  1. #1
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    I have never had a security problem with nashbar, but I always use my secure log in.
    I'm sure user error is correct.

    When I placed the stuff in my cart and went to checkout, I entered all of my information and really thought I was creating an account. I didn't realize I was logged into someone else's. I had no idea something like this was possible.

    I certainly will pay better attention from now on.

    Nashbar was great about it and told me several times to watch my credit card and if any balance other than the balance she gave me today was charged to my card, to call them back.
    "Chisel praise in stone; write criticism in sand."

  2. #2
    Join Date
    Apr 2007
    Location
    Limbo
    Posts
    8,769
    That's good to know.

    If you followed a link posted here, you were taken to that person's information.
    There was no ill intent but...
    it is nice to know that if you're going to post a link here you shouldn't be logged in to that website.

    And when you do order, just make sure you log in as you.
    Problem solved.
    2008 Trek FX 7.2/Terry Cite X
    2009 Jamis Aurora/Brooks B-68
    2010 Trek FX 7.6 WSD/stock bontrager

  3. #3
    Join Date
    Dec 2003
    Location
    Folsom CA
    Posts
    5,667
    Yikes, how bizarre! I'm glad they were able to help you out in the end. And I hope after all that hassle, the pedals work out well for you.

    2009 Lynskey R230 Houseblend - Brooks Team Pro
    2007 Rivendell Bleriot - Rivet Pearl

  4. #4
    Join Date
    Aug 2006
    Location
    Central Connecticut
    Posts
    195
    Sandra, make sure you download and run some good, solid Spyware scan software on your computer like Spybot or Spy Doctor, and keep your virus scan up-to-date and scan regularly. It could be that you have Spyware on your computer and someone's hijacked you, not Nashbar's fault.

    I'm not a computer expert by any means, but I do have two teenagers and have had more than my share of viruses, trojans and spyware to deal with. It's a jungle out here.
    Louise
    ~~~~~~~~~~~~~
    "You don't really ever have to fall. But kissing the ground is good because you learn you're not going to die if it happens."

    -- Jacquie "Alice B. Toeclips" Phelan, former U.S. national champion cyclist

  5. #5
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Right after that happened, I DID run a virus scan check and also Spy Sweeper. Everything seemed to be OK.

    The Nashbar site appears to be down today. Maybe they are working on the problem.
    "Chisel praise in stone; write criticism in sand."

  6. #6
    Join Date
    Aug 2005
    Location
    Philadelphia
    Posts
    144
    Originally posted by zencentury:
    And when you do order, just make sure you log in as you.
    Problem solved.
    Problem solved for Sandra, but not the other customer ...

    One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.

    That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. I would also suggest not using those "remember me on this computer" features so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.

    Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.

  7. #7
    Join Date
    Apr 2006
    Location
    Seattle
    Posts
    8,548
    Originally posted by susiej:
    Problem solved for Sandra, but not the other customer ...

    One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.

    That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. I would also suggest not using those "remember me on this computer" features so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.

    Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.
    better, don't share links from Bike Nashbar when you are logged in.

    M
    Mimi Team TE BIANCHISTA
    for six tanks of gas you could have bought a bike.

  8. #8
    Join Date
    Aug 2006
    Location
    Lubbock, TX
    Posts
    89
    I caught this once when I sent a link to my friend/co-worker from nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his pc and had access to all my account info on nashbar.... Now I'm very careful about not doing that anymore.

    Coming from system admin and development experience, it is very poor coding and design to allow a flaw such as that on any site, and the risk Nashbar is placing on their unknowing end users/customers is as unprofessional as it gets.
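
Added example, not part of the thread and not any site's own code: the thread does not say how a shared link carried the poster's login, so this sketch assumes one common cause, a session identifier in the link's query string. The parameter names, the `shop.example` link and the session store are constructed for illustration; the block contrasts a resolver that trusts the link with one that reads only the visitor's own cookie, and adds a helper that strips session-like parameters before a link is shared.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed session store: session id -> account name (sample data).
SESSIONS = {"a1b2c3": "alice"}
# Hypothetical parameter names that commonly carry a session id in a URL.
SESSION_PARAMS = {"sid", "sessionid", "jsessionid"}


def session_from_url_or_cookie(url, cookies):
    """Weak pattern: a session id in the link is trusted, so the link is a login."""
    query = dict(parse_qsl(urlsplit(url).query))
    sid = query.get("sid") or cookies.get("sid")
    return SESSIONS.get(sid)


def session_from_cookie_only(url, cookies):
    """Hardened pattern: only the browser's own cookie identifies the session."""
    return SESSIONS.get(cookies.get("sid"))


def shareable_link(url):
    """Drop session-like query parameters before a link is posted or e-mailed."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed link, as copied from a logged-in browser's address bar.
ALICE_LINK = "https://shop.example/product?item=pedals&sid=a1b2c3"


def demo():
    visitor_cookies = {}  # a different person who has never logged in
    return {
        "weak": session_from_url_or_cookie(ALICE_LINK, visitor_cookies),
        "hardened": session_from_cookie_only(ALICE_LINK, visitor_cookies),
        "clean_link": shareable_link(ALICE_LINK),
    }


if __name__ == "__main__":
    print(demo())
```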

  9. #9
    Join Date
    Aug 2006
    Location
    Vermont
    Posts
    1,414
    Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know I know they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).

  10. #10
    Join Date
    Aug 2006
    Location
    Lubbock, TX
    Posts
    89
    Originally posted by liza:
    Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know I know they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).
    I just finished sending an email to the web admin concerning this issue. You're right, the issue probably isn't flying on anyone's radar over there as it should be. And it is likely that the web admin won't even acknowledge the issue because it's probably outside of their area of responsibility.

    I'll wait a day or so to see if a response is received. If not, I may be able to find the time to give them a call and see if we can get through to someone that can address the issue, unless someone beats me to the punch.

  11. #11
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Originally posted by meridian:
    I caught this once when I sent a link to my friend/co-worker from nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his pc and had access to all my account info on nashbar.... Now I'm very careful about not doing that anymore.
    Well, that IS good to know because for a while I thought maybe this was a little bit crazy and kept wondering if it could really happen! So someone else HAS experienced it!

    I keep wondering now which one of you I was logged in under. I've clicked Nashbar links a lot and it could have logged me in on the first links I clicked and left me logged in ???

    Weird. I'm just happy I discovered it.
    "Chisel praise in stone; write criticism in sand."

  12. #12
    Join Date
    Aug 2007
    Location
    PA
    Posts
    176

    Nashbar/Performance Inc:(

    I share your caution with Nashbar. They were purchased a while ago by Performance. At first I loved a couple of their products and shopped the returns section often. Suddenly almost every purchase had a problem. First it was product not in stock after getting a confirmation. Then I had a billing problem with them AND with Performance. I discovered that they were fraudulently over billing my credit card. It was by $0.01 or $0.05 cents usually. I looked through ALL of my receipts and double checked with credit card statements and found over 25% were over billed. One was for over $6 on a $20 order.
    I had to file a BBB report as customer service only replied by commenting "What was the reason you were overbilled?" I tried to explain that my receipt and credit card charges didn't match and this happened on two different cards (Citi and Chase). They just stopped responding, my Performance points disappeared and the BBB is trying to get a response from them. I also filed a report with my credit card companies, which immediately issued refunds to me and indicated they were investigating the issue. I lastly notified the FTC as this is illegal activity and Performance Inc is a little arrogant about it. It would have been dropped if they had just refunded the overcharges to me.
    It makes me sad because a couple of their products are exceptional, but I will not do business with them unless I can send a check or use PayPal as they cannot be trusted to bill appropriately to the credit card. Careful!!!

  13. #13
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Another weird thing that happened to me since my order:

    Back when this happened, I logged out of the other person's account. I didn't save a link to Nashbar, so this week I did a google search for "Nashbar" and clicked on Nashbar, it said "hello XXXX" at the top again. I could see what he had in his cart!!

    Yes, it could be cookies on my computer, but on any other site if I log out and go back to the site I am STILL logged out.
    "Chisel praise in stone; write criticism in sand."

  14. #14
    Join Date
    Jul 2003
    Location
    Traveling Nomad
    Posts
    6,763
    Originally posted by invsblwmn:
    First it was product not in stock after getting a confirmation.
    I had the same problem with Nashbar -- a pair of shoes in my size showed up as on sale, I got a confirmation, yay, then the next day an email that that item could not be fulfilled. Thank you very much, have a nice day. VERY rare for any online retailer to advertise something on their site and then simply not have it at all (not even by back order). I admit that I've ordered from them once or twice since if I couldn't find something elsewhere or if the sale was amazing, but I'm not crazy about them.

    I'm not happy with Performance automatically renewing my Team Performance membership and charging it to my CC either. I got two emails from them saying they were doing it, and it took three emails to customer service to have the charge reversed. I am sure I am not the only one who finds these kinds of "automatic" charges that we don't even have a chance to opt-in for VERY annoying!

    Emily

    2011 Jamis Dakar XC "Toto" - Selle Italia Ldy Gel Flow
    2007 Trek Pilot 5.0 WSD "Gloria" - Selle Italia Diva Gel Flow
    2004 Bike Friday Petite Pocket Crusoe - Selle Italia Diva Gel Flow

 

 
