Dear Walmart: Your Online Security Blows
Gather around kids, this is gonna be a fun one. I might even get sued, finally. Yay!!1
Recently, on some random news station, I heard about Walmart’s new “Money Card” which is nothing more than a prepaid Visa card. Just like any other such card, it has a website where you can check your balance, add funds to your account, etc. Alternatively, you can have your account information stolen, be exposed to hardcore XXX porn, or line the pockets of a bottom-feeding douche bag while trying to reach the site. Why? Because Walmart, just like most companies, is nothing short of retarded when it comes to internet security and protecting their brand in the online world.
Yeah, so what? I said that all those evil evil bad bad things could happen to a person while trying to reach the site. I never said that they’d actually make it there. Your good ol’ Uncle Buck or Aunt Charlene who’s not too savvy on that there interweb, but falls perfectly into the demographic of folks who would have a Wally World prepaid money card, is likely to mistype the web address. That’s why any security-minded company who wants to protect their customers and brand’s image would / should at the very least register all of the most common typo domains when setting up shop on a new domain – especially if it’s a financial kinda deal. In Walmart’s infinite wisdom, they did no such thing.
After hearing about this new Walmart card and the accompanying website, I checked to see if they had registered and were forwarding over traffic from one of the most common typos: the full web address prefixed with a “www”. Typing out “www” and then forgetting or simply missing the dot afterwards is commonplace among eTards and fast typers. Sure enough, wwwwalmartmoneycard.com was wide open. So, I registered it. Just for good measure, I went ahead and registered almartmoneycard.com today too. Missing the first letter of a domain is also pretty common. Luckily for Wally World, I snagged those domains with the sole intent of using them as an example for this blog entry. This could have played out much differently…
Stealing Account Information
It’d be super easy to setup an identical spoof website and steal account information when people try to login. After entering in their account info, I’d bounce their asses through a couple url forwards and plant them on the real site’s login error page. They’d think that they simply mistyped something (Yay! Irony) and reenter their info. In other words, I’d steal their login info, they’d never be the wiser, and Walmart would have no idea why people kept going directly to their login error page. I’d go into more details about how to pull this off without getting caught, but I’m not looking to draw a road map to success for any would-be asshats.
Don’t even start in with that lame “you couldn’t do anything with just the account numbers and expiration dates” nonsense. Even if I didn’t log into the accounts to get their names and whatnot, I could cash in on those puppies. And if I wanted to be super evil about the whole thing, I could add a field for their PIN numbers on my fake login page and literally cash in on those card numbers at ATMs. It ain’t no thang but a chicken wang to slap card numbers on some blank cards.
Trashing Walmart’s Brand
If I was a disgruntled ex employee, hated Walmart for “shutting down my business”, or simply wanted to screw with them for having bathrooms that smell like piss there’s a ton of stuff I could do with those domains. Slap visitors in the face with some hardcore gay anal porn, post anti-Walmart propaganda, redirect all the traffic to Target’s website, etc… Uncle Buck and Aunt Charlene couldn’t care less about all the technical details. They’d be “madder than hell” at Walmart if they got their eyes full of two grown men playing hide the submarine when they “went to Walmart’s website”.
Lining your pockets when outright theft isn’t your thing
The last option worth mentioning is what most likely would have ended up on those domains if I hadn’t grabbed them. Domain squatting (call it “cybersquatting” if you must, lamer) is a very real business in the gray market. Lame-tards register tons of domain names and typo domains and slap domain parking pages up. Typically, these pages are plastered wall-to-wall with text ads related to the domain name. Whenever someone visits one of these pages and clicks an ad, the owner of the domain makes anywhere from one cent to a couple of bucks depending on the page’s niche / ad type. Since credit card / financial ads pay well, the domains I have would be perfect for this.
Using the domains in such a fashion is pretty much harmless to the real site that you’re leaching off of. Uncle Buck will likely get that goofy look on his face as he clicks an American Express ad in hopes of finding Walmart’s site, but no kittens will be harmed. Regardless, there’s no excuse for a large company to allow douche-nozzles to be leaching off of them in this way. There are legal steps that can be taken to get domains from such people.
So, who’s at fault for this crap?
The only reason I’m picking on Walmart is because their site is new and I happened to see that news report. Tons of other companies are equally retarded when it comes to this stuff. Capital One, Discover Card, and countless others currently have lame-tards making money with domain parking pages sitting on the “www” prefixed versions of their domains and other typos. And, Walmart people aren’t the geniuses behind the Walmart Money Card. Their cards / website is all being taken care of by a third party: Green Dot – hereinafter to be known as the people Walmart is pissed at for making them look like retards.
The guys who should be blamed the most for this kinda stuff in general are the domain registrars: GoDaddy, et al. They should have systems in place to flag all domain registrations that have a trademarked name in them or begin with “ww” so that they require human review before the would-be owner gains possession of the domain. Domains like almartmoneycard.com would slip past such systems, but simple shit like this would still help out overall internet security health a bit.
I shit you not… After registering the “www” prefixed domain there was an issue. After setting up the DNS to point at my server space, it never resolved (started working). My host guys said that it was a “problem at the registrar level”, so I had to call GoDaddy to get it straight…
Which domain are you having these problems with?
W-W-W-W Yeah, four W’s… And then A-L-M-A-R-T-M-O-N-E-Y-C-A-R-D dot com.
So, it’s three W’s and then Walmart Money Card dot com, right?
Can you hold on one minute for me?
*totally expecting a manager to get back on the line and drill me about my planned use for the domain*
Hey, Mr. Williams… It looks like a server-side issue. Everything is working fine on this end.
That’s a paraphrase but I swear to strippers and one dollar bills it went down just like that. Shame on you GoDaddy. Oh yeah, please don’t screw with my domains over this blog entry :P
It doesn’t matter who’s really to blame. When you have an international brand / image and customers to protect, whoever people perceive to have screwed up is responsible. So, I repeat…
Dear Walmart: Your online security blows.
P.S. You can’t have the typo domains that I registered. Sue me, I dare ‘ya. The next thing I’ll teach you about is a neat little thing called “fair use”.