Ski Club 2.0 Home
Snow Reports
FAQFAQ

Mail for help.Help!!

Log in to snowHeads to make it MUCH better! Registration's totally free, of course, and makes snowHeads easier to use and to understand, gives better searching, filtering etc. as well as access to 'members only' forums, discounts and deals that U don't even know exist as a 'guest' user. (btw. 50,000+ snowHeads already know all this, making snowHeads the biggest, most active community of snow-heads in the UK, so you'll be in good company)..... When you register, you get our free weekly(-ish) snow report by email. It's rather good and not made up by tourist offices (or people that love the tourist office and want to marry it either)... We don't share your email address with anyone and we never send out any of those cheesy 'message from our partners' emails either. Anyway, snowHeads really is MUCH better when you're logged in - not least because you get to post your own messages complaining about things that annoy you like perhaps this banner which, incidentally, disappears when you log in :-)
Username:-
 Password:
Remember me:
👁 durr, I forgot...
Or: Register
(to be a proper snow-head, all official-like!)

SCGB snailmail and possible identity theft?

 Poster: A snowHead
Poster: A snowHead
Like David Goldsmith's, my latest issue of Ski&Board has just arrived, together with this year's membership "pack". I note that my membership number and post code are included on the address label. These are all the details that anyone who wishes to log in to the SCGB site as "me" requires.

Should I be concerned about this? I think maybe I should.
ski holidays
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
But why would anyone want to log into the SCGB website when there are far superior alternatives? snowHead
latest report
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
boredsurfin, snowHead
snow conditions
 You need to Login to know who's really who.
You need to Login to know who's really who.
Alan Craggs, There is a option to create a password instead of using a postcode to log in with in the members only section to increase your security. I changed mine when I logged onto the forum first time. However I agree they should not send correspondence with your membership number clearly displayed.
snow report
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
Russell, thanks, I log on so infrequently over there that I hadn't noticed that option. I shall nip over and change it. boredsurfin, Laughing
snow report
 You'll need to Register first of course.
You'll need to Register first of course.
Aha, stymied - on the "make password" page it says that my postcode logon will still work even if I create a password Confused
snow report
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
Alan Craggs, not noticed that one definitely one to bring to their attention me thinks.
latest report
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
Russell, I have emailed the Club expressing my concern.
ski holidays
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
1 week and no-one has seen fit to reply to my email rolling eyes
snow report
 Ski the Net with snowHeads
Ski the Net with snowHeads
Alan Craggs, situation normal then, they're very good at trying to sell you their holidays but not so good at answering questions on other (more important ?) subjects
snow conditions
 snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
Personally I haven't noticed anyone sitting on my doorstop waiting to pinch my membership no. so that they can log onto the ski club website Madeye-Smiley
There may be a bit of paranoia here ? Who do you really think is out there just waiting to log onto the Ski Club website as YOU ??? Laughing Laughing Laughing
snow report
 And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
Scrumpy wrote:
Personally I haven't noticed anyone sitting on my doorstop waiting to pinch my membership no. so that they can log onto the ski club website Madeye-Smiley


You haven't noticed them because they have successfully stolen your identity. In fact, how do we know that this is you posting?
snow report
 So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
Kramer, Laughing
ski holidays
 You know it makes sense.
You know it makes sense.
Scrumpy, anyone from whoever prints and packages the mailouts to my neighbourhood postperson has access to this information (I shred everything with my name and address on it so after it leaves my house it should be OK). If you use an internet banking service would you be happy to have your login details printed on the outside of letters from your bank?
So maybe my or your postman isn't a skier - but why should we be exposed needlessly to this risk, however small?


Last edited by You know it makes sense. on Wed 5-10-05 11:42; edited 1 time in total
ski holidays
 Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
It indicates a general lack of attention to security. I should change my password now it is possible and it would be secure again (from my point of view) assuming that SCGB hasnt made any other small slip-ups I am not aware of ?
Is this a consequence of the change from the postcode-as-a-password system to a more modern user-id & password made a year or two back ?
snow report
 Poster: A snowHead
Poster: A snowHead
Response received from the SC today:-


"Thank you for the e-mail sent to us on 25th September. In the past we have been requested by members to include membership numbers on mailings, hence the format of the carriers. As you will see from your carrier, we do not specify that it is a membership number and it is not the only number on the carrier. The belief has been that the number would mean nothing to anyone but the member themselves. I have noted your concerns though and due to this and the fact that the numbers have now been publicly identified as membership numbers in external chatrooms (so causing a very real potential problem), we will need to reconsider this policy."

Hmm - this sounds to me that they're saying it's (at least partly) my fault for raising the issue here Puzzled or am I just being a sensitive little flower?

Oh well, at least they recognise that it is a "very real potential problem" whatever that means in single speak.

Could any other member explain to me why we would request our membership numbers to be printed on the outside of mailings? I can't think of a reason for it.
ski holidays
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
Oooh, looks like you've been told off good and proper, you naughty boy wink

Very strange how they recognise that is a real potential problem - but you do know Alan that this is all YOUR fault!

I can only think members may have asked for their membership number to be included on letters, maybe? But you wouldn't expect it to be on the outside of mailing material though. There seems to be a real lack of awareness of how serious identity theft can be. By logging on to the SCGB website using my membership number & postcode and going to my personal details page there is my DoB, address, phone numbers, email address for any potential thief to see. We are pretty aware of identity theft and ALWAYS shred any material which has personal info on it. Is this paranoid? I don't think so.
ski holidays
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
Nice to see that the person raising the issue, is in typical Ski Club style told to behave wink
snow report
 You need to Login to know who's really who.
You need to Login to know who's really who.
Alan Craggs, No I think they're having a dig Smile

Of course people in the security business will know that anyone who was deluding themselves that "the number would mean nothing to anyone but the member themselves" haven't got a clue about real security. Security through obscurity is not security.

And I wouldn't worry anyhow - witha touch of social engineering someone could probably phone them up and just ask for the pasword Laughing
latest report
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
Cathy Coins, yes I feel well and truly ashamed to have brought such trouble to my Club, I think they should double my membership fee as punishment. But it's not just the theft aspect - with that information anyone could log on to their forum as "you" or "I" and say terribly nasty things about other users of the site - and how would we prove that it wasn't us?

Hmm... now there's a thought wink

(PS as far as I know not even admin can "see" anyone's password here, they are encrypted in the database)
snow report
 You'll need to Register first of course.
You'll need to Register first of course.
Just to put slightly the other perspective - I tend to know that my membership number is printed on the outside of things.
Which means that every couple of year when I need to know it I can find it! Fine by me if it is the ski club membership or my
dodgy magazine subscription (New Scietist at the mo).

Course I might feel differently about bank account numbers n such.
ski holidays
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
Mark Lehto, how dare you know such things!!! Why you're practically hacking the SCGB security systems.
snow report
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
Mark Lehto, I'll have to check but afaik I do not log on to the New Scientist site using my subscription number. Even if I do my password is not printed openly on the mag. Not being argumentative, just trying to be factual.
snow report
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
Nice to know that the SCGB monitor 'external chatrooms' so closely wink
latest report
 Ski the Net with snowHeads
Ski the Net with snowHeads
I think the problem is not so much printing the subscription number on the outside - the problem is that the two credentials should *never* be together.
What SCGB did that was wrong was to use a (publicly available) address element and a publicly available subscription number.

As always it's about acceptable risk - I don't know what you can do once you're logged on - but to be honest this kind of mistake should be beyond even a half-baked techy nowadays. Sadly it's not.

And I think you do need your NS subscription to log on - but I think you need something else too. And in any case all that gives you is access to content.
latest report
 snowHeads are a friendly bunch.
snowHeads are a friendly bunch.
The RISKS forum, see http://www.risks.org or its Usenet equivalent comp.risks, has been discussing matters of identity theft and a host of other issues in its "Forum On Risks To The Public In Computers And Related Systems". In the main, the RISKS forum has reports of actual events, plus some discussion. The topic of mails and emails sending out account numbers with easily guessed passwords often occurs. A common problem in the USA has been system that use the SSN (Social Security Number) as a password or unique identity. Several major companies, including banks worldwide, have made security gaffs in such matters.

For anyone interested in computers and problem resulting from their interactions with people I would recommend the RISKS forum as a regular part of their reading list.
ski holidays
 And love to help out and answer questions and of course, read each other's snow reports.
And love to help out and answer questions and of course, read each other's snow reports.
And if such things appeal (and frankly they can be fascinating) then have a quick look at this latest monthly bulletin by Bruce Schneier. He's a leading security expert who puts it into human tems very nicely.
snow report
 So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
So if you're just off somewhere snowy come back and post a snow report of your own and we'll all love you very much
Just had a phone conversation with the SCGB-

SCGB wrote:
I put it to you, that only a very wily person would be able to get hold of your membership number and postcode from our mail, and use that for identity theft.


Kramer wrote:
I put it to you that the type of people who steal identities are well known for being quite wily...


I have to say that the whole tone of the conversation was along the lines of this being a storm in a teacup.
snow report
 You know it makes sense.
You know it makes sense.
I think you meant a snowstorm in a skiclup
latest report
 Otherwise you'll just go on seeing the one name:
Otherwise you'll just go on seeing the one name:
I don't understand - why would they have to be wily? They just read the outside of the mailing which is also emblazoned with SCGB logos. There seems to be a very blinkered attitude in the SCGB as to the 'real world'. Who would have thought identity theft can happen from the rubbish you chuck away? Have they not heard of people who live in flats with a shared front door where the post sits in a heap along with everyone else's to be collected by the owner?

Why not just admit their current practice is wrong and now it's been brought to their attention they will rectify it?
snow report
 Poster: A snowHead
Poster: A snowHead
ALthough I should know all about it - how does the data protection act prevail in this case ?
I assume it applies because they hold data about us on computer.
snow report
 Obviously A snowHead isn't a real person
Obviously A snowHead isn't a real person
Just Googling around, found this.

Apart from the fact that I hadn't realised that the SC were subsidising members of the Manchester Ski Club (yes yes Cathy, my fault obviously, I should have looked for that info), presumably the database of member's details maintained by the Manchester Club (for internal use only as they say) also includes the SC number if provided by the member. How many of these databases are there I wonder?
snow conditions
 Well, the person's real but it's just a made up name, see?
Well, the person's real but it's just a made up name, see?
Although the Data Protection Act may be relevant to the visible disclosure of a membership number it's probably not the main concern here. I write this in a slightly dispassionate way as, although I'm a member of the SCGB, I'm personally not hugely concerned about someone else seeing my membership number. However, my personal lack of concern is irrelevant to someone else's personal concern. Everyone has a right to the level of privacy they choose.

The simple point is this: a member of the Club raised a valid security concern on 25 September. It was responded to on 5 October and part of the blame was put on the member concerned. That was unreasonable and buck-passing.

A simple and courteous response would have been: "Thank you for bringing this to our attention. We acknowledge that this is of concern to you, and may be to others. We are now endeavouring to remove membership numbers from open view on any future mailings."

Simple, concise ... polite.
latest report
 You need to Login to know who's really who.
You need to Login to know who's really who.
I'm not particularly worried about someone seeing my membership number, if that was all they saw. What I am concerned about is that someone having my membership number and my postcode, both of which are visible on the outside of mailings, can then log onto the SCGB website and then see other personal details on my page, such as date of birth. This is the sort of information that is very valuable in identity theft.

But I'm afraid both of the responses from the SCGB shown above seem to be quite discourteous and unaware of the potential problem.
ski holidays
 Anyway, snowHeads is much more fun if you do.
Anyway, snowHeads is much more fun if you do.
Quote:

Simple, concise ... polite.


Not things normally found with the SCGB
snow report
 You'll need to Register first of course.
You'll need to Register first of course.
I wouldn't like to see this become another SC "bashing" thread, although I know the subject stirs strong feelings wink Unusually for snowHeads perhaps, maybe we can strive to keep it on topic Laughing Laughing Having said that, I'm not sure that there is anything more to say at the moment - the issue has been raised, let's see what, if any, action is taken and when.
snow conditions
 Then you can post your own questions or snow reports...
Then you can post your own questions or snow reports...
It could be a needling thread
ski holidays
 After all it is free Go on u know u want to!
After all it is free Go on u know u want to!
I wouldn't want it to be a SC bashing thread either, and I wasn't that bothered until I realised that someone could access my personal details. The SC have changed my password, so hopefully that will sort the problem.
ski holidays
 You'll get to see more forums and be part of the best ski club on the net.
You'll get to see more forums and be part of the best ski club on the net.
Let's make make the password 'peace' then

Piste, love and vegetables
ski holidays
 Ski the Net with snowHeads
Ski the Net with snowHeads
SCGB wrote:
Thank you for your e-mail to the Information Department. In the past we have been requested by members to include membership numbers on mailings, hence the format of the carriers. As you will see from your carrier, we do not specify that it is a membership number and it is not the only number on the carrier. The belief has been that the number would mean nothing to anyone but the member themselves. Since the fact that one of these two unidentified numbers is a membership number has been circulated on public chatrooms has obviously changed the situation and we will need to reconsider our policy.

I am uncertain as to where you would like all your details apart from your name removed. If you are referring to mailings then it is impossible to treat one member differently from the others in excluding or including certain data fields. We will reconsider the policy due to your concern and one other member but we have to take a balanced view as to the wishes of the whole membership base and act in the best interests of everyone.


I wrote:
Thanks very much for your prompt response. I do believe that this issue goes beyond what the majority of members want, and I believe that the Ski Club has a duty of care to do everything possible to keep members personal details confidential. Identity theft is getting commoner, usually happening to people who don’t think that it will happen to them, until it actually does. As someone who has had a problem with someone getting access to my personal data in the past, with an unpleasant outcome, my personal security is something that I take very seriously. Relying on the obscurity of the membership number amongst other numbers is not an acceptable level of security, some of these people are very sophisticated, apparently with links to organized crime. As it stands, someone in the mailing office could easily note down some numbers and post codes, and it wouldn’t take too many attempts to find the correct log on, giving access to title, telephone number, and most importantly date of birth, which allows access to all sorts on information. This is the information that I would like removed from the “about you” section of the website.

Perhaps the ski club should be grateful that this problem was aired by a responsible member of society, rather than by someone having their identity stolen. It’s not rocket science, so it is likely that someone else could, or even has already, made the same conclusion. Even without circulation in a public forum, to assume that it’s safe that only the members themselves know about this would seem to be very optimistic. Of course we would like to think that all members of the Ski Club are fine upstanding members of the community, with no criminals amongst us, but with thirty thousand (?) members it’s difficult to know this for sure, don’t you think? Similarly the cost of a membership is not too high an investment for someone deliberately looking for a security weakness such as this. If they’ll rifle through bins to get old bills, then God knows what else they might do.

I would hate to think what the Ski Club’s liability may be if the worst does happen and it is proven that it played a part in allowing it to happen.

I look forward to your reassurance that prompt steps have been taken to resolve this (hopefully potential) problem.
snow report



Terms and conditions  Privacy Policy