Or that in general SSL isn't used any place Personal Private Information (PPI) is transmitted. This site has: my email address, my name, my local address, purchase history, etc.
I opened a ticket on this subject and got a polite reply but was essentially told they have thought about it but no ETA.
I would AT LEAST expect that the login process would occur over SSL (Or even better hash the passwords in the db and hash before they are submitted) and I would hope that any page that shows my home address be encrypted but neither seems to be done.
they have your name and address, but many other mailing lists have that so I don't see the big deal. If you ask them, I'm sure they will purge your membership so they don't have any info. BTW the info they do have YOU provided to them under no SSL which YOU provided so the blame falls on YOU.
dalbers
New Member
posted: Jul. 9, 2009 @ 1:10p
FrugalFreak said: It isn't like they have credit card info
they have your name and address, but many other mailing lists have that so I don't see the big deal. If you ask them, I'm sure they will purge your membership so they don't have any info. BTW the info they do have YOU provided to them under no SSL which YOU provided so the blame falls on YOU.
Correct, I registered without thinking and I should have known better, but most people do not realize the risk, and any company that collects this data should do the right thing and ensure that it is encrypted when transmitted. Are they legally required to encrypt? Not according to most of the new state laws that are popping up; they generally only require it if financial account information is also stored with the PPI.
Let's look at this more simply though: many of us rely on Fatwallet to process some form of financial transactions for us, so why shouldn't we expect them to encrypt that data when it is transmitted over a public network? I never reuse passwords but most people do, so they might be sending their email password in the clear with their address without thinking about it!
Honestly, we don't have any "really" personal information. Sure, there's your address if you enter it, but we don't have your CC info or anything else other than your email. If you're that worried about your email, you can always use a junk account.
dalbers
New Member
posted: Jul. 9, 2009 @ 4:37p
MVP9596 said: *Takes notes on KK's info*
Honestly, we don't have any "really" personal information. Sure, there's your address if you enter it, but we don't have your CC info or anything else other than your email. If you're that worried about your email, you can always use a junk account.
You require my address to send a check, correct? So the very act of participating in the services the site provides requires that I send PPI. Obviously I am in the minority here and my concern is greater than the average user's here, but it concerns me when any organization attempts to rationalize against using something so basic as encrypting customer PPI when it is in transit.
The phone book also has your name, phone number and address. That is IF you have a landline.
I would be more worried about user names here. Many people reuse the same one and/or have very unique user names. Very easy to do a Google search and find your real name, address and phone number. Not to mention all the sites you visit, comments and videos you post.
dalbers said: You require my address to send a check, correct? So the very act of participating in the services the site provides requires that I send PPI. Obviously I am in the minority here and my concern is greater than the average user's here, but it concerns me when any organization attempts to rationalize against using something so basic as encrypting customer PPI when it is in transit.
He has a point, MVP. Seriously.
dalbers said: You require my address to send a check, correct? So the very act of participating in the services the site provides requires that I send PPI. Obviously I am in the minority here and my concern is greater than the average user's here, but it concerns me when any organization attempts to rationalize against using something so basic as encrypting customer PPI when it is in transit.
Would you like FW to rid you of your SSL issues?
This is from Fatwallet's TOS/website use policy that you agreed to adhere to when you joined. Your joining and continued use means you agreed to this:
FatWallet DOES NOT MAKE ANY REPRESENTATIONS THAT ACCESS TO THIS SITE WILL BE UNINTERRUPTED OR ERROR-FREE, AND FatWallet ASSUMES NO RESPONSIBILITY FOR ANY DAMAGE CAUSED BY YOUR ACCESS, OR INABILITY TO ACCESS, THIS SITE, INCLUDING, BUT NOT LIMITED TO, YOUR INABILITY TO RECEIVE FatWallet Cash Back BY PURCHASING ITEMS WITH A PARTICIPATING MERCHANT. IN NO EVENT SHALL FatWallet BE LIABLE FOR ANY DAMAGES, CLAIMS OR LOSSES INCURRED (INCLUDING WITHOUT LIMITATION COMPENSATORY, INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES), HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY ARISING IN CONNECTION WITH YOUR USE OF FatWallet.com; ANY ACT OR OMISSION BY FatWallet IN ADMINISTERING THE WEBSITE OR THE PROGRAM; OR THE PURCHASE OR USE OF ANY GOODS OR SERVICES OF MERCHANTS OR SUPPLIERS, EVEN IF FatWallet HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, CLAIMS, OR LOSSES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. NOTWITHSTANDING THE FOREGOING, IN NO EVENT SHALL FatWallet BE LIABLE TO YOU FOR DIRECT DAMAGES CAUSED BY FatWallet IN EXCESS OF THE Cash Back EARNED BY YOU DURING THE MOST RECENT SIX (6) MONTHS. SOME STATES DO NOT ALLOW LIMITATIONS ON INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
no, if, and or butt.
Does the TOS forbid them from rethinking their policy or from someone pointing out to them that they should reconsider? Throwing the TOS into this thread solves nothing and has no relevance; I am raising the concern in this forum in the hope that it might help Fatwallet make the decision to change their practice.
I'm no programmer. Looks like the only liability to me is the strength of your password on this site, and with your email. All identifiable info looks to be kept on the back end.
SSL would be nice too, but I don't keep any CC's or SSN's or bank info here.
It IS relevant. I'm sure FW will consider but will not be moved to act just because you raise the issue. They CTA and I just wanted to point that out in case you had devious thoughts concerning lawsuits, etc...
DangerBoy said: I'm no programmer. Looks like the only liability to me is the strength of your password on this site, and with your email. All identifiable info looks to be kept on the back end.
SSL would be nice too, but I don't keep any CC's or SSN's or bank info here.
Seems like it could be a "finger in chili" issue to me.
Yeah, I can say that I would prefer that SSL be used while our passwords and PPI are in transit. Honestly, it shouldn't be all that difficult to implement and would just keep our minds at ease a bit.
dalbers
New Member
posted: Jul. 9, 2009 @ 5:40p
FrugalFreak said:
it IS relevant. I'm sure FW will consider but will not be moved to act just because you raise the issue. They CTA and I just wanted to point that out in case you had devious thoughts concerning lawsuits, etc...
I am sure that Fatwallet appreciates your zealous responses to this thread and your "protection" of their interests.... I am sure that if this thread violates their TOS in any way they will handle it. Now back to the original topic...
First they stole your avatar and now your intrawebs? OMGODZORZ!!!11!!111!!1!1!!!!!111!
dalbers
New Member
posted: Jul. 9, 2009 @ 6:12p
Wineaux said: Yeah, I can say that I would prefer that SSL be used while our passwords and PPI are in transit. Honestly, it shouldn't be all that difficult to implement and would just keep our minds at ease a bit.
This seems to be the general response; most people think it makes sense to use encryption when passwords and PPI are in transit. At the very least I would hope that Fatwallet would give people the option of using SSL for such sessions.
dalbers
New Member
posted: Jul. 9, 2009 @ 6:14p
Kandykornhead said: Shouldn't this thread be in FWFW?
It probably should, I wasn't sure where to place it but if someone wants to move it I would have no objections.
dalbers said: This seems to be the general response; most people think it makes sense to use encryption when passwords and PPI are in transit. At the very least I would hope that Fatwallet would give people the option of using SSL for such sessions.
general response?
buffalobreath said: dalbers said: Am I the only one bothered by this? Apparently.
DenverDiver said: Damn, I used my SS# as my password
KayK said: Mine is my CC # with Exp Date in MM/YY format and CVV at the end.
0AfterRebates said: The phone book also has your name, phone number and address. That is IF you have a landline. I would be more worried about user names here. Many people reuse the same one and/or have very unique user names. Very easy to do a Google search and find your real name, address and phone number. Not to mention all the sites you visit, comments and videos you post.
Oh yeah, some "general response".
dalbers
New Member
posted: Jul. 9, 2009 @ 6:34p
FWIW it looks like the site does utilize session cookies, so the login forms and the account page would be the only places requiring the changes.
buffalobreath said: dalbers said: Am I the only one bothered by this? Apparently. Oh yeah, some "general response".
That was just a snarky smart-ass remark on my part, before the thread even got started, so please don't take that comment too seriously. Of course, you're welcome to take none of my comments, here or elsewhere, seriously. On a more serious note, although I myself am not concerned about *my* personal information on FW, I do feel that since a real name and mailing address need to be provided for CashBack, and that is, after all, related to FW's revenue, this could be a business issue. FW can decide whether they're at risk for losing potential customers because they don't secure certain connections.
DangerBoy said: I'm no programmer. Looks like the only liability to me is the strength of your password on this site, and with your email. All identifiable info looks to be kept on the back end.
SSL would be nice too, but I don't keep any CC's or SSN's or bank info here.
But isn't the act of logging in itself, and all other activity, including viewing your profile, where your address and real name might be stored for CashBack purposes, in the clear?
I don't know. That is why I prefaced my post with "I am not a programmer".
I know my "tombstone" is in the clear, but my info is called from somewhere else. The PayPal feature uses PayPal's security.
I would like to have an SSL feature. Most forums I am a part of have it. Then again, I just don't know what security precautions FW is doing on the back end.
dalbers
New Member
posted: Jul. 9, 2009 @ 9:13p
DangerBoy said: I don't know. That is why I prefaced my post with "I am not a programmer".
I know my "tombstone" is in the clear, but my info is called from somewhere else. The PayPal feature uses PayPal's security.
I would like to have an SSL feature. Most forums I am a part of have it. Then again, I just don't know what security precautions FW is doing on the back end.
SSL is largely irrelevant to the overall security of a site. Its intent is just to encrypt the traffic from point to point. So if Fatwallet is vulnerable to a SQL injection attack or something similar, the use of SSL will make no difference. Where SSL does help is in the day-to-day security of your transactions. Without SSL (or some other method of protecting the login, like using password hashes in the db and hashing the passwords before posting them), any time you access Fatwallet your login and personal details are at risk of being seen by anyone in the path. This happens most frequently if you are using open wifi at a hotel or cafe, or just checking Fatwallet from your iPhone while at Starbucks on their wifi.
In my opinion Fatwallet should be using encryption whenever a user logs in and whenever a user accesses any data that might be classified as PPI. So if someone grabbed your login when you accessed the site from your laptop at the local Starbucks, all the layered security that Fatwallet may or may not have would be irrelevant since they have all they need to access your account. Of course the amount of damage this could cause is relative, but I have seen first-hand the amount of damage someone can do with even basic information. Look at all the damage that occurred from the Monster.com breach and that was "just" CV data. This type of data is just the jump point into larger attempts at fraud.
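The "anyone in the path" point above, as an added example that is not part of the thread and is not FatWallet's code: the first function shows exactly what a sniffer on the same open Wi-Fi segment recovers from a plaintext login POST and from the session cookie the site sends on every later page view, versus the opaque record header it sees when the same messages go over TLS. The second function is the check a practitioner would run if, as suggested earlier in the thread, only the login form and account page were moved to HTTPS: a session cookie set without the Secure flag is still sent by the browser with every http:// page load, so the cookie (which is the logged-in session) leaks anyway. The hostname, paths, form field names, cookie names and captured bytes are all constructed for illustration.

```python
"""Added example, not from the thread or from FatWallet: what an on-path
observer recovers from plaintext HTTP, and a Set-Cookie audit for the
case where only some pages are served over HTTPS."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed messages (hostname, paths, fields, values are all made up),
# laid out as a sniffer would reassemble them from a plaintext TCP stream.
LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=dalbers&password=Hunter2%21"
)
ACCOUNT_GET = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: forum.example.com\r\n"
    b"Cookie: session=9f3c2a1b7e; theme=dark\r\n"
    b"\r\n"
)
# Constructed TLS 1.x handshake record: type 0x16, version 0x0301, length,
# then opaque bytes. This is all the observer sees for an HTTPS login.
TLS_RECORD = b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b\x03\x03" + b"\x00" * 41

WEAK_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: session=9f3c2a1b7e; Path=/\r\n"
    b"Location: /account\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: session=9f3c2a1b7e; Path=/; Secure; HttpOnly\r\n"
    b"Location: /account\r\n"
    b"\r\n"
)


def parse_http(raw: bytes):
    """Split a plaintext HTTP message into (start line, [(name, value)...], body).
    Headers are returned as a list so repeated Set-Cookie headers survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def sniff_secrets(raw: bytes) -> dict:
    """Everything an on-path observer can read from one captured message."""
    if raw[:2] == b"\x16\x03":
        # TLS handshake record: the HTTP inside it is not visible at all.
        return {"tls_record": True}
    start, headers, body = parse_http(raw)
    found = {"request": start, "credentials": {}, "cookies": {}}
    if dict(headers).get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # Form-encoded login body: username and password in the clear.
        form = parse_qs(body.decode("latin-1"))
        found["credentials"] = {k: v[0] for k, v in form.items()}
    for name, value in headers:
        if name == "cookie":
            # The session cookie alone is enough to act as the logged-in user.
            jar = SimpleCookie()
            jar.load(value)
            found["cookies"].update({k: m.value for k, m in jar.items()})
    return found


def audit_set_cookie(response: bytes) -> list:
    """Flag cookies the browser would send back over plain http:// or expose to script."""
    _, headers, _ = parse_http(response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"{cname}: missing Secure flag (sent over http:// too)")
            if not morsel["httponly"]:
                findings.append(f"{cname}: missing HttpOnly flag (readable by page script)")
    return findings


if __name__ == "__main__":
    for msg in (LOGIN_POST, ACCOUNT_GET, TLS_RECORD):
        print(sniff_secrets(msg))
    print("weak:", audit_set_cookie(WEAK_RESPONSE))
    print("hardened:", audit_set_cookie(HARDENED_RESPONSE))
```

Two things worth noting from the output. Whatever is captured from the login POST is a replayable credential, so hashing the password in the browser before submitting it changes what is captured but not whether it can be replayed against the login form; only transport encryption keeps the observer from seeing it. And the cookie audit is the part that matters once HTTPS is added to the login page alone: without the Secure attribute the browser will present the session cookie on every plain http:// forum page, which hands the observer the session without ever needing the password.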
jcole21
Senior Member
posted: Jul. 9, 2009 @ 9:37p
It's pretty simple. As stated in the firm's response, your suggestion has been heard and dismissed. You can either leave if this is unacceptable to you, or you can stay and stop whining. You could also call the whambulance, or purchase some cheese to go with your wine.
It is what it is, take it or leave it.
dalbers
New Member
posted: Jul. 9, 2009 @ 9:51p
jcole21 said: It's pretty simple. As stated in the firm's response, your suggestion has been heard and dismissed. You can either leave if this is unacceptable to you, or you can stay and stop whining. You could also call the whambulance, or purchase some cheese to go with your wine.
It is what it is, take it or leave it.
What is wrong with having a discussion about it? I selected the off topic forum and this seems like as much of a valid topic as anything else. Again, if the Fatwallet moderators have an issue with this discussion they have tools to handle it, or someone from Fatwallet can weigh in; until then it seems appropriate for it to be discussed.
Maybe the reason "it is what it is" is because nobody ever raised it as an issue enough to be considered? Maybe now is the time to have a discussion on the subject?
Not an issue for me. There are people here who have my phone number, others who have my address, many who have my email address. Pretty much all of you know my real name, or you should, and a (very) few know my last name. Most of you know generally where I live, if you've been paying attention at all. My CC number and my SSN aren't stored here, so I don't think there's much that could cause me problems.
chader144
New Member
posted: Jul. 10, 2009 @ 8:31a
Chiming in to point out that I run across a lot of bulletin boards that don't use SSL. Implementing SSL can become quite costly. I think last time I looked a good cert (Verisign) ran around $400 - $1000 per server. In my mind it is not worth the performance and actual costs of the certs to protect the slim chance somebody wants to try and get your account. Plus if they want it that badly SSL probably is going to help and there are much easier ways of obtaining it.
dalbers said: Maybe now is the time to have a discussion on the subject?
OK, we've had the discussion, and now the meeting is over. Thank you for your time. Goodbye.
I agree that it's an issue for me. I travel a lot and often access the site from less than ideal places. For an operation the size of FatWallet, adding SSL isn't going to break the bank. It should be pretty much standard to use it for logins in this era.
For those people who have chided the poster, how is FatWallet supposed to know what its users' concerns are if no one posts them? It's not a matter of whining, it's a matter of letting those in charge know how we feel.
At first I admit I laughed but in reality, the ability to hijack someone's account and, let's say, cut a CashBack check to another address is a valid concern. If I recall correctly, I believe there have been users whose CashBack has reached hundreds or even thousands of dollars, correct? That's getting beyond petty amounts. You would only have to identify a user who makes a lot of purchases, intercept their login credentials and when the time is right, cut yourself a massive check. Highly unlikely but since we are talking real money here, you've got my vote OP.
mudley said: I can assure you, your password is very salty and hashed
As great as it is that you are protecting the data on your end, you are putting your customers' accounts at risk of being compromised by not using SSL. Granted, the information someone could obtain may not be of the utmost secrecy, but nonetheless, it should remain confidential if that's what your members want. SSL adds a tremendous amount of overhead, both on bandwidth and server processing. I'm not advocating SSL for accessing all areas of FW, but it would be in everyone's best interest if you at least used SSL for login pages and anything having to do with personal information, CashBack, etc.