Has anyone else noticed that the logins here are unencrypted? Archived From: FatWallet


ok back to topic;

Sumbody stole my interwebs login info OMG the end is near.



First they stole your avatar and now your intrawebs? OMGODZORZ!!!11!!111!!1!1!!!!!111!



Wineaux said: Yeah, I can say that I would prefer that SSL be used while our passwords and PPI are in transit. Honestly, it shouldn't be all that difficult to implement and would just keep our minds at ease a bit.

This seems to be the general response; most people think it makes sense to use encryption when passwords and PPI are in transit. At the very least I would hope that Fatwallet would at least give people the option of using SSL for such sessions.



Kandykornhead said: Shouldn't this thread be in FWFW?

It probably should, I wasn't sure where to place it but if someone wants to move it I would have no objections.



dalbers said: Wineaux said: Yeah, I can say that I would prefer that SSL be used while our passwords and PPI are in transit. Honestly, it shouldn't be all that difficult to implement and would just keep our minds at ease a bit.

This seems to be the general response; most people think it makes sense to use encryption when passwords and PPI are in transit. At the very least I would hope that Fatwallet would at least give people the option of using SSL for such sessions.


general response?

buffalobreath said: dalbers said: Am I the only one bothered by this? Apparently.
DenverDiver said: Damn, I used my SS# as my password
KayK said:
Mine is my CC # with Exp Date in MM/YY format and CVV at the end.

0AfterRebates said: The phone book also has your name, phone number and address. That is IF you have a landline.
I would be more worried about user names here. Many people reuse the same one and/or have very unique user names. Very easy to do a Google search and find your real name, address and phone number. Not to mention all the sites you visit, comments and videos you post.

oh yea some "General Response".



FWIW it looks like the site does utilize session cookies, so the login forms and the account page would be the only places requiring the changes.



FrugalFreak said: general response?

buffalobreath said: dalbers said: Am I the only one bothered by this? Apparently. oh yea some "General Response".
That was just a snarky smart-ass remark on my part, before the thread even got started, so please don't take that comment too seriously. Of course, you're welcome to take none of my comments, here or elsewhere, seriously.
On a more serious note, although I myself am not concerned about *my* personal information on FW, I do feel that since a real name and mailing address need to be provided for CashBack, and that is, after all, related to FW's revenue, this could be a business issue. FW can decide whether they're at risk for losing potential customers because they don't secure certain connections.



DangerBoy said: I'm no programmer. Looks like the only liability to me is the strength of your password on this site, and with your email. All identifiable info looks to be kept on the back end.

SSL would be nice too, but I don't keep any CC's or SSN's or bank info here.
But isn't the act of logging in itself, and all other activity, including viewing your profile, where your address and real name might be stored for CashBack purposes, in the clear?



I don't know. That is why I prefaced my post with "I am not a programmer".

I know my "tombstone" is in the clear, but my info is called from somewhere else. The PayPal feature uses PayPal's security.

I would like to have an SSL feature. Most forums I am a part of have it. Then again, I just don't know what security precautions FW is doing on the back end.



DangerBoy said: I don't know. That is why I prefaced my post with "I am not a programmer".

I know my "tombstone" is in the clear, but my info is called from somewhere else. The PayPal feature uses PayPal's security.

I would like to have an SSL feature. Most forums I am a part of have it. Then again, I just don't know what security precautions FW is doing on the back end.

SSL is largely irrelevant to the overall security of a site. Its intent is to just encrypt the traffic from point to point. So if Fatwallet is vulnerable to a SQL injection attack or something similar, the use of SSL will make no difference. Where SSL does help is in the day-to-day security of your transactions. Without SSL (or some other method of protecting the login, like using password hashes in the db and hashing the passwords before posting them), anytime you access Fatwallet your login and personal details are at risk of being seen by anyone in the path. This is most frequently the case if you are using open wifi at a hotel or cafe or just checking Fatwallet from your iPhone while at Starbucks on their wifi.

In my opinion Fatwallet should be using encryption whenever a user logs in and whenever a user accesses any data that might be classified as PPI. So if someone grabbed your login when you accessed the site from your laptop at the local Starbucks, all the layered security that Fatwallet may or may not have would be irrelevant since they have all they need to access your account. Of course the amount of damage this could cause is relative, but I have seen first-hand the amount of damage someone can do with even basic information. Look at all the damage that occurred from the Monster.com breach and that was "Just" CV data. This type of data is just the jump point into larger attempts at fraud.



It's pretty simple. As stated in the firm's response, your suggestion has been heard and dismissed. You can either leave if this is unacceptable to you, or you can stay and stop whining. You could also call the whambulance, or purchase some cheese to go with your wine.

It is what it is, take it or leave it.



jcole21 said: It's pretty simple. As stated in the firm's response, your suggestion has been heard and dismissed. You can either leave if this is unacceptable to you, or you can stay and stop whining. You could also call the whambulance, or purchase some cheese to go with your wine.

It is what it is, take it or leave it.

What is wrong with having a discussion about it? I selected the off topic forum and this seems like as much of a valid topic as anything else. Again if the Fatwallet moderators have an issue with this discussion they have tools to handle it or someone from fatwallet can weigh in, until then it seems appropriate for it to be discussed.

Maybe the reason "it is what it is" is because nobody ever raised it as an issue enough to be considered? Maybe now is the time to have a discussion on the subject?



Do you really think FW is your friend?

Back in the 1990s, did you think Saturn was your friend?



Not an issue for me. There are people here who have my phone number, others who have my address, many who have my email address. Pretty much all of you know my real name, or you should, and a (very) few know my last name. Most of you know generally where I live, if you've been paying attention at all. My CC number and my SSN aren't stored here, so I don't think there's much that could cause me problems.



Chiming in to point out that I run across a lot of bulletin boards that don't use SSL. Implementing SSL can become quite costly. I think last time I looked a good cert (VeriSign) ran around $400 - $1000 per server. In my mind it is not worth the performance and actual costs of the certs to protect the slim chance somebody wants to try and get your account. Plus if they want it that badly SSL probably is going to help and there are much easier ways of obtaining it.



dalbers said: Maybe now is the time to have a discussion on the subject?

OK, we've had the discussion, and now the meeting is over. Thank you for your time. Goodbye.



We hear you! This concern is definitely on our radar.



waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah



I agree that it's an issue for me. I travel a lot and often access the site from less than ideal places. For an operation the size of FatWallet, adding SSL isn't going to break the bank. It should be pretty much standard to use it for logins in this era.

For those people who have chided the poster, how is FatWallet supposed to know what its users' concerns are if no one posts them? It's not a matter of whining, it's a matter of letting those in charge know how we feel.



At first I admit I laughed but in reality, the ability to hijack someone's account and let's say cut a CashBack check to another address is a valid concern. If I recall correctly, I believe there have been users whose CashBack has reached hundreds or even thousands of dollars, correct? That's getting beyond petty amounts. You would only have to identify a user who makes a lot of purchases, intercept their login credentials and when the time is right, cut yourself a massive check. Highly unlikely but since we are talking real money here, you've got my vote OP.


© 1999-2009