March 31st, 2004

Wall Street Journal: website not so secure?

All mail sent to any address @gammon.com winds up in my mailbox. This means that I routinely get mail that should have gone to addresses @gammonhk.com, gammonindia.com, gammoninsurance.com, gammonrecords.com, gammin.com and a few other places.

Today I got a message from WSJ.com addressed to smith AT gammon.com (not the real address, but it was very clearly lastname AT gammon.com) about my Wall Street Journal subscription. This felt like misaddressed mail rather than spam, so I wandered out to their website.

In the upper left corner of http://services.wsj.com/ there's a box that allows you to log in with your account number, and below that there's a button that says "I don't know my account #".

I clicked that button, expecting that I'd feed it an email address and it would send the information via email to me... that's fairly common, and has allowed me to manage a lot of subscriptions that were misaddressed to @gammon.com addresses.

The screen I got, however, was very surprising. It asked for an email address and a last name. I made an educated guess that the last name was smith, and voila! I now know that a certain Linda Smith at a university in Pennsylvania has a paid subscription to WSJ through 10/6/2004. I can suspend delivery, renew her subscription, change her address, and any one of a myriad of other interesting and potentially troublesome things. All it would take for me to do this for any subscriber would be to guess their email address and last name.

I've fired off email to what would seem to be the logical address for her (@gannon.edu rather than @gammon.com), asking her to please correct the email address. If I wasn't such a nice person...
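The lookup described above, sketched as an added example (not code from the original post or from WSJ): `weak_lookup` treats an email address plus a last name as proof of identity, while `request_recovery` and `redeem` give every caller the same reply and send a single-use, expiring token only to the address on file. All function names, the sample record and the in-memory `OUTBOX` mail stand-in are constructed assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample record; not data from the original post.
SUBSCRIBERS = {
    "jdoe@example.com": {"last_name": "Doe", "account": "000123",
                         "paid_through": "2030-01-01"},
}
GENERIC_REPLY = "If that address has a subscription, instructions were emailed to it."
OUTBOX = []        # stand-in for a mail sender: (recipient, token)
PENDING = {}       # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 900    # seconds a recovery token stays valid


def weak_lookup(email, last_name):
    """The flow in the post: two guessable values act as the credential."""
    rec = SUBSCRIBERS.get(email.strip().lower())
    if rec and rec["last_name"].lower() == last_name.strip().lower():
        return rec  # account details handed to whoever filled in the form
    return None


def request_recovery(email, now=None):
    """Hardened: the web reply never varies; the secret goes only by mail."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    if key in SUBSCRIBERS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (key, now + TOKEN_TTL)  # store only the hash
        OUTBOX.append((key, token))
    return GENERIC_REPLY  # same text whether or not the address exists


def redeem(token, now=None):
    """Exchange a mailed token for the account once, before it expires."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    return SUBSCRIBERS[entry[0]]


if __name__ == "__main__":
    print(weak_lookup("jdoe@example.com", "doe"))
    print(request_recovery("nobody@example.com"))
```

This closes the "guess any subscriber's email address and last name" case. A mistyped address on file still delivers the token to whoever owns that mailbox, which only address confirmation at signup prevents.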