Spam emails from the club

Comments

  • cafcfan
    cafcfan Posts: 11,206
    Okay, just to add to the story. Mrs cafcfan received just the one email with her correct reference number/user name but an entirely different password. I received two emails. One had a new (to me) user name but my actual password. The other had my original user name but an entirely new password. Confusing or what?
  • Splodge
    Splodge Posts: 514
    I got three different e-mails, all with different log-in details to my actual log-in details.
  • stonemuse
    stonemuse Posts: 34,072
    edited September 2016

    I've not got one either, must be the protest shirt I wore Saturday :smile:
  • soapy_jones
    soapy_jones Posts: 21,398
    I got an email.

    I replied "Please do not contact me until the Belgians have left!"

    "Charlton fan of 47 years"

    Of course that was un-returnable but I got a jolly out of typing it.

    More worrying is the pleading email from Peter Garston "Defend Our Den"... when did I sign that petition and what was I under the influence of at the time?
  • I've not received anything from the club in over a year.

    Praise the Lord!
  • IdleHans
    IdleHans Posts: 10,995
    edited September 2016
    My two emails had my name on them, one in full form, the other in its diminutive. I suspect the second one was set up in frustration with the original CAFC registration system, which lends weight to the club's explanation in this instance.
  • LuckyReds said:

    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

    It is the club.
    All downhill since you left.
  • Splodge said:

    I got three different e-mails, all with different log-in details to my actual log-in details.

    I think I've cracked it.

    Katrien wants everyone to buy their ticket on-line.

    By doubling and in some cases triplicating the same database entry the company responsible for managing this can report back to her with up to three times the real number of fans entered onto the ticket ordering database.

    Great progress, original target more than handsomely overtaken,
    Result.
  • rikofold
    rikofold Posts: 4,051

    rikofold said:

    I've had one.

    It's addressed to me but I'm not happy that it has my password, that I use for almost everything, written in plain text.

    That is a big no no and asking for disaster.

    Forward it unedited to me and I'll sort it out for you...
    Username:
    A2TR

    Password:
    R1ch1sATw@t
    Same as my password :wink:
  • Off_it
    Off_it Posts: 28,920
    I got three.

    Different account numbers, different passwords.

    Used one to order a block of season tickets and have been sent a blow up doll instead.

    Handy.

  • Chizz
    Chizz Posts: 28,355
    Everyone seems to be getting a set of wrong details, but for some reason I've been left out. So if anyone has a spare set of wrong details, can I have them?
  • No emails but I rang up to buy 7 Oxford tickets today and was told I had 4 records in my name on their system.

    When they said tickets were still on restricted sale of two per person so I'd need to provide details of others I asked why can't I buy 2 tickets under each of my entries? He didn't get the joke but very efficient service.
  • bobmunro
    bobmunro Posts: 20,899

    LuckyReds said:

    Erhh... There should be no reason they could even access a plain-text version of ANYONE's password, let alone transmit it via email. This is basic development 101, I'd reprimand even a junior developer if I saw any application whereby user authentication credentials were stored in plain-text. The erroneous emailing of them is completely and utterly unforgivable though, and I would imagine a severe DPA breach.

    Second question; if anyone has bought tickets recently, do the payments go via the CAFC site or via a third party payment gateway? If they handle payments directly, then I would imagine storing user login credentials in plain-text may cause a compliance issue with PCI-DSS? (As I think that extends beyond the storage of payment details, and into the security of any system which handles payments; if anyone here works in compliance perhaps they could shed some light on that?)

    Alas, I understand that this isn't actually the club - but most likely their vendor. But still... WTF?

    It is the club.
    All downhill since you left.
    That reminds me - my grandfather had a chronic bad back and the doctor said put duck fat on it - didn't work - he's been going downhill fast ever since.
  • Missed It
    Missed It Posts: 2,735
    Received my email from the club. No idea where they got the username from but I was very childishly pleased to see the club send me an email which includes the password rolandblowsgoats!!
  • MrOneLung
    MrOneLung Posts: 26,906
    Did anyone try and log in with the details they were sent?
    Did they work?
  • MrOneLung said:

    Did anyone try and log in with the details they were sent?
    Did they work?

    Yes...



  • LuckyReds
    LuckyReds Posts: 5,866
    No acknowledgment that sending passwords in plain-text by email was staggeringly stupid though.
  • MrOneLung
    MrOneLung Posts: 26,906
    The regime are the gift that keeps on giving.