About two years ago my dad lent me his credit card so I could buy a PC from BestBuy.com. We entered all the information: address, credit card number and the 3 security numbers from the back of the card (CVV). The purchase was made and I got my computer in less than a week.
Some time later I got my own debit card, which I used to make all my purchases (BestBuy.com, Amazon, eBay, PayPal…). For more than a year I’ve had my card and I have never had any trouble with it. I use it to buy in stores, pump gas, at restaurants and online, and for every purchase I’ve made, my banking app has always been up to date.
A little more than a month ago I decided to take advantage of the Black Friday offers and I bought about 100 dollars in video games and a controller. The weird thing? I didn’t get charged on my card. At the beginning I thought the charge was taking so long because of the huge amount of purchases made on Black Friday, so it would take maybe a day to go through, but after 5 days I knew something was wrong. At that time I had my money, and like 400 from friends that wanted some stuff bought with my card, so I even thought I had “misplaced” those 100 bucks. After two weeks I decided to buy a PlayStation 4 for a little more than 400 dollars. I added the item to my shopping cart and since my card was already saved I only had to put in my security code (CVV) “359” (an example). The order was accepted, the payment was validated and I got an email with the tracking number, but once again my card was not charged (it was impossible I would misplace 400 dollars on my debit card).
After a week, I became suspicious: how could Best Buy, a technology giant, give away more than 500 dollars by mistake? After carefully going through all the buying process I was able to come across some frightening stuff:
For all this time Best Buy had been charging my dad’s credit card, and I did not notice this because for all the purchases I made I was entering the security code from my debit card, which is totally different from the one that my dad has.
I contacted BestBuy.com and after almost an hour and a half with several representatives they could only give me 2 possible scenarios: that it was IMPOSSIBLE that their payment system accepted any 3 random numbers as a valid CVV, or that my dad’s credit card was defective and he must contact his bank ASAP to fix that.
I also talked with a VISA representative and they told me that for them to complete a sale online the merchant must ask the buyer for the security code and that they should not keep a record of them.
The tests I made:
Test 1: I bought something on BestBuy.com with my dad’s credit card, and when they asked for the CVV I entered “123” (which is not his code, my code or, I think, anybody’s security code). The order was placed and my package is on its way.
Test 2: To know if my dad’s card is the problem, I placed an order with my own debit card (debit and from a different bank), which was also saved on my BestBuy.com user. When it asked me for my CVV I entered “123” (again). The order was placed and my package is on its way.
This is unbelievable because Best Buy keeps on their servers your address, name, telephone, credit card number and the security code (CVV), so somebody could access your BestBuy account, make all the purchases he wants and send them all across the US. The second scary thing is that they could get hacked (like it happened to Target and Hannaford Brothers), and the hackers could get access to what makes your card “safe” to use just because that information is stored on a BestBuy server.
I still haven’t gotten any answer from Best Buy about this security issue with their site and the way they manage personal information.
What do you think? Should a store chain store that much personal information on their servers?