While I am not into public service but this is such a huge goof-up that I had to point this out to customers of Payback / ICICI Cards. Here is the problem with the www.payback.in website that you should know about (in short):
- The website allows anyone to enter a “username” and view how many points they have in their account
- Their recently changed policy has made the date of birth i.e. Date and Month i.e. 1001 in my case to be the default PIN to access an account in its entirety. Once in, anyone can view and edit the following info:
- Order Tracking of items already shipped / redeemed
- Past orders and points against which they were redeemed
- One can literally redeem these points and change and even change the shipping address and have the redeemable items shipped there!
Basically, you don’t need to be a genius to figure out how vulnerable this is. Anyone you know in your network or circle can access your account by guessing your username (which is pretty simple to guess because as soon as they put in the username it will show them your full name above on the right top corner and show the number of points you have in your account) and if that person knows your date of birth, he can just do what he or she wants.
How to prevent this from happening to your Payback.in account?
- Login immediately by putting in your username or card number
- They will ask for your default pin which is your Date of birth
- Then go ahead and change your pin from the “My Account” page
I contacted Payback.in Corporate office and the Receptionist did not think that it was an urgent matter. Rather I was called back and asked how I knew about the vulnerability (LOL! Like I had to be a genius to know that) and I was even questioned why I was interested in helping – because I am your customer DUH.
Depending on how they respond to this public note, I am willing to consider cancelling my account with them because I do not want to be relying on such a naive development team to keep screwing up the privacy of my account.
Whether you are a Payback / ICICI customer or not, I highly encourage you to share this note. The Payback team does not seem to care about these security and privacy issues.
Update: I am no TechCrunch but it seems that what I posted caught the “Customer Service” department’s eyes at Payback and they called as they had my number from my call earlier today morning. While they seemed to have called to assure me about the matter being taken up and to be rectified soon i.e. the vulnerability he also mentioned that the idea of being able to see the points when you put your username was an attempt to make things easy for members which is ridiculous. The very fact that the customer rep executive called me it seems that this was more of a PRO activity rather than an attempt to take the matter seriously. He requested me to delete this note as I might attract a lot of attention of criminal minds.
