Several readers have posted comments wondering why the US Mint's online Track Order function has been unavailable for the past several days. The short answer is that this function is a serious security hole in the US Mint's website.
Mint News Blog readers who are members of Coin Network may already be aware of a situation that developed about a week ago. A Coin Network member named Tom had his Ultra High Relief Double Eagle order canceled by an unknown perpetrator. This action was performed using the US Mint's online Track Order function, which allows orders to be viewed and canceled by providing an order number and last name. His order number had been posted in the forum, and his last name had presumably been hunted down online.
I was honestly shocked and disappointed that something like this was possible, and even more so that someone had done it. I removed all other order numbers which users had posted on my sites and did what I could to rectify the situation.
I considered this to be a serious security flaw with the US Mint's website. Collectors often share their order numbers with others to estimate how many coins the US Mint is selling or to attempt to decipher the US Mint's shipping schedule. The US Mint has never indicated to customers that this number should be kept confidential, and last names are increasingly easy to discover online. Something more than these two bits of information should be required to cancel an order.
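As an added illustration (not the US Mint's code, and not from the original post), the sketch below keeps order number plus last name sufficient for a read-only status lookup, while cancellation also requires a one-time token delivered to the email address on file. All function names, the in-memory stores and the sample order are hypothetical, and emailing a token is only one assumed form of "something more".

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the order number, name and email are made up.
ORDERS = {"12345678": {"last_name": "Example", "email": "buyer@example.test",
                       "status": "processing"}}
PENDING = {}   # order number -> SHA-256 of the outstanding cancellation token
OUTBOX = []    # stands in for email delivery to the address on file


def _matches(order_no, last_name):
    """Return the order record if the number and last name agree, else None."""
    order = ORDERS.get(order_no)
    if order is None:
        return None
    same = hmac.compare_digest(order["last_name"].lower().encode(),
                               last_name.strip().lower().encode())
    return order if same else None


def track_order(order_no, last_name):
    """Read-only status lookup: order number plus last name is enough."""
    order = _matches(order_no, last_name)
    return order["status"] if order else None


def request_cancel(order_no, last_name):
    """Does not cancel. Mails a one-time token to the address on file."""
    order = _matches(order_no, last_name)
    if order is None:
        return False
    token = secrets.token_urlsafe(32)
    PENDING[order_no] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((order["email"], token))
    return True


def confirm_cancel(order_no, token):
    """Cancels only when the emailed token is presented; single use."""
    expected = PENDING.get(order_no)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    del PENDING[order_no]
    ORDERS[order_no]["status"] = "canceled"
    return True
```

With this split, someone who knows only a posted order number and a last name can see the status but cannot change it.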
I sent an email to a contact at the US Mint to bring this to their attention. I also touched base with Susan Headley of About.com Coins. She had been aware of this issue for some time and had also reported it to the US Mint. With both of us expressing our concerns, they perhaps realized the seriousness of the issue and took the Track Order feature offline. (You can still call the US Mint by phone for an updated order status.)
Susan Headley describes the situation in detail on About.com Coins. She also discusses a separate US Mint issue related to shipping, which is currently in the spotlight.