Attention Shoppers Drug Mart: Simple solution to Optimum Points theft
Recently there has been a series of Shoppers Drug Mart Optimum Points thefts that were a result of several factors, including people giving out their Optimum account numbers without knowing that is almost enough for their accounts to be hacked into. Although the reasons behind the thefts can be attributed to poor judgment on the customer’s side, I believe there’s a major loophole in the Optimum points system that attracted so many scammers. So I decided to investigate the root of the problem:
Why are Shoppers Optimum points so easy to steal?
First, I analyzed the online login system, which can be
found here.
As a Computer Engineer with more than 8 years of experience in developing (programming) websites, I figured I’d be able to understand the backend and the logical problem behind the system. However, I quickly learned that it doesn’t require backend analysis, or in fact much computer knowledge at all, to see the huge loopholes and problems in the system.
At login, after inputting your Shoppers Optimum Card number, you have 3 options to log in:
- Date of Birth OR
- Postal Code OR
- Password
The very simple combination of Shoppers Optimum Card number and postal code are two things that are relatively easy to get.
Another potential weakness in the system: the Shoppers Optimum Card number is not really a secret. Although Shoppers Drug Mart is finally starring-out the Optimum number on receipts, it didn’t do that in the recent past. And unlike credit cards, I never personally felt or treated my Shoppers Optimum Point Card number as a secret. I think many people share the same feeling, and have operated the same way.
Furthermore, customers don’t feel secure entering their date of birth on the website. Unfortunately, it’s just a very poorly designed website system.
And a weak system leaves the door open for scamming and social engineering, the art of manipulating people into performing actions or divulging confidential information.
One Shoppers customer recently provided a nice illustration of what’s at stake and how easy it is to become the victim of Optimum Point theft on the Shoppers Facebook Fanpage:
I have many different cards in my wallet and I really do appreciate the Optimum Points program. However even though I have not given out my card number to anyone, I am very aware that the simple act of leaving my Optimum card on the counter or losing my wallet means that the points could be gone in the blink of an eye. No identification whatsoever is required to use the card and just a postal code is sufficient to access my account. For those whose cards have 350,000 points on them it is like carrying close to $1,000 cash in your wallet. Not something most of us would do....
All Shoppers Drug Mart developers needed to do to prevent this situation was require what almost every system in the world has right now: an email address and password to log into the Optimum system. And for recovery of a lost Shoppers Optimum login password, an email would simply be sent to the customer’s email address on file. I’m really not proposing anything unusual or out of the ordinary here. I’m suggesting that Shoppers use a system that has been tested and is known to work properly. Facebook, Twitter, Google Services, Best Buy—and many others—all use this type of login mechanism.
Shoppers Drug Mart, your developers created a system that is vulnerable to social engineering and scams. If not corrected, it will continue to result in a lot of angry customers and you will spend a lot of money on customer support trying to fix problems and catch scammers. I humbly suggest doing yourself and your customers a favour: hire a good web development team and fix the Shoppers Optimum login interface to prevent further problems.