Subway launched these cards a few weeks ago but I only got around to picking mine up yesterday and the concept is cool - you buy your goods and your card is scanned, which credits your card/account with money for every sub you purchase, and these credits can be used towards the purchase of a product once you have a minimum of $3. You will also be able to top this card up over the internet in the new year so it will end up being a prepaid card and there will apparently be lots of bonus points features occurring over time.
You can log into the Subway website to view your card balance. The first time you log on you are prompted to enter your personal details including name, date of birth, gender, address, contact numbers and email address.
The scary part? Access to the website is by entering the 16 digit card number and 4 digit security code that is printed ON THE BACK of your Subcard for anybody to see! http://thor.evolution.co.nz/Subway-Customer/Login.html
If you lose your card anybody who finds it now has access to your personal details and can change them instantly online to be their own and also has access to any credit you have loaded onto the card.
Subway say they can replace registered cards:
You must notify us immediately by calling [0800 78 222 73] if your SUBCARD™ is lost, stolen or destroyed. Provided your old SUBCARD™ was registered, we will issue you with a replacement SUBCARD™ and freeze the remaining SUBWAY® Reward Dollars and cash balance on your old SUBCARD™ from the time that you report to us that your SUBCARD™ is lost, stolen or destroyed.
To credit a replacement SUBCARD™ with previously earned SUBWAY® Reward Dollars or a previously loaded cash balance we will require proof of your identity (including photo identification). The crediting of a replacement SUBCARD™ is at our sole discretion.
But if somebody gets hold of my card and changes my details before I notify them the card is no longer mine because it will have somebody else's details on it so I have absolutely no hope of getting my credit back.
Sorry Subway, I think you've blown it big time with your customer privacy this time. Like Pago, who fail to implement security procedures to stop accounts being hijacked, you're now exposing your customers' private details to anybody who wants to see them. This is simply not good enough. To access the web page users should have been requested to enter an account password, which would have been so simple to add at the time the project was developed. Whoever worked as a Business Analyst for this project should go back to school and retrain as something else.
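The account-password fix suggested above, sketched as an added example (not code from Subway or from the original post): the values printed on the card are accepted only once, to register the card and set a password, and every later view or change of details needs that password. The class and method names, the sample card number and the PBKDF2 work factor are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

class SubcardAccounts:
    """Printed card number + code can only register a card, never log in."""
    def __init__(self, issued_cards):
        self._cards = dict(issued_cards)  # {card_number: printed_code}
        self._accounts = {}               # card_number -> salt, hash, details

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, card_number, code, password, details):
        """First use only: check the printed values, then set a password."""
        expected = self._cards.get(card_number)
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        if card_number in self._accounts or len(password) < 8:
            return False  # already registered, or password too short
        salt = os.urandom(16)
        self._accounts[card_number] = {
            "salt": salt, "hash": self._hash(password, salt), "details": dict(details)}
        return True

    def _authenticate(self, card_number, password):
        acct = self._accounts.get(card_number)
        if acct is None:
            return None
        ok = hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"]))
        return acct if ok else None

    def view_details(self, card_number, password):
        acct = self._authenticate(card_number, password)
        return dict(acct["details"]) if acct else None

    def update_details(self, card_number, password, new_details):
        acct = self._authenticate(card_number, password)
        if acct is None:
            return False
        acct["details"].update(new_details)
        return True
```

This protects a card only once it has been registered; a card that was never registered can still be claimed by whoever holds it.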