  1. #1
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114

    WARNING ~ FYI about Bike Nashbar

    I ordered pedals last night online from Bike Nashbar. WARNING: If you are going to order from them, I suggest ordering by phone.

    Something in their website is not secure and I have been on the phone the last hour with Customer Service straightening out a mess. Hopefully it is all corrected now, but it was scary. She was nice enough to offer me an additional 10% discount plus free shipping because of the error, but then again, their error put me in serious financial security risk.

    Whew!
    "Chisel praise in stone; write criticism in sand."

  2. #2
    Join Date
    Apr 2006
    Location
    Seattle
    Posts
    8,548
    well, cool that you got a discount. The lady I spoke to yesterday there was really nice too. I'll be shipping my shoes back there in the next day or so...
    Mimi Team TE BIANCHISTA
    for six tanks of gas you could have bought a bike.

  3. #3
    Join Date
    Jan 2007
    Location
    Southeast.
    Posts
    241
    That's a nice little warning and all, but what about it was "scary" and "a serious financial risk"?
    I have used their online charging services before (a few times) and had no issues. Stating a warning without proper backgrounding is a bit gray, yo.
    I enjoy it all.

    See Susan Ride Like A Girl.
    http://susancyclist.wordpress.com/

  4. #4
    Join Date
    Dec 2003
    Location
    Folsom CA
    Posts
    5,667
    I was wondering the same thing. Like Meg, I've ordered things online from Nashbar with no problems. Could you elaborate on what happened?

    2009 Lynskey R230 Houseblend - Brooks Team Pro
    2007 Rivendell Bleriot - Rivet Pearl

  5. #5
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    OK, sorry, let me see if I can explain what happened. (And I could be the only person that this ever happens to, but it was really weird.)

    I've never ordered a thing from Nashbar. I've looked at things several times recently, sometimes by links in posts on this forum.

    Last night I placed my first order. I noticed at the top right it said welcome XXXXX(name) and I thought "how weird" because it was also my husband's name, but he goes by a nickname. I was wondering HOW they knew. I should have known better and I should have clicked "log out", but it was late and I was just trying to order pedals. It stuck in the back of my mind all day as weird.

    I went back to the site today. It still said "welcome XXXX". I clicked to check the status of the order (entered the order number and my zip code from the confirmation email) and the order was under someone that I've never heard of in another state not even close to me for a billing address and the shipping address was listed as mine with my name.

    Sometime in all that time, I logged out of XXX and tried to sign in with my email address. Nashbar did not recognize me as having an account. I thought maybe I just forgot my password, so I clicked to have them send me my password. It did not recognize my email.

    I called Nashbar. Talked to one person...transferred me on to another person. They think that what happened was that when I clicked a link on a thread, somehow it took me to the page IN NASHBAR under THAT PERSON'S account!!! Which I didn't think could possibly happen.

    I placed my order and entered ALL OF MY CREDIT CARD information and it went on HIS ACCOUNT. So basically he had all of my credit card info.

    The lady was finally able to cancel my order since it was just last night and get all of my credit card information off of the other account.

    The lady said she wished she could explain to me how and why that happened, but she was going to report it to her supervisor. I don't know if this is all in the correct order or if it makes any sense, but that's what happened. Of course, if you already have a Nashbar account and it stays logged in all the time on your computer, this would never happen to you. I don't think. I'm really not sure.
    "Chisel praise in stone; write criticism in sand."

  6. #6
    Join Date
    Jan 2007
    Location
    Southeast.
    Posts
    241
    Thank you for the explanation; I've never had any problems with ordering from them. I think what happened was a serious glitch, but the lady sounded like she'd never heard of this occurrence before.
    I enjoy it all.

    See Susan Ride Like A Girl.
    http://susancyclist.wordpress.com/

  7. #7
    Join Date
    Feb 2006
    Location
    San Antonio, TX
    Posts
    2,024
    It does sound like at least some of the problem was user error, that is you entered personal information without completing a secure login. Yeh, you never should have been logged in as this guy, but that should have alerted you that something was up before you entered all your info. I have never had a security problem with nashbar, but I always use my secure log in.

  8. #8
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    I have never had a security problem with nashbar, but I always use my secure log in.
    I'm sure user error is correct.

    When I placed the stuff in my cart and went to checkout, I entered all of my information and really thought I was creating an account. I didn't realize I was logged into someone else's. I had no idea something like this was possible.

    I certainly will pay better attention from now on.

    Nashbar was great about it and told me several times to watch my credit card and if any balance other than the balance she gave me today was charged to my card, to call them back.
    "Chisel praise in stone; write criticism in sand."

  9. #9
    Join Date
    Apr 2007
    Location
    Limbo
    Posts
    8,769
    That's good to know.

    If you followed a link posted here, you were taken to that person's information.
    There was no ill intent but...
    it is nice to know that if you're going to post a link here you shouldn't be logged in to that website.

    And when you do order, just make sure you log in as you.
    Problem solved.
    2008 Trek FX 7.2/Terry Cite X
    2009 Jamis Aurora/Brooks B-68
    2010 Trek FX 7.6 WSD/stock bontrager

  10. #10
    Join Date
    Dec 2003
    Location
    Folsom CA
    Posts
    5,667
    Yikes, how bizarre! I'm glad they were able to help you out in the end. And I hope after all that hassle, the pedals work out well for you.

    2009 Lynskey R230 Houseblend - Brooks Team Pro
    2007 Rivendell Bleriot - Rivet Pearl

  11. #11
    Join Date
    Aug 2006
    Location
    Central Connecticut
    Posts
    195
    Sandra, make sure you download and run some good, solid Spyware scan software on your computer like Spybot or Spy Doctor, and keep your virus scan up-to-date and scan regularly. It could be that you have Spyware on your computer and someone's hijacked you, not Nashbar's fault.

    I'm not a computer expert by any means, but I do have two teenagers and have had more than my share of viruses, trojans and spyware to deal with. It's a jungle out here.
    Louise
    ~~~~~~~~~~~~~
    "You don't really ever have to fall. But kissing the ground is good because you learn you're not going to die if it happens."

    -- Jacquie "Alice B. Toeclips" Phelan, former U.S. national champion cyclist

  12. #12
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Right after that happened, I DID run a virus scan check and also Spy Sweeper. Everything seemed to be OK.

    The Nashbar site appears to be down today. Maybe they are working on the problem.
    "Chisel praise in stone; write criticism in sand."

  13. #13
    Join Date
    Aug 2005
    Location
    Philadelphia
    Posts
    144
    Originally posted by zencentury:
    And when you do order, just make sure you log in as you.
    Problem solved.
    Problem solved for Sandra, but not the other customer ...

    One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.

    That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. I would also suggest not using those "remember me on this computer" features so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.

    Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.

  14. #14
    Join Date
    Apr 2006
    Location
    Seattle
    Posts
    8,548
    Originally posted by susiej:
    Problem solved for Sandra, but not the other customer ...

    One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.

    That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. I would also suggest not using those "remember me on this computer" features so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.

    Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.
    better, don't share links from Bike Nashbar when you are logged in.

    M
    Mimi Team TE BIANCHISTA
    for six tanks of gas you could have bought a bike.

  15. #15
    Join Date
    Aug 2006
    Location
    Lubbock, TX
    Posts
    89
    I caught this once when I sent a link to my friend/co-worker from nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his pc and had access to all my account info on nashbar.... Now I'm very careful about not doing that anymore.

    Coming from system admin and development experience, it is very poor coding and design to allow a flaw such as that on any site, and the risk Nashbar is placing on their unknowing end users/customers is as unprofessional as it gets.
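
The behaviour reported in posts #5, #9 and #15 (a link shared while logged in opens the sharer's account) is what results when a site honours a session identifier carried in the URL; the thread does not confirm that this was the mechanism on Nashbar's site, so treat that as an assumption. The sketch below is an added example, not code from the site or from any poster, and the parameter names, the `shop.example` host and the in-memory session store are hypothetical. It contrasts that pattern with a handler that accepts the session only from the cookie and strips any session-like parameter from the link.

```javascript
// Added example. Parameter names, host and store are hypothetical.
const SESSION_PARAMS = new Set(["sid", "sessionid", "session_id", "jsessionid", "phpsessid"]);

// Constructed sample store: session id -> account.
const sessions = new Map([["a1b2c3", { user: "customer-A" }]]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Weak pattern: a session id is honoured wherever it appears, so anyone
// who opens a copied link is treated as the person who copied it.
function resolveSessionWeak(url, cookieHeader) {
  const u = new URL(url, "https://shop.example");
  const sid = u.searchParams.get("sid") || parseCookies(cookieHeader).sid;
  return sessions.get(sid) || null;
}

// Hardened pattern: only the cookie identifies the session. Session-like
// parameters in the URL are ignored, and the caller gets a clean path to
// redirect to so the id does not linger in the address bar or in links.
function resolveSessionStrict(url, cookieHeader) {
  const u = new URL(url, "https://shop.example");
  let stripped = false;
  for (const name of [...u.searchParams.keys()]) {
    if (SESSION_PARAMS.has(name.toLowerCase())) {
      u.searchParams.delete(name);
      stripped = true;
    }
  }
  const sid = parseCookies(cookieHeader).sid;
  return {
    session: sessions.get(sid) || null,
    redirectTo: stripped ? u.pathname + u.search : null,
  };
}
```

With the strict handler, a visitor who follows a shared link and has no cookie of their own is anonymous and has to log in or create an account before checkout.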

 

 
