulnerability in stored browser data where a webpage may have a form with all the commonly filled fields that you may have saved personal data to made available to the browser but ‘hidden’ except for what you think is required for the transaction?

 

To be fair it's each user's choice whether to store personal data in their browser for convenience. Easily disabled. 





My referral links: BigPipeMercury


Behodar
11117 posts

Uber Geek
+1 received by user: 6116

Trusted
Lifetime subscriber

  #3286927 27-Sep-2024 09:30

cddt:

 

To be fair it's each user's choice whether to store personal data in their browser for convenience. Easily disabled. 

 

 

True, but the complaint is that the autofill will put data into hidden fields, making the user unaware that the site is "harvesting" certain things.


HarmLessSolutions
1237 posts

Uber Geek
+1 received by user: 829

Subscriber

  #3286929 27-Sep-2024 09:32

cddt:

 

MadEngineer: Has anyone seen the vulnerability in stored browser data where a webpage may have a form with all the commonly filled fields that you may have saved personal data to made available to the browser but ‘hidden’ except for what you think is required for the transaction?

 

To be fair it's each user's choice whether to store personal data in their browser for convenience. Easily disabled. 

 

The problem is more that the data seems to have been harvested by Shopify by way of Shop Pay and then retained on their database, which is not made immediately apparent during the checkout process when this data grab occurs.





https://www.harmlesssolutions.co.nz/


 
 
 
 

KiwiSurfer
1732 posts

Uber Geek
+1 received by user: 999

ID Verified
Lifetime subscriber

  #3286945 27-Sep-2024 10:48

Having used Shop Pay many times I'm not sure why I'm not seeing these issues. Up to the user to check the correct address is being used -- they make this clear during the order process AFAIK. I've just tried one Shopify retailer I use every now and then and the first step of the checkout process is to ask for the address as they need the address to work out the correct shipping prices. It is only after entering my address that it calculates the options available. There is a tick box to save info for quicker checkout which is unticked by default. But perhaps different retailers set up their Shopify platform differently.

 

As for credit card details -- I find the autofill for credit card details to be fairly hit and miss as many sites seem to capture credit cards in different ways -- including some which seem to try and do clever things like automatically move to the next field, add the slash between month/year automatically, as well as different ways of capturing month (some use 01...12, some do Jan...Dec, some do both, etc). This often breaks the autofill feature for at least one field (or even all the fields) so I normally just enter all the details manually as that's often faster than autofill + enter missing info. If you don't want websites capturing your credit card details, easiest solution seems to be to not use that particular feature -- just disable it in your browser and/or password manager. I personally disable the autofill in all browsers I use and rely only on a password manager.


richms
29117 posts

Uber Geek
+1 received by user: 10231

Trusted
Lifetime subscriber

  #3286956 27-Sep-2024 11:11

KiwiSurfer:

 

Having used Shop Pay many times I'm not sure why I'm not seeing these issues. Up to the user to check the correct address is being used -- they make this clear during the order process AFAIK. I've just tried one Shopify retailer I use every now and then and the first step of the checkout process is to ask for the address as they need the address to work out the correct shipping prices. It is only after entering my address that it calculates the options available. There is a tick box to save info for quicker checkout which is unticked by default. But perhaps different retailers set up their Shopify platform differently.

 

 

When you put in your email address it will often replace the details with the ones that it saved from somewhere else, and provide the merchant a mobile number that you may not want to have given them.





Richard rich.ms

KiwiSurfer
1732 posts

Uber Geek
+1 received by user: 999

ID Verified
Lifetime subscriber

  #3286959 27-Sep-2024 11:16

richms:

 

KiwiSurfer:

 

Having used Shop Pay many times I'm not sure why I'm not seeing these issues. Up to the user to check the correct address is being used -- they make this clear during the order process AFAIK. I've just tried one Shopify retailer I use every now and then and the first step of the checkout process is to ask for the address as they need the address to work out the correct shipping prices. It is only after entering my address that it calculates the options available. There is a tick box to save info for quicker checkout which is unticked by default. But perhaps different retailers set up their Shopify platform differently.

 

 

When you put in your email address it will often replace the details with the ones that it saved from somewhere else, and provide the merchant a mobile number that you may not want to have given them.

 

 

It still shows the address for me after inputting my email address. This is really my point -- they don't hide the address and make you deliver to an unknown address. It may automatically populate it based on your last order etc but other non-Shopify platforms do this too (Trade Me is one example that comes to mind). Generally this is what most people want so can't see the issue here TBH.

