Scan strike again!

[Speedo]

I'll start at the beginning, so it might make a little sense.

I had an account with Scan last year, with which I made at least one order. When I went to make an order this year, the account was gone. Not a trace of it on their system. According to their website they had upgraded recently and older logins may not have been transferred.. so I didn't really think anything of it.

Come mid this year, I fancied a few things on 'Today Only', so I went to make an order. Account was gone, as I just said, so I made a new one. Same account details as the old one, but a more secure password. They managed to screw that order up and take over a week to sort out a bag of accessories, they didn't even reply to the 'customer service' emails, I had to get someone through the Hexus.net forums! That was sorted out only a few weeks ago and I was able to complete my computer build.

Yesterday, we were discussing purchasing a new server for our email/internet duties at work. The IT Manager was on about buying a tiddly little P4 3Ghz box with no highlights, I spec'd him up something better from Scan and said I would build it. So, yesterday evening I made the order, on my account.
Login, add the Company credit card + address (under the MDs name), delivery address changed itself. This was as expected, though it did ask for mothers maiden name (presumed to be for the credit card, it was on the same page) and email address (didn't think much of it at the time), I used the IT Managers details for both.
I attempted to login today, 'account not found'. I tried with a few passwords, and strangely my old password worked (I was confused, considering my old account wasn't there a few months ago). It had the details of my order from last year, but not the recent orders. I gave Scan a ring, it seems I now have an account under my MDs name, company address, IT Managers maiden name and email, and my password! It had also changed my entire order history to my MDs name and company address!
The 'customer service' lady on the phone had the cheek to say it was entirely my fault, their system was perfectly fine and there were no errors/bugs to be found. She also assured me that previous invoices could not have their details changed, and it was impossible for this to happen.. (she also rambled on for quite a long time and ignored me trying to interrupt). I tripped her over however when I said 'I have paper invoices at home, with these invoice numbers, but they have MY name and address on them, would you like to explain that?'.. she rambled about contacting the IT department, and that was pretty much the end.
However, one other thing she did do.. was ask for my account password (surely no real company should ever do this), I obviously refused. She then told me what my password was over the phone! Have these people never heard of encryption?!

So, from this experience, Scan have a completely open computer system, with your name, address, email, password plain to see to any employee, and easily changable (not sure if they store cc information). They also know my forum login, due to it being associated with the Scan account for free delivery (password is the same.. it's actually encrypted on the forum and more secure!). There is also the issue that anyone can seemingly change their entire order history and account information.

If anyone steals a Scan computer, which just so happens to have the store login details cached (or they know them already), they can easily make the purchase seemingly theirs by changing the persons account history and login details!

What can I say except, Scan are a complete joke of a company.


Since writing this, my account details have been changed again. I was promised they would be fixed and reverted to my previous details.. they have not been. I now have no idea what my account login details are. I have an order in progress which is urgently required (and was also promised would arrive tomorrow on the phone), and I cannot check the progress of it.. bravo!

[DavidM]

Confidential information is encrypted, and is not stored on local computers.

Please PM me your real name, and any other details, and i'll look into the above.

[herulach]

If you change your deliver address teh postcode you log into the account with also changes. SO what youre saying is, you logged into your account, changed all your details to something else.

As far as the password goes, how else would you verify your identity? I dare say if they hadnt asked youd be complainging that anyone could ring up and change account details.

Now i dont know the details of scans computer system, but i know the system where i used to work (quite a major high street electronics store) then if you had the correct login credentials (manager/assistant manager/anyone who happened to walk past the pc that was never logged off) would have access to any and all details on a customer, including credit card information.

I dont quite get the comment about stealing a computer, but if youre that concerned about it, why would you have your login details cached?

Youd also be surprised how easy to get at (for an administrator) the password is on a phpbb forum.

[Speedo]

If you change your deliver address teh postcode you log into the account with also changes. SO what youre saying is, you logged into your account, changed all your details to something else.

As far as the password goes, how else would you verify your identity? I dare say if they hadnt asked youd be complainging that anyone could ring up and change account details..

It seems you can do some very selective reading. A login account should be unique, it should not change whenever you use a different delivery address (how on earth would you keep track of it), if you address it to someone else (say your next door neighbour) because you're at work, you then expect to login as your neighbour? Would you then expect all your PAST orders to have the invoice details change? What planet are you on?
These details were all asked for on the 'payment information' screen, where you enter your credit card details. This is where it was all asked for, and my password was never asked for at any point to suggest I was doing major changes to my account, nor creating a new one. There were also no 'are you sure, please confirm', nada.
Your password should never be known, it should be encrypted for your login purposes and not retrievable, if you lose it, you do the security questions and generate a random one, which you can then change. You have various other details in your account which can be used to confirm who you are, there are also previous invoice slips you can refer to, dates money changed hands, amounts. I (like many others do i'm sure) use one password for several things, to realise a mere customer services employee can get my password caused me to panic, and I have been going around changing passwords since.
I realise, herulach, that you are some form of Scan 'fanboy' who also rushed to their defense when I could not get in contact regarding missing accessories from my Chenbro case, and logic also seemed to be missing from that response as well. However I will not refrain myself from replying this time, please think before you type.

[herulach]

It seems you can do some very selective reading. A login account should be unique, it should not change whenever you use a different delivery address (how on earth would you keep track of it), if you address it to someone else (say your next door neighbour) because you're at work, you then expect to login as your neighbour? Would you then expect all your PAST orders to have the invoice details change? What planet are you on?
These details were all asked for on the 'payment information' screen, where you enter your credit card details. This is where it was all asked for, and my password was never asked for at any point to suggest I was doing major changes to my account, nor creating a new one. There were also no 'are you sure, please confirm', nada.
Your password should never be known, it should be encrypted for your login purposes and not retrievable, if you lose it, you do the security questions and generate a random one, which you can then change. You have various other details in your account which can be used to confirm who you are, there are also previous invoice slips you can refer to, dates money changed hands, amounts. I (like many others do i'm sure) use one password for several things, to realise a mere customer services employee can get my password caused me to panic, and I have been going around changing passwords since.
I realise, herulach, that you are some form of Scan 'fanboy' who also rushed to their defense when I could not get in contact regarding missing accessories from my Chenbro case, and logic also seemed to be missing from that response as well. However I will not refrain myself from replying this time, please think before you type.

I dont think of myself as a fanboy, and ill admit i was trolling a little in the previous post. I was merly pointing out, that however you think scans login system should work, and how it actually does work are 2 entirely different things. And a great deal of their computer system is pretty terrible, (stock system for example). However, as they dont implement usernames, they have to ask for some kind of logon credentials.

I agree with you on the password point, but again, theres no information on there beyond your address (which anyone can find out pretty easily, and ive never been able to get it to save my cc details).

As far as a 'mere' customer services employee being able to get your password, personally id rather do it like that than by email, which is slightly less secure than just mailing it on a postcard.

Id also point out, that you have to change the mothers maiden name on the security details screen, and just changing the delivery address would not have been a problem, the details only change when you use a different account holder address (theres an option at payment time to change delivery address). So one would imagine when the system was thought up, it wasnt set up for people who wanted to change their name.

Playing around with the details myself, theres also a not on the previous invoices page to the effect that only the current account addresses are specified, unless you chose a different delivery address at payment time.

* PLEASE NOTE ONLY UPDATED ADDRESS WILL BE DISPLAYED HERE.
**ONLY ACCOUNT ADDRESS WILL BE DISPLAYED HERE UNLESS AN ALTERNATIVE DELIVERY ADDRESS SELECTED WHILE PLACING THE ORDER.

[Speedo]

As far as a 'mere' customer services employee being able to get your password, personally id rather do it like that than by email, which is slightly less secure than just mailing it on a postcard.

Id also point out, that you have to change the mothers maiden name on the security details screen, and just changing the delivery address would not have been a problem, the details only change when you use a different account holder address (theres an option at payment time to change delivery address). So one would imagine when the system was thought up, it wasnt set up for people who wanted to change their name.

Playing around with the details myself, theres also a not on the previous invoices page to the effect that only the current account addresses are specified, unless you chose a different delivery address at payment time.

If the password/confidential information is encrypted as DavidM claims, then it should not be decryptable (It is not possible with MD5, afaik). No-one should be able to check what my password is, and they should have appropriate information stored to be able to check who a person is before any password is reset. There is no excuse for being able to know a customers password. Ever admin'd a vbulletin forum? Can you check the users password? No. You can change/reset it, but that's about the extent of it. This leads me to think that a vbulletin forum is more secure than Scans online system.
I have had a look at the online interface just now on my 'old' account (still no idea where the other one is), and like you say the online system is incredibly open. I didn't believe it would be designed that way, but it seems so. Have you ever ordered with for example, your brothers credit card? You change to the cardholders name, and seemingly that is now your login.. this really is beyond sense. However the lady on customer services accusation does make a little more sense now that I see this is the 'norm' - it is still very worring that their system is in such a state.
If someone at work has a grudge, they can slip a keylogger on your computer, get your password and completely remove the account from having any link to yourself. It would be confusing to find that A64FX you bought last month is not covered by warranty, because apparently you didn't buy it. Joe Bloggs in the IT section did...

[herulach]

I think he probably means encrypted in transit, but in principle i agree with most of your points. However, ill continue to use scan as:
a) Id rather have someone who works there (who i trust has a reasonable amount of nowse about them) have access to my cc details (if indeed they do) as opposed to anyone who works/empties the bins of the local pc world
b) i have different passwords for everything.
c) im pretty certain most other retailers systems are similarly 'insecure'

youve also got to bear in mind, that anyone with access to reset your password and see the generated one basically has access to your account, admittedly its a little more noticeable, but still, you only need it for 10 minutes if youre going about it properly (i.e. someone elses credit card too)

If the password/confidential information is encrypted as DavidM claims, then it should not be decryptable (It is not possible with MD5, afaik). No-one should be able to check what my password is, and they should have appropriate information stored to be able to check who a person is before any password is reset. There is no excuse for being able to know a customers password. Ever admin'd a vbulletin forum? Can you check the users password? No. You can change/reset it, but that's about the extent of it. This leads me to think that a vbulletin forum is more secure than Scans online system.
I have had a look at the online interface just now on my 'old' account (still no idea where the other one is), and like you say the online system is incredibly open. I didn't believe it would be designed that way, but it seems so. Have you ever ordered with for example, your brothers credit card? You change to the cardholders name, and seemingly that is now your login.. this really is beyond sense. However the lady on customer services accusation does make a little more sense now that I see this is the 'norm' - it is still very worring that their system is in such a state.
If someone at work has a grudge, they can slip a keylogger on your computer, get your password and completely remove the account from having any link to yourself. It would be confusing to find that A64FX you bought last month is not covered by warranty, because apparently you didn't buy it. Joe Bloggs in the IT section did...

[Speedo]

Seems my order I was ASSURED would go out yesterday for delivery today was strangely delayed.. it's now been picked today and for delivery tomorrow, great.

When you can quite happily assure a customer of something then not do it, there is something very wrong.

[leeglf]

Seems my order I was ASSURED would go out yesterday for delivery today was strangely delayed.. it's now been picked today and for delivery tomorrow, great.

When you can quite happily assure a customer of something then not do it, there is something very wrong.

same here man i have been more than happy with scans service in the past but yesterday i was told by two different people that my order had been picked and it would be sent out yesterday!

But i have not recieved anything today and my scan account does not even say that it has got past the payment stage!

ok i realise scan have got a lot of unusual problems at the moment but when i am told by 2 seperate people one at 9:30am and one at 4:30pm that my order is ready and will be leaving the building thats what i expect!

i would not have been bothered if they had told me it would be despatched at a later date but they told me i would get it today so i expected to get it today

[Jay]

hmmm

I have had a similar problem. I was told that LN12975 was due to be in yesterday and would be with me by Friday so I ordered it. I phoned up today and was told that it wasn't in stock but should be in later today but they may not get it to me until Tuesday next week.

[Carlh]

leeglf,

If you PM me your invoice number I shall look into this for you

jay_oasis

If you wish to PM me your invoice number, again I shall look into this, the card is still showing as being Out Of Stock at the moment, it was due to be here yesterday however it looks as tho the delivery date we have on our system was estimated from our suppliers.

Once I get your details I shall see if I can get an update from our purchasing dept to when the stock shall be with us, as soon as I do again I shall let you know.

[Jay]

Once again Scan show me how stupid I am to doubt them!! My card is now in stock and should be with me tomorrow.

Thanks Carlh

[Speedo]

Package recieved today, with nothing missing (yay) and as usual very well packaged. Now if only they could ship out on time (i.e. when they say they will, rather than quoted day +1) and their online system wasn't a heap of junk, i'd be a happy bunny!

[Chris P]

Glad you received the order,

Unfortunately estimated despatch dates are exactly that and not guaranteed

Regards

[Speedo]

Hi ChrisP

Estimated despatch dates are one thing, however if you had a poke at the essay above you will see I spoke to a lady on customer services and was assured the package would be out on the Tuesday evening. I even asked if there was likely to be any delay as you're rather busy lately, although she confirmed the recent dispatch delays I was also told mine was still on schedule to be out that evening! That was at ~4:45pm. Next morning I have an email for 'order delayed', not exactly a good show is it?

If I may ask (and anyone cares to answer) will there be any modifications coming to your online system to stop the above happening? i.e. Set login names (not a login that changes with each order!), no duplicate logins either (I have 2, created with the same details.. that surely shouldn't be possible), and ENCRYPTED PASSWORDS! Perhaps a realtime stock system too, but I know is rather more work to implement. I'm sure just those few implementations would give many customers more peace of mind, and not just me.

[Chris P]

I can only apologies for any delays you have experienced, we do try to stick to the estimated despatch dates and the majority of orders meet the estimated despatch date. As I have gone through already we are going through MAJOR changes to resolve these issues but this will take time.

Please bear with us in the meantime

"Log ins" do not change with every order?, the only way account details can be changed is if the account holder changes them. The issue you have experienced looks like happened as you made the order on your account but with the company CC details, which I presume is registered to a different address.

Also if you create the same account twice then yes you will get duplicate accounts, if this occurs we can cancel one of the accounts for you.

I preusme this issue has now been resolved if not please PM me the full details of how your account should be set up and I will sort this out for you

Regards