**WARNING** Subway Subcards Privacy Issues.

By Steve Biddle, posted: 28-Dec-2006 11:03

I've been a Subway fan since they first opened in NZ, so I was a little disappointed when their sticker program ended earlier in the year, but was quite excited when a friend who works there told me it was being replaced by a new swipe card system that would offer a lot of extra benefits.

Subway launched these cards a few weeks ago but I only got around to picking mine up yesterday, and the concept is cool - you buy your goods and your card is scanned, which credits your card/account with money for every sub you purchase, and these credits can be used towards the purchase of a product once you have a minimum of $3. You will also be able to top this card up over the internet in the new year, so it will end up being a prepaid card, and there will apparently be lots of bonus points features occurring over time.

You can log into the Subway website to view your card balance. The first time you log on you are prompted to enter your personal details, including name, date of birth, gender, address, contact numbers and email address.

The scary part? Access to the website is by entering the 16-digit card number and the 4-digit security code that is printed ON THE BACK of your Subcard for anybody to see! http://thor.evolution.co.nz/Subway-Customer/Login.html

If you lose your card, anybody who finds it now has access to your personal details, can change them instantly online to be their own, and also has access to any credit you have loaded onto the card.

Subway say they can replace registered cards:

You must notify us immediately by calling [0800 78 222 73] if your SUBCARD™ is lost, stolen or destroyed. Provided your old SUBCARD™ was registered, we will issue you with a replacement SUBCARD™ and freeze the remaining SUBWAY® Reward Dollars and cash balance on your old SUBCARD™ from the time that you report to us that your SUBCARD™ is lost, stolen or destroyed.

To credit a replacement SUBCARD™ with previously earned SUBWAY® Reward Dollars or a previously loaded cash balance we will require proof of your identity (including photo identification). The crediting of a replacement SUBCARD™ is at our sole discretion.

But if somebody gets hold of my card and changes my details before I notify them, the card is no longer mine because it will have somebody else's details on it, so I have absolutely no hope of getting my credit back.

Sorry Subway, I think you've blown it big time with your customer privacy this time. Like Pago, who fail to implement security procedures to stop accounts being hijacked, you're now exposing your customers' private details to anybody who wants to see them. This is simply not good enough. To access the web page users should have been required to enter an account password, which would have been so simple to add at the time the project was developed. Whoever worked as a Business Analyst for this project should go back to school and retrain as something else.
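To make the point concrete, here is an added example (my own illustration, not Subway's code or anything from the Subcard site) modelling the two designs side by side: the login as described above, where the card number and the printed security code are the whole credential, and the password-based alternative suggested in the post. The card number, security code, portal class names, profile fields and the choice of PBKDF2 for password hashing are all constructed for this example; the "report lost" step mirrors the balance freeze in the terms quoted above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample card for the demonstration (not a real Subcard).
SAMPLE_NUMBER = "6009000000000001"
SAMPLE_CODE = "4821"


@dataclass
class Card:
    number: str                   # 16-digit number printed on the card
    security_code: str            # 4-digit code printed on the back
    reward_dollars: float = 0.0
    profile: dict = field(default_factory=dict)
    frozen: bool = False
    pw_salt: bytes = b""
    pw_hash: bytes = b""          # empty until the customer sets a password


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class WeakPortal:
    """Login as the post describes it: card number plus the code printed on the card.
    Both values travel with the card, so possession of the card is the whole secret."""

    def __init__(self, cards):
        self.cards = {c.number: c for c in cards}

    def login(self, number: str, code: str):
        card = self.cards.get(number)
        if card and hmac.compare_digest(card.security_code, code):
            return card
        return None


class HardenedPortal:
    """Same card, but the customer sets a password at registration and every
    later login, profile change or balance query requires that password."""

    def __init__(self, cards):
        self.cards = {c.number: c for c in cards}

    def register(self, number, code, password, profile) -> bool:
        # The printed code is accepted once, to prove possession at registration;
        # after that only the password (never printed anywhere) unlocks the account.
        card = self.cards.get(number)
        if card is None or card.pw_hash or not hmac.compare_digest(card.security_code, code):
            return False
        card.pw_salt = os.urandom(16)
        card.pw_hash = _hash_password(password, card.pw_salt)
        card.profile = dict(profile)
        return True

    def login(self, number, password):
        card = self.cards.get(number)
        if card is None or card.frozen or not card.pw_hash:
            return None
        if hmac.compare_digest(card.pw_hash, _hash_password(password, card.pw_salt)):
            return card
        return None

    def update_profile(self, number, password, changes) -> bool:
        card = self.login(number, password)
        if card is None:
            return False
        card.profile.update(changes)
        return True

    def report_lost(self, number, password) -> bool:
        # Freeze the balance and block further logins, as the quoted terms describe.
        card = self.login(number, password)
        if card is None:
            return False
        card.frozen = True
        return True


def demo():
    """Compare what a finder holding only the physical card can do under each model."""
    owner = {"name": "Owner (constructed)", "email": "owner@example.invalid"}

    weak = WeakPortal([Card(SAMPLE_NUMBER, SAMPLE_CODE, 3.0, dict(owner))])
    finder_weak = weak.login(SAMPLE_NUMBER, SAMPLE_CODE)   # reads both values off the card
    if finder_weak is not None:
        finder_weak.profile["email"] = "finder@example.invalid"   # hijacks the account

    hard = HardenedPortal([Card(SAMPLE_NUMBER, SAMPLE_CODE, 3.0)])
    hard.register(SAMPLE_NUMBER, SAMPLE_CODE, "correct horse battery", owner)
    finder_hard = hard.login(SAMPLE_NUMBER, SAMPLE_CODE)   # has the printed code, not the password
    finder_reregisters = hard.register(SAMPLE_NUMBER, SAMPLE_CODE, "finderpass1", {"name": "Finder"})
    owner_freezes = hard.report_lost(SAMPLE_NUMBER, "correct horse battery")

    return {
        "weak_finder_logs_in": finder_weak is not None,
        "weak_profile_hijacked": weak.cards[SAMPLE_NUMBER].profile["email"] == "finder@example.invalid",
        "hard_finder_logs_in": finder_hard is not None,
        "hard_finder_reregisters": finder_reregisters,
        "hard_owner_freezes": owner_freezes,
        "hard_frozen_blocks_login": hard.login(SAMPLE_NUMBER, "correct horse battery") is None,
        "hard_profile_intact": hard.cards[SAMPLE_NUMBER].profile["email"] == "owner@example.invalid",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one window the hardened model still leaves open is a card that is found before its owner has registered it, since the printed code is the only proof of possession at that point; closing that gap (registering in store, or confirming by email before the account goes live) is outside what this example models.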
