WARNING ~ FYI about Bike Nashbar
sandra
07-31-2007, 01:48 PM
I ordered pedals last night online from Bike Nashbar. WARNING: If you are going to order from them, I suggest ordering by phone.
Something in their website is not secure and I have been on the phone the last hour with Customer Service straightening out a mess. Hopefully it is all corrected now, but it was scary. She was nice enough to offer me an additional 10% discount plus free shipping because of the error, but then again, their error put me at serious financial security risk.
Whew! :eek:
mimitabby
07-31-2007, 02:01 PM
well, cool that you got a discount. The lady I spoke to yesterday there was really nice too. I'll be shipping my shoes back there in the next day or so...
Meg McKilty
07-31-2007, 04:06 PM
That's a nice little warning and all, but what about it was "scary" and "a serious financial risk"?
I have used their online charging services before (a few times) and had no issues. Stating a warning without proper backgrounding is a bit gray, yo.
jobob
07-31-2007, 04:20 PM
I was wondering the same thing. Like Meg, I've ordered things online from Nashbar with no problems. Could you elaborate on what happened?
sandra
07-31-2007, 04:33 PM
OK, sorry, let me see if I can explain what happened. (And I could be the only person that this ever happens to, but it was really weird.)
I've never ordered a thing from Nashbar. I've looked at things several times recently, sometimes by links in posts on this forum.
Last night I placed my first order. I noticed at the top right it said welcome XXXXX(name) and I thought "how weird" because it was also my husband's name, but he goes by a nickname. I was wondering HOW they knew. I should have known better and I should have clicked "log out", but it was late and I was just trying to order pedals. It stuck in the back of my mind all day as weird.
I went back to the site today. It still said "welcome XXXX". I clicked to check the status of the order (entered the order number and my zip code from the confirmation email) and the order was under someone that I've never heard of in another state not even close to me for a billing address, and the shipping address was listed as mine with my name.
Sometime in all that time, I logged out of XXX and tried to sign in with my email address. Nashbar did not recognize me as having an account. I thought maybe I just forgot my password, so I clicked to have them send me my password. It did not recognize my email.
I called Nashbar. Talked to one person...transferred me on to another person. They think that what happened was that when I clicked a link on a thread, somehow it took me to the page IN NASHBAR under THAT PERSON'S account!!! Which I didn't think could possibly happen.
I placed my order and entered ALL OF MY CREDIT CARD information and it went on HIS ACCOUNT. So basically he had all of my credit card info.
The lady was finally able to cancel my order since it was just last night and get all of my credit card information off of the other account.
The lady said she wished she could explain to me how and why that happened, but she was going to report it to her supervisor. I don't know if this is all in the correct order or if it makes any sense, but that's what happened. Of course, if you already have a Nashbar account and it stays logged in all the time on your computer, this would never happen to you. I don't think. I'm really not sure. :(
Meg McKilty
07-31-2007, 05:43 PM
Thank you for the explanation; I've never had any problems with ordering from them. I think what happened was a serious glitch, but the lady sounded like she'd never heard of this occurrence before.
Triskeliongirl
07-31-2007, 05:49 PM
It does sound like at least some of the problem was user error, that is you entered personal information without completing a secure login. Yeh, you never should have been logged in as this guy, but that should have alerted you that something was up before you entered all your info. I have never had a security problem with nashbar, but I always use my secure log in.
sandra
07-31-2007, 05:55 PM
I have never had a security problem with nashbar, but I always use my secure log in.
I'm sure user error is correct.
When I placed the stuff in my cart and went to checkout, I entered all of my information and really thought I was creating an account. I didn't realize I was logged into someone else's. I had no idea something like this was possible.
I certainly will pay better attention from now on.
Nashbar was great about it and told me several times to watch my credit card and if any balance other than the balance she gave me today was charged to my card, to call them back.
That's good to know.
If you followed a link posted here, you were taken to that person's information.
There was no ill intent but...
it is nice to know that if you're going to post a link here you shouldn't be logged in to that website.
And when you do order, just make sure you log in as you.
Problem solved.
jobob
07-31-2007, 07:09 PM
Yikes, how bizarre! I'm glad they were able to help you out in the end. And I hope after all that hassle, the pedals work out well for you. :)
quint41
08-01-2007, 05:10 AM
Sandra, make sure you download and run some good, solid Spyware scan software on your computer like Spybot or Spy Doctor, and keep your virus scan up-to-date and scan regularly. It could be that you have Spyware on your computer and someone's hijacked you, not Nashbar's fault.
I'm not a computer expert by any means, but I do have two teenagers and have had more than my share of viruses, trojans and spyware to deal with. It's a jungle out here.
sandra
08-01-2007, 06:14 AM
Right after that happened, I DID run a virus scan check and also Spy Sweeper. Everything seemed to be OK.
The Nashbar site appears to be down today. Maybe they are working on the problem.
susiej
08-01-2007, 09:32 AM
And when you do order, just make sure you log in as you.
Problem solved.
Problem solved for Sandra, but not the other customer ...
One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? :eek: That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.
That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. :) I would also suggest not using that "remember me on this computer" feature, so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.
Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.
mimitabby
08-01-2007, 09:34 AM
Problem solved for Sandra, but not the other customer ...
One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? :eek: That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.
That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. :) I would also suggest not using that "remember me on this computer" feature, so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.
Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.
Better, don't share links from Bike Nashbar when you are logged in.
M
meridian
08-01-2007, 10:29 AM
I caught this once when I sent a link to my friend/co-worker from nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his pc and had access to all my account info on nashbar.... Now I'm very careful about not doing that anymore.
Coming from system admin and development experience, it is very poor coding and design to allow a flaw such as that on any site, and the risk Nashbar is placing on their unknowing end users/customers is as unprofessional as it gets.
VeloVT
08-01-2007, 10:34 AM
Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know, I know, they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).
meridian
08-01-2007, 10:38 AM
Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know, I know, they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).
I just finished sending an email to the web admin concerning this issue. You're right, the issue probably isn't flying on anyone's radar over there as it should be. And it is likely that the web admin won't even acknowledge the issue because it's probably outside of their area of responsibility.
I'll wait a day or so to see if a response is received. If not, I may be able to find the time to give them a call and see if we can get through to someone that can address the issue, unless someone beats me to the punch.
sandra
08-01-2007, 10:59 AM
Thank you! The lady that I spoke to was going to pass it along to her supervisor. I hope they get it resolved.
sandra
08-01-2007, 11:04 AM
I caught this once when I sent a link to my friend/co-worker from nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his pc and had access to all my account info on nashbar.... Now I'm very careful about not doing that anymore.
Well, that IS good to know because for a while I thought maybe this was a little bit crazy and kept wondering if it could really happen! So someone else HAS experienced it!
I keep wondering now which one of you I was logged in under. I've clicked Nashbar links a lot and it could have logged me in on the first links I clicked and left me logged in ???
Weird. I'm just happy I discovered it.
Tuckervill
08-01-2007, 11:11 AM
That's pretty scary. However, nowhere on Nashbar is my credit card information stored. It's not in my account information, or in the order status information. (I ordered tires on Monday and I just looked.) So, even if I did log into your account or you into mine, neither of us would be able to order stuff on the other's credit card. The best I could do would be to get your name, address, email and phone number.
It's not cool to be able to log into someone else's account through a link, but I don't think there was real danger there.
Karen
sandra
08-01-2007, 11:30 AM
That's good to know. That's one reason I wanted to post the warning but was also scared to post the details. The lady TOLD me that she had removed my credit card from their account, but I was still scared it was there.
I was able to see the name, address, phone and email. That is correct.
xeney
08-02-2007, 06:50 AM
Thank you for sharing this, Sandra. That is such monumentally crappy security/programming that it is enough to make me not trust anything else about Nashbar's shopping cart/account system. No way would I enter my credit card over there now after reading this.
This isn't "user error." This is a company that doesn't know or care enough to protect their users' privacy and financial info.
ShubieGA
08-02-2007, 09:56 AM
I wonder if the info is in a "cookie" on your system? It's a pain to delete all your cookies in IE, but it would confirm if it's on your computer vs. Nashbar. I have ordered from them, and have not seen this issue "so far".
xeney
08-02-2007, 10:58 AM
No, it wouldn't be a cookie stored in your system -- that would be the RIGHT way to do this. Instead, Nashbar is including the info in a non-encrypted page on their website, so that anyone with the right link can see your account information -- even without logging in as you. That is the only way this could have happened.
And it's really bad. It's beyond stupid. Websites that store much less sensitive information than addresses and phone numbers and possibly credit card numbers do a better job of hiding private information. See, for instance, Team Estrogen -- if I send you a link to a page in this forum, when you follow the link, you are still logged in (or not) to your own account; you don't see the page the way I see it when I'm logged into my own account. That's the proper way to do things, and I don't even understand how someone at Nashbar.com could have screwed it up so badly. Somebody needs firin'.
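An added illustration of the two designs xeney contrasts, written for this thread and not code from Nashbar or anyone in it. It assumes a session token named `sid`, a toy in-memory session store, and a constructed access-log format; the "vulnerable" handler accepts the token from the URL (so a copied link carries the login with it), the "fixed" handler only trusts the browser's own cookie, and a small log check flags links that expose tokens.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed session store for the demo (assumption): token -> account name.
SESSIONS = {"tok-a1b2": "alice", "tok-c3d4": "bob"}


def _cookie_token(cookie_header):
    """Return the session token carried in a Cookie header, if any."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    return morsel.value if morsel else None


def _url_token(url):
    """Return the session token carried in the URL query string, if any."""
    query = parse_qs(urlsplit(url).query)
    return query.get("sid", [None])[0]


def current_user_vulnerable(url, cookie_header=""):
    """Weak design: a token in the URL wins over the browser's cookie.
    A link copied out of a logged-in browser therefore carries the login
    with it, and whoever follows it is treated as the original user."""
    token = _url_token(url) or _cookie_token(cookie_header)
    return SESSIONS.get(token)


def current_user_fixed(url, cookie_header=""):
    """Corrected design: the user is identified only from the cookie the
    recipient's own browser holds. The same link opened elsewhere yields
    no session, matching the forum behaviour xeney describes."""
    return SESSIONS.get(_cookie_token(cookie_header))


def find_token_bearing_urls(log_lines):
    """Defender check: flag request paths in an access log that carry a
    session token, a sign that sessions are leaking into shareable links.
    Constructed log format (assumption): '<ip> <method> <path>'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and _url_token(parts[2]):
            flagged.append(parts[2])
    return flagged


if __name__ == "__main__":
    shared = "https://shop.example/item/42?sid=tok-a1b2"  # link alice copied
    print(current_user_vulnerable(shared))  # alice, in anyone's browser
    print(current_user_fixed(shared))       # None without alice's cookie
```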
Mr. Bloom
08-02-2007, 05:15 PM
and the order was under someone that I've never heard of in another state not even close to me for a billing address and the shipping address was listed as mine with my name.
Sandra, first I'd like to thank you for the pedals...they arrived today. Second, I'd like to thank you for the European vacation I put on your credit card:D :D :D
Just kidding. My favorite spyware is free http://www.lavasoft.com/
I use this one to supplement the virus/spyware that I purchased...
sandra
08-02-2007, 05:25 PM
Sandra, first I'd like to thank you for the pedals...they arrived today. Second, I'd like to thank you for the European vacation I put on your credit card:D :D :D
Just kidding. My favorite spyware is free http://www.lavasoft.com/
I use this one to supplement the virus/spyware that I purchased...
:eek: Have fun. Be sure and at least send me a postcard.
I have lavasoft in addition to Spy Sweeper. You can't be too aggressive these days.
invsblwmn
08-25-2007, 12:19 AM
:mad: I share your caution with Nashbar. They were purchased a while ago by Performance. At first I loved a couple of their products and shopped the returns section often. Suddenly almost every purchase had a problem. First it was product not in stock after getting a confirmation. Then I had a billing problem with them AND with Performance. I discovered that they were fraudulently over billing my credit card. It was by $0.01 or $0.05 cents usually. I looked through ALL of my receipts and double checked with credit card statements and found over 25% were over billed. One was for over $6 on a $20 order.
I had to file a BBB report as customer service only replied by commenting "What was the reason you were overbilled?" I tried to explain that my receipt and credit card charges didn't match and this happened on two different cards (Citi and Chase). They just stopped responding, my Performance points disappeared and the BBB is trying to get a response from them. I also filed a report with my credit card companies, which immediately issued refunds to me and indicated they were investigating the issue. I lastly notified the FTC as this is illegal activity and Performance Inc. is a little arrogant about it. It would have been dropped if they had just refunded the overcharges to me.
It makes me sad because a couple of their products are exceptional, but I will not do business with them unless I can send a check or use pay pal as they cannot be trusted to bill appropriately to the credit card. Careful!!!
sandra
08-25-2007, 03:32 AM
Another weird thing that happened to me since my order:
Back when this happened, I logged out of the other person's account. I didn't save a link to Nashbar, so this week I did a google search for "Nashbar" and clicked on Nashbar, it said "hello XXXX" at the top again. I could see what he had in his cart!!
Yes, it could be cookies on my computer, but on any other site if I log out and go back to the site I am STILL logged out.
Tuckervill
08-25-2007, 06:38 AM
Nashbar got purchased by Performance? That's too bad. I guess that's why it took so long to get the pedals I bought a few weeks ago.
I know one thing, I've been inundated with emails from both places lately. If Performance is going to be running things, I probably won't be using Nashbar anymore.
Karen
emily_in_nc
08-25-2007, 06:09 PM
:mad: First it was product not in stock after getting a confirmation.
I had the same problem with Nashbar -- a pair of shoes in my size showed up as on sale, I got a confirmation, yay, then the next day an email that that item could not be fulfilled. Thank you very much, have a nice day. VERY rare for any online retailer to advertise something on their site and then simply not have it at all (not even by back order). I admit that I've ordered from them once or twice since if I couldn't find something elsewhere or if the sale was amazing, but I'm not crazy about them.
I'm not happy with Performance automatically renewing my Team Performance membership and charging it to my CC either. I got two emails from them saying they were doing it, and it took three emails to customer service to have the charge reversed. I am sure I am not the only one who finds these kind of "automatic" charges that we don't even have a chance to opt-in for VERY annoying!
Emily
invsblwmn
08-26-2007, 09:03 AM
This might explain why there were MULTIPLE problems from June to Current with sales, shipping, etc....
Goldsmith Agio Helms Announces the Sale of its Client, Performance Bicycle
NEW YORK, NY – July 12, 2007:
Goldsmith Agio Helms is pleased to announce the recapitalization of its client, Performance, Inc. (“Performance Bicycle” or the “Company”), through a controlling equity investment by North Castle Partners (“North Castle”), and significant equity participation from the Company’s management team. Performance Bicycle is the largest independent bicycle dealer and direct marketer of bicycles and cycling accessories in the United States.
Bigger company, more marketing dollars, less concern about customer service.
I am banning them, sadly, just can't trust them. I use pricepoint.com now and others. That REI.com sale is really amazing. Got 3 jerseys, less than $20 each. Try to do that at NONperformance.com! :p
KnottedYet
08-07-2009, 06:55 PM
Oh, goodie, I just got the "We are sorry, our computers were hacked 3 months ago and your credit card numbers, address, name, phone number, account name, and password were among the data stolen. Please notify your bank. Here's a 30% off coupon code good for the next 3 weeks."
Bah! :mad:
Blueberry
08-07-2009, 07:19 PM
Look out for Google profit and the associated companies. Apparently, they got the ccard numbers from the security breach at Nashbar (and caused us all manner of cr*p).
CA
sundial
08-08-2009, 02:30 AM
Oh, goodie, I just got the "We are sorry, our computers were hacked 3 months ago and your credit card numbers, address, name, phone number, account name, and password were among the data stolen. Please notify your bank. Here's a 30% off coupon code good for the next 3 weeks."
Bah! :mad:
Got that same letter too! I try to shop here where it's safe and secure.
uforgot
08-08-2009, 04:29 AM
Hey, maybe that's what happened to me. I got a letter from my cc company about a month ago and they were issuing me a new card. Said the other one had been compromised by a merchant, but of course they can't tell me who. This fits. No more ordering there!
Selkie
08-08-2009, 04:33 AM
Isn't Performance connected to Nashbar somehow?
After people started noticing that Performance was playing games in terms of charging a few cents more to credit cards than the actual purchases, I stopped shopping there. I no longer buy from Nashbar either.
TxDoc
08-08-2009, 01:51 PM
Oh, goodie, I just got the "We are sorry, our computers were hacked 3 months ago and your credit card numbers, address, name, phone number, account name, and password were among the data stolen. Please notify your bank. Here's a 30% off coupon code good for the next 3 weeks."
Bah! :mad:
Yep, exactly the same letter I received last week.
Unfortunately, it came almost two months after some losers in Florida used my credit card number (the same # I used to purchase a derailleur on Nashbar) to purchase local newspaper subscriptions and online dating! :mad:
Besides being thieves, what kind of losers have to date online instead of dating in the real world???
At the time I had to spend a whole day off work to deal with police reports, bank investigations, changing all card numbers, placing fraud alerts on the credit report, etc.
So much fun, yeah... :(
As far as I am concerned, Bike Nashbar can run out of business tomorrow!
KnottedYet
08-08-2009, 02:07 PM
Luckily (according to the bank and my own records) what they hacked from Nashbar was my old credit card with my maiden name and a completely different number. That account was closed after I got married.
But I still would have liked to have known about the hacking SOONER than THREE MONTHS after the fact!!!
I won't be ordering from Nashbar anymore. Especially because I've found a local bike shop who will order anything I find on the internet for me, and meet the price posted on the internet. They also give me a discount (they have a lot of discounts: for Cascade bike club members, students, Team Survivor members, etc.) that almost exactly cancels out sales tax. No incentive for me to buy off the internet anymore, and I am able to support a local business while getting exactly what I want!
sundial
08-09-2009, 02:16 AM
Besides being thieves, what kind of losers have to date online instead of dating in the real world???
My thieves had a sense of humor. I got a classic NetFlix movie and a subscription to a dating service.