Rang subway , because I accidentally logged out of their windows phone version of the app and my subcard would not register inside the main subway app after logging in. I logged in via the subway website and it would not accept my subcard number and the 4 digit access code that is printed on the card. The app told me to ring an 0800 SUBCRD number to troubleshoot the subcard regisitration for the app and on the main subway website itself.


CSR picked up, asked me to spell out my full name and date of birth. Puts me on hold for a few minutes, comes back to me and said that the password I set for my subcard registration was xxxxxxxx. It then came to my mind that I must have changed by subcard password from their standard 4 digit access code to something different. I told the lady that this is very poor security from subway's end that you can see a user's password instead of only having the option to just reset it. She said this is normal.

I am sure this is not normal. Have my full name, DOB, password and my registered email address. Go for gold subway staff. Go for gold. 

     

ps - Luckily 90+% of my sites are controlled via lastpass with a random password. However for certain sites that I consider to be low risk, I go for a common password that I remember which in this case was the subcard password. My main subway account password was totally random and maybe subway staff can prob see that too but I am not sure about that one.