  1. #16
    Join Date
    Aug 2006
    Location
    Vermont
    Posts
    1,414


    Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know I know they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).

  2. #17
    Join Date
    Aug 2006
    Location
    Lubbock, TX
    Posts
    89
    Originally posted by liza:
    Maybe one of you gals with programming knowledge oughtta drop Nashbar a line alerting them to this issue... I know I know they should catch it on their own, but I wouldn't necessarily assume that the customer service rep, or even her supervisor, would take the time to submit a bug report to whomever that sort of thing goes to there. As far as they're concerned, the issue is probably resolved (because Sandra's got her order now).
    I just finished sending an email to the web admin concerning this issue. You're right, the issue probably isn't flying on anyone's radar over there as it should be. And it is likely that the web admin won't even acknowledge the issue because it's probably outside of their area of responsibility.

    I'll wait a day or so to see if a response is received. If not, I may be able to find the time to give them a call and see if we can get through to someone that can address the issue, unless someone beats me to the punch.

  3. #18
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Thank you! The lady that I spoke to was going to pass it along to her supervisor. I hope they get it resolved.
    "Chisel praise in stone; write criticism in sand."

  4. #19
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Originally posted by meridian:
    I caught this once when I sent a link to my friend/co-worker from Nashbar when I was logged in. He replied with something like "sweet thanks.. I can even order it under your account!" I looked, and sure enough, he was logged in as me on his PC and had access to all my account info on Nashbar.... Now I'm very careful about not doing that anymore.
    Well, that IS good to know because for a while I thought maybe this was a little bit crazy and kept wondering if it could really happen! So someone else HAS experienced it!

    I keep wondering now which one of you I was logged in under. I've clicked Nashbar links a lot and it could have logged me in on the first links I clicked and left me logged in ???

    Weird. I'm just happy I discovered it.
    "Chisel praise in stone; write criticism in sand."

  5. #20
    Join Date
    Apr 2006
    Posts
    3,867
    That's pretty scary. However, nowhere on Nashbar is my credit card information stored. It's not in my account information, or in the order status information. (I ordered tires on Monday and I just looked.) So, even if I did log into your account or you into mine, neither of us would be able to order stuff on the other's credit card. The best I could do would be to get your name, address, email and phone number.

    It's not cool to be able to log into someone else's account through a link, but I don't think there was real danger there.

    Karen

  6. #21
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    That's good to know. That's one reason I wanted to post the warning but was also scared to post the details. The lady TOLD me that she had removed my credit card from their account, but I was still scared it was there.

    I was able to see the name, address, phone and email. That is correct.
    "Chisel praise in stone; write criticism in sand."

  7. #22
    Join Date
    Oct 2004
    Location
    Sacramento, CA
    Posts
    747
    Thank you for sharing this, Sandra. That is such monumentally crappy security/programming that it is enough to make me not trust anything else about Nashbar's shopping cart/account system. No way would I enter my credit card over there now after reading this.

    This isn't "user error." This is a company that doesn't know or care enough to protect their users' privacy and financial info.

  8. #23
    Join Date
    Sep 2006
    Location
    Georgia on my mind
    Posts
    131
    I wonder if the info is in a "cookie" on your system? It's a pain to delete all your cookies in IE, but it would confirm if it's on your computer vs. Nashbar. I have ordered from them, and have not seen this issue "so far".
    It's all about the journey (my reason for riding slower)

  9. #24
    Join Date
    Oct 2004
    Location
    Sacramento, CA
    Posts
    747
    No, it wouldn't be a cookie stored in your system -- that would be the RIGHT way to do this. Instead, Nashbar is including the info in a non-encrypted page on their website, so that anyone with the right link can see your account information -- even without logging in as you. That is the only way this could have happened.

    And it's really bad. It's beyond stupid. Websites that store much less sensitive information than addresses and phone numbers and possibly credit card numbers do a better job of hiding private information. See, for instance, Team Estrogen -- if I send you a link to a page in this forum, when you follow the link, you are still logged in (or not) to your own account; you don't see the page the way I see it when I'm logged into my own account. That's the proper way to do things, and I don't even understand how someone at Nashbar.com could have screwed it up so badly. Somebody needs firin'.

  10. #25
    Join Date
    Dec 2006
    Location
    Blessed to be all over the place!
    Posts
    3,433
    Originally posted by sandra:
    and the order was under someone that I've never heard of in another state not even close to me for a billing address and the shipping address was listed as mine with my name.
    Sandra, first I'd like to thank you for the pedals...they arrived today. Second, I'd like to thank you for the European vacation I put on your credit card

    Just kidding. My favorite spyware is free http://www.lavasoft.com/

    I use this one to supplement the virus/spyware that I purchased...
    If you don't grow where you're planted, you'll never BLOOM - Will Rogers

  11. #26
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Originally posted by Mr. Silver:
    Sandra, first I'd like to thank you for the pedals...they arrived today. Second, I'd like to thank you for the European vacation I put on your credit card

    Just kidding. My favorite spyware is free http://www.lavasoft.com/

    I use this one to supplement the virus/spyware that I purchased...
    Have fun. Be sure and at least send me a postcard.

    I have lavasoft in addition to Spy Sweeper. You can't be too aggressive these days.
    "Chisel praise in stone; write criticism in sand."

  12. #27
    Join Date
    Aug 2007
    Location
    PA
    Posts
    176

    Nashbar/Performance Inc:(

    I share your caution with Nashbar. They were purchased a while ago by Performance. At first I loved a couple of their products and shopped the returns section often. Suddenly almost every purchase had a problem. First it was product not in stock after getting a confirmation. Then I had a billing problem with them AND with Performance. I discovered that they were fraudulently overbilling my credit card. It was by $0.01 or $0.05 cents usually. I looked through ALL of my receipts and double checked with credit card statements and found over 25% were overbilled. One was for over $6 on a $20 order.
    I had to file a BBB report as customer service only replied by commenting "What was the reason you were overbilled?" I tried to explain that my receipt and credit card charges didn't match and this happened on two different cards (Citi and Chase). They just stopped responding, my Performance points disappeared and the BBB is trying to get a response from them. I also filed a report with my credit card companies, which immediately issued refunds to me and indicated they were investigating the issue. I lastly notified the FTC as this is illegal activity and Performance Inc is a little arrogant about it. It would have been dropped if they had just refunded the overcharges to me.
    It makes me sad because a couple of their products are exceptional, but I will not do business with them unless I can send a check or use PayPal as they cannot be trusted to bill appropriately to the credit card. Careful!!!

  13. #28
    Join Date
    Jul 2007
    Location
    way down South
    Posts
    1,114
    Another weird thing that happened to me since my order:

    Back when this happened, I logged out of the other person's account. I didn't save a link to Nashbar, so this week I did a google search for "Nashbar" and clicked on Nashbar, it said "hello XXXX" at the top again. I could see what he had in his cart!!

    Yes, it could be cookies on my computer, but on any other site if I log out and go back to the site I am STILL logged out.
    "Chisel praise in stone; write criticism in sand."

  14. #29
    Join Date
    Apr 2006
    Posts
    3,867
    Nashbar got purchased by Performance? That's too bad. I guess that's why it took so long to get the pedals I bought a few weeks ago.

    I know one thing, I've been inundated with emails from both places lately. If Performance is going to be running things, I probably won't be using Nashbar anymore.

    Karen

  15. #30
    Join Date
    Jul 2003
    Location
    Traveling Nomad
    Posts
    6,763
    Originally posted by invsblwmn:
    First it was product not in stock after getting a confirmation.
    I had the same problem with Nashbar -- a pair of shoes in my size showed up as on sale, I got a confirmation, yay, then the next day an email that that item could not be fulfilled. Thank you very much, have a nice day. VERY rare for any online retailer to advertise something on their site and then simply not have it at all (not even by back order). I admit that I've ordered from them once or twice since if I couldn't find something elsewhere or if the sale was amazing, but I'm not crazy about them.

    I'm not happy with Performance automatically renewing my Team Performance membership and charging it to my CC either. I got two emails from them saying they were doing it, and it took three emails to customer service to have the charge reversed. I am sure I am not the only one who finds these kinds of "automatic" charges that we don't even have a chance to opt-in for VERY annoying!

    Emily

    2011 Jamis Dakar XC "Toto" - Selle Italia Ldy Gel Flow
    2007 Trek Pilot 5.0 WSD "Gloria" - Selle Italia Diva Gel Flow
    2004 Bike Friday Petite Pocket Crusoe - Selle Italia Diva Gel Flow

 

 
