January 4, 2008
Want to know what a given customer has purchased from Sears? It's surprisingly easy to find out. Here's the procedure:
1) Go to the Sears "Manage My Home" site, www.managemyhome.com. Create an account and sign in.
2) On the Home menu, choose Home Profile. In the Search Purchase History section, choose Find Your Products.
3) Enter the name, phone number, and street address of the customer whose purchases you wish to view. Press Find Products.
Sears then displays all purchases its database associates with the specific customer -- typically major appliances and other large purchases. See examples from Washington, DC, Brookline, Massachusetts, and Lincoln, Massachusetts.
[Figure: The information required to retrieve a customer's purchase history]
[Figure: A customer's purchase history - showing specific items and purchase dates]
Sears Fails to Protect Customer Information
Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history by entering that person's name, phone number, and address.
To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address -- all information available in any White Pages phone book.
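As an added illustration (not Sears's code; the records, receipt codes and lockout threshold are constructed for the example), the two designs side by side: the ManageMyHome-style lookup that accepts only phone-book data, and a hardened lookup that also demands a receipt code, one of the proofs of purchase suggested above, compared in constant time and capped on failed attempts.

```python
import hmac
from dataclasses import dataclass


# Hypothetical purchase records, constructed for this example; not Sears data.
@dataclass(frozen=True)
class Purchase:
    customer_name: str
    phone: str
    address: str
    item: str
    date: str
    receipt_code: str  # printed on the paper receipt; only the buyer holds it


PURCHASES = [
    Purchase("Jane Doe", "617-555-0100", "1 Main St", "Washer", "2007-03-14", "RCPT-4F9K2Q"),
    Purchase("Jane Doe", "617-555-0100", "1 Main St", "Dishwasher", "2007-11-02", "RCPT-7M3X8B"),
    Purchase("John Roe", "617-555-0199", "9 Elm Ave", "Refrigerator", "2006-06-30", "RCPT-2P6L1N"),
]

MAX_FAILED = 5  # assumed lockout threshold for this example
_failed = {}    # (name, phone, address) -> count of wrong receipt codes


def _norm(s):
    return " ".join(s.lower().split())


def _match_public(name, phone, address):
    want = (_norm(name), _norm(phone), _norm(address))
    return [p for p in PURCHASES
            if (_norm(p.customer_name), _norm(p.phone), _norm(p.address)) == want]


def lookup_weak(name, phone, address):
    """ManageMyHome-style check: every input is public, so the caller never
    proves they are the customer. Returns (item, date) pairs."""
    return [(p.item, p.date) for p in _match_public(name, phone, address)]


def lookup_hardened(name, phone, address, receipt_code):
    """Same lookup, but the caller must also present the receipt code of one of
    the customer's own purchases. Wrong or missing codes get the same empty
    answer as an unknown customer, and repeated failures lock the record."""
    key = (_norm(name), _norm(phone), _norm(address))
    if _failed.get(key, 0) >= MAX_FAILED:
        return []  # locked; in production, alert and route to support
    candidates = _match_public(name, phone, address)
    proven = any(hmac.compare_digest(p.receipt_code, receipt_code) for p in candidates)
    if not proven:
        _failed[key] = _failed.get(key, 0) + 1
        return []
    _failed.pop(key, None)
    return [(p.item, p.date) for p in candidates]
```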
These Disclosures Are Contrary to Sears's Explicit Promises
Sears's Privacy Breach in Context
Sears's exposure of customer purchase history fits within a long history of unintended web site disclosures. For example, in October 2000 I showed that Buy.com's return system was revealing customer names, addresses, and phone numbers at publicly-available URLs. But Sears's disclosure is more troubling: Sears discloses the specific products users purchased. Sears's disclosures apply to all users, not just those who return products. And Sears's disclosures come some 7+ years after Buy.com's breach -- a period of great advance in online security.
The combination of data Sears provides could open the door to serious harms to Sears customers. ManageMyHome reports the specific products customers purchased, as well as the dates of each such purchase. With this information, a miscreant could approach a customer and pretend to be a Sears representative. Consider: "Your washing machine was recalled, and I need to install a new motor." Or, "I'm here to provide the free one-year check-up on your dishwasher."
Assessing Sears's IT Strategy
The ManageMyHome site offers some useful services: consolidated information about dates of purchase, a clear listing of warranty status, and easy links to product manuals. Sears touted these benefits in its recent coverage of ManageMyHome.
But as soon as Sears resolved to provide online access to customers' purchase histories, Sears staff should have recognized the need to determine which users are truly authorized to see this information. Sears's failure to effectively authenticate users is therefore puzzling. Did Sears staff fail to notice the problem? Decide to ignore it when they couldn't devise an easy solution to protect users' purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?
I wrote to Sears ManageMyHome via the addresses on their Contact Us page. To their credit, they responded quickly (less than ninety minutes). However, their reply does not address the seriousness of this situation. Their reply follows:
"We appreciate that you have a security concern. Thank you for taking the time to share your comments with us. We appreciate hearing feedback from our customers, and will pass this information to the appropriate area to research."
Update (January 4, 5pm): Sears has disabled the search feature described above. Attempts to retrieve a purchase history now yield the message "We're sorry, this feature is currently disabled."
Thanks to an anonymous contributor, using pseudonym Heather H, for the tip that led to this article.