Poster: A snowHead
Like David Goldsmith's, my latest issue of Ski&Board has just arrived, together with this year's membership "pack". I note that my membership number and post code are included on the address label. These are all the details that anyone who wishes to log in to the SCGB site as "me" requires.
Should I be concerned about this? I think maybe I should.
But why would anyone want to log into the SCGB website when there are far superior alternatives?
boredsurfin,
Alan Craggs, there is an option in the members-only section to create a password instead of using a postcode to log in with, to increase your security. I changed mine when I logged onto the forum the first time. However, I agree they should not send correspondence with your membership number clearly displayed.
Russell, thanks, I log on so infrequently over there that I hadn't noticed that option. I shall nip over and change it. boredsurfin,
Aha, stymied - on the "make password" page it says that my postcode logon will still work even if I create a password
Alan Craggs, not noticed that one; definitely one to bring to their attention, methinks.
Russell, I have emailed the Club expressing my concern.
1 week and no-one has seen fit to reply to my email
Alan Craggs, situation normal then, they're very good at trying to sell you their holidays but not so good at answering questions on other (more important ?) subjects
Scrumpy wrote:
Personally I haven't noticed anyone sitting on my doorstep waiting to pinch my membership no. so that they can log onto the ski club website
You haven't noticed them because they have successfully stolen your identity. In fact, how do we know that this is you posting?
Kramer,
Scrumpy, anyone from whoever prints and packages the mailouts to my neighbourhood postperson has access to this information (I shred everything with my name and address on it so after it leaves my house it should be OK). If you use an internet banking service would you be happy to have your login details printed on the outside of letters from your bank?
So maybe my or your postman isn't a skier - but why should we be exposed needlessly to this risk, however small?
Last edited on Wed 5-10-05 11:42; edited 1 time in total
It indicates a general lack of attention to security. I should change my password now it is possible, and it would be secure again (from my point of view), assuming that SCGB hasn't made any other small slip-ups I am not aware of?
Is this a consequence of the change from the postcode-as-a-password system to a more modern user-id and password system made a year or two back?
Response received from the SC today:-
"Thank you for the e-mail sent to us on 25th September. In the past we have been requested by members to include membership numbers on mailings, hence the format of the carriers. As you will see from your carrier, we do not specify that it is a membership number and it is not the only number on the carrier. The belief has been that the number would mean nothing to anyone but the member themselves. I have noted your concerns though and due to this and the fact that the numbers have now been publicly identified as membership numbers in external chatrooms (so causing a very real potential problem), we will need to reconsider this policy."
Hmm - this sounds to me that they're saying it's (at least partly) my fault for raising the issue here or am I just being a sensitive little flower?
Oh well, at least they recognise that it is a "very real potential problem" whatever that means in single speak.
Could any other member explain to me why we would request our membership numbers to be printed on the outside of mailings? I can't think of a reason for it.
Oooh, looks like you've been told off good and proper, you naughty boy
Very strange how they recognise that is a real potential problem - but you do know Alan that this is all YOUR fault!
I can only think members may have asked for their membership number to be included on letters, maybe? But you wouldn't expect it to be on the outside of mailing material though. There seems to be a real lack of awareness of how serious identity theft can be. By logging on to the SCGB website using my membership number & postcode and going to my personal details page there is my DoB, address, phone numbers, email address for any potential thief to see. We are pretty aware of identity theft and ALWAYS shred any material which has personal info on it. Is this paranoid? I don't think so.
Nice to see that the person raising the issue, is in typical Ski Club style told to behave
Cathy Coins, yes I feel well and truly ashamed to have brought such trouble to my Club, I think they should double my membership fee as punishment. But it's not just the theft aspect - with that information anyone could log on to their forum as "you" or "I" and say terribly nasty things about other users of the site - and how would we prove that it wasn't us?
Hmm... now there's a thought
(PS as far as I know not even admin can "see" anyone's password here, they are encrypted in the database)
Just to put slightly the other perspective - I tend to know that my membership number is printed on the outside of things. Which means that every couple of years when I need to know it I can find it! Fine by me if it is the ski club membership or my dodgy magazine subscription (New Scientist at the mo).
Course I might feel differently about bank account numbers n such.
Mark Lehto, how dare you know such things!!! Why you're practically hacking the SCGB security systems.
Mark Lehto, I'll have to check but afaik I do not log on to the New Scientist site using my subscription number. Even if I do my password is not printed openly on the mag. Not being argumentative, just trying to be factual.
Nice to know that the SCGB monitor 'external chatrooms' so closely
I think the problem is not so much printing the subscription number on the outside - the problem is that the two credentials should *never* be together.
What SCGB did that was wrong was to use a (publicly available) address element and a publicly available subscription number.
As always it's about acceptable risk - I don't know what you can do once you're logged on - but to be honest this kind of mistake should be beyond even a half-baked techy nowadays. Sadly it's not.
And I think you do need your NS subscription to log on - but I think you need something else too. And in any case all that gives you is access to content.
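The two points made in this thread, that the postcode login still works after a member sets a password (noted earlier, on the "make password" page) and that two values printed on the same carrier should never together form a complete credential, modelled as a small added example written for this page. It is not SCGB's code; the member data, the PBKDF2 password storage and both login routines are constructed for illustration.

```python
"""Constructed model of the login policy described in the thread (not SCGB code).
Membership number and postcode both appear on the mailing carrier, so both are public."""
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class Member:
    number: str            # printed on the carrier: public
    postcode: str          # printed on the carrier: public
    pw_salt: bytes = b""   # empty until the member chooses a password
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)

    def has_password(self) -> bool:
        return bool(self.pw_hash)

    def check_password(self, candidate: str) -> bool:
        if not self.has_password():
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.pw_salt, 100_000)
        return hmac.compare_digest(digest, self.pw_hash)

def normalise_postcode(pc: str) -> str:
    """Treat 'sw1a 1aa' and 'SW1A1AA' as the same postcode."""
    return "".join(pc.split()).upper()

def login_flawed(m: Member, number: str, secret: str) -> bool:
    """The behaviour reported above: the postcode still logs in after a password is set,
    so the two public values on the carrier remain a complete credential."""
    if number != m.number:
        return False
    if normalise_postcode(secret) == normalise_postcode(m.postcode):
        return True
    return m.check_password(secret)

def login_fixed(m: Member, number: str, secret: str) -> bool:
    """Postcode is a one-time bootstrap; once a password exists it is the only secret accepted."""
    if number != m.number:
        return False
    if m.has_password():
        return m.check_password(secret)
    # No password yet: the postcode gets the member as far as the "make password" page.
    return normalise_postcode(secret) == normalise_postcode(m.postcode)
```

The account protected by `login_flawed` is exactly as strong as its weakest accepted credential, which here is a value anyone handling the post can read.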
The RISKS forum, see http://www.risks.org or its Usenet equivalent comp.risks, has been discussing matters of identity theft and a host of other issues in its "Forum On Risks To The Public In Computers And Related Systems". In the main, the RISKS forum has reports of actual events, plus some discussion. The topic of mails and emails sending out account numbers with easily guessed passwords often occurs. A common problem in the USA has been systems that use the SSN (Social Security Number) as a password or unique identity. Several major companies, including banks worldwide, have made security gaffes in such matters.
For anyone interested in computers and the problems resulting from their interactions with people, I would recommend the RISKS forum as a regular part of their reading list.
Just had a phone conversation with the SCGB:
SCGB wrote:
I put it to you, that only a very wily person would be able to get hold of your membership number and postcode from our mail, and use that for identity theft.
Kramer wrote:
I put it to you that the type of people who steal identities are well known for being quite wily...
I have to say that the whole tone of the conversation was along the lines of this being a storm in a teacup.
I think you meant a snowstorm in a skiclup
I don't understand - why would they have to be wily? They just read the outside of the mailing which is also emblazoned with SCGB logos. There seems to be a very blinkered attitude in the SCGB as to the 'real world'. Who would have thought identity theft can happen from the rubbish you chuck away? Have they not heard of people who live in flats with a shared front door where the post sits in a heap along with everyone else's to be collected by the owner?
Why not just admit their current practice is wrong and now it's been brought to their attention they will rectify it?
Although I should know all about it - how does the Data Protection Act prevail in this case?
I assume it applies because they hold data about us on computer.
Just Googling around, found this.
Apart from the fact that I hadn't realised that the SC were subsidising members of the Manchester Ski Club (yes yes Cathy, my fault obviously, I should have looked for that info), presumably the database of members' details maintained by the Manchester Club (for internal use only, as they say) also includes the SC number if provided by the member. How many of these databases are there, I wonder?
Although the Data Protection Act may be relevant to the visible disclosure of a membership number it's probably not the main concern here. I write this in a slightly dispassionate way as, although I'm a member of the SCGB, I'm personally not hugely concerned about someone else seeing my membership number. However, my personal lack of concern is irrelevant to someone else's personal concern. Everyone has a right to the level of privacy they choose.
The simple point is this: a member of the Club raised a valid security concern on 25 September. It was responded to on 5 October and part of the blame was put on the member concerned. That was unreasonable and buck-passing.
A simple and courteous response would have been: "Thank you for bringing this to our attention. We acknowledge that this is of concern to you, and may be to others. We are now endeavouring to remove membership numbers from open view on any future mailings."
Simple, concise ... polite.
I'm not particularly worried about someone seeing my membership number, if that was all they saw. What I am concerned about is that someone having my membership number and my postcode, both of which are visible on the outside of mailings, can then log onto the SCGB website and then see other personal details on my page, such as date of birth. This is the sort of information that is very valuable in identity theft.
But I'm afraid both of the responses from the SCGB shown above seem to be quite discourteous and unaware of the potential problem.
Quote:
Simple, concise ... polite.
Not things normally found with the SCGB
It could be a needling thread
I wouldn't want it to be a SC bashing thread either, and I wasn't that bothered until I realised that someone could access my personal details. The SC have changed my password, so hopefully that will sort the problem.
Let's make the password 'peace' then
Piste, love and vegetables
SCGB wrote:
Thank you for your e-mail to the Information Department. In the past we have been requested by members to include membership numbers on mailings, hence the format of the carriers. As you will see from your carrier, we do not specify that it is a membership number and it is not the only number on the carrier. The belief has been that the number would mean nothing to anyone but the member themselves. Since the fact that one of these two unidentified numbers is a membership number has been circulated on public chatrooms has obviously changed the situation and we will need to reconsider our policy.
I am uncertain as to where you would like all your details apart from your name removed. If you are referring to mailings then it is impossible to treat one member differently from the others in excluding or including certain data fields. We will reconsider the policy due to your concern and one other member but we have to take a balanced view as to the wishes of the whole membership base and act in the best interests of everyone.
I wrote:
Thanks very much for your prompt response. I do believe that this issue goes beyond what the majority of members want, and I believe that the Ski Club has a duty of care to do everything possible to keep members personal details confidential. Identity theft is getting commoner, usually happening to people who don’t think that it will happen to them, until it actually does. As someone who has had a problem with someone getting access to my personal data in the past, with an unpleasant outcome, my personal security is something that I take very seriously. Relying on the obscurity of the membership number amongst other numbers is not an acceptable level of security, some of these people are very sophisticated, apparently with links to organized crime. As it stands, someone in the mailing office could easily note down some numbers and post codes, and it wouldn’t take too many attempts to find the correct log on, giving access to title, telephone number, and most importantly date of birth, which allows access to all sorts on information. This is the information that I would like removed from the “about you” section of the website.
Perhaps the ski club should be grateful that this problem was aired by a responsible member of society, rather than by someone having their identity stolen. It’s not rocket science, so it is likely that someone else could, or even has already, made the same conclusion. Even without circulation in a public forum, to assume that it’s safe that only the members themselves know about this would seem to be very optimistic. Of course we would like to think that all members of the Ski Club are fine upstanding members of the community, with no criminals amongst us, but with thirty thousand (?) members it’s difficult to know this for sure, don’t you think? Similarly the cost of a membership is not too high an investment for someone deliberately looking for a security weakness such as this. If they’ll rifle through bins to get old bills, then God knows what else they might do.
I would hate to think what the Ski Club’s liability may be if the worst does happen and it is proven that it played a part in allowing it to happen.
I look forward to your reassurance that prompt steps have been taken to resolve this (hopefully potential) problem.