FerrariStore.com E-mail Questions

VERY poor form emailing out username and passwords...pretty much guaranteed they'll never get an order from me.

 

Add another one to the receipt of email list. Had same reaction as most here, although I did save myself the hassle of full fraud alert mode.

Alberto

 

+1 I got the same email. And I replied saying I had not registered.

 

I dont know whether to be happy or bummed, but I didnt get one. So I'm either a loser or Ferrari likes me more than some of you guys, lol.

 

I received it, too.

There goes any chance that I'll ever buy anything from them.


Not happy.

 

If it don't smell right.

I don't eat it.

 

OK stupid question here, what is the problem with emailing a password to the user? Is email that unsecured or is it something else? Just trying to edumacate myself.

-F

 

Out of all of the people who posted in this thread, how many of you remember receiving an email from the Ferrari Owner's Site, a few weeks ago announcing the upcoming opening of the online Ferrari Store Site and that access details would be provided at a later date (which seems to be today)? Here's the announcement email I received (take note of the date):

From: "Ferrari Owners' Site" <[email protected]>
To: ****@*****.com
Subject: Ferrari Owners' Selection
Date: Fri, 08 Aug 2008 12:36:28 +0200

NEWSLETTER
Maranello 8 August 2008

The range of services aimed at Ferrari Owners has been extended with the Owners' Selection, the new dedicated entry point to the FerrariStore.com

Dear Ferrarista,

We are delighted to inform you that henceforth we will be channelling the sales of all Ferrari Limited Edition products through FerrariStore.com, the only official Prancing Horse online store. This change will allow you to choose from an even wider and more diverse range of products whilst still enjoying the convenience of online shopping.

Don't forget that all Ferrari owners are entitled to a 10% discount on purchases from the range. To view the discounted prices, simply go to the My FerrariStore area and log in using the user name and password you'll soon be receiving by email from FerrariStore.com, before preceding with your purchase.

We hope will enjoy this new service.


And today, I received the FerrariStore.com email just like the rest of you, but was not surprised by it because I was expecting it! No, I did not ask or register for it, but, as I understood, because I'm a member of the Owner's site, I'm automatically signed-up for this new Store site (I have bought on the Owner's site before and at the store in person in Las Vegas, so they know who I am ).

Now I admit, I was expecting to be provided with a new ID & PW, but, I figured upon seeing my current info in today's email, they must feel it would be less hassle to just provide the Owner's current info to streamline the function of the site (maybe because it's the same service provider/server?...).

 

Yes, it is unsecured (ie: plain text) and will pass through intermediate servers to get to your inbox.

It is bad idea to send both username and password in the email without prompting them to change it immediately.

Best way to think of email is like sending a postcard to someone.

That is why there are methods to encrypt emails, but it is not widely adopted.

 

+1 me too and NOT impressed.

Subscribed to the www.owners.ferrari.com site some years back and info has been passed to www.ferraristore.com without permission.
E

 

Not impressed either. I leave my details to register to a factory owners site, the next thing some other entity confronts me with my own username and PASSWORD?

Well, with all the action F is taking against infringements regarding their brand and registered trade marks, as well as their intellectual property, they are more than careless with my details.

Very disappointed.

 

Just got it in an hour! Looking OK to me, they might collect these info from my last order or owner's site.

 

I got it also but I think they know my info from ferrariowner site because they use the same psw and that is the only site I have this psw.

mmm........

 

Saw this thread b/f looking at my e-mail inbox.

When I did, I saw I had an e-mail from Ferraristore.com

I simply deleted the e-mail w/o opening it.

Better safe than sorry!

 

Dont bet on it!!!

This is a list that any cons would be very interested in getting their hands on. Profiling at its peak as most owners can be considered pre-qualified. Same goes for service records... I see them passed around with all of the owners data. Folks have to look at this information and protect it far better these days.

Dave

 

Not to scare anyone, but in my case, I have a different situation:

I too got the email today from Ferraristore. Here are my facts. I'm still wrestling with this.
- They sent me a username that is a username I've never used for any website, but it is a valid email address for me
- They sent me a password which has never been associated with the username they sent me, but it is my password for the Ferrari Owners Site
- My username for the Ferrari owners site is not in the format of an email address - it is an 8 character username with no "@" sign in it
- I went to www.ferraristore.com - both my old username/password there (which I've used to buy stuff) and the new one sent today, work to log in
- I went to the Ferrari Owners site - only my old 8 character ID and password (same as new password) works to log me in there. The new ID is unknown.
- I checked my personal info on Ferraristore, and they have my correct address
- I checked my personal info on the Ferrari Owners site, and they still have my old address of 12 months ago, which was the correct address when I bought my F430
- When I bought my F430, I doubt I gave them a password. And I did not give them my current address as I hadn't bought the house yet.
- So where is this info coming from?
- I suspect some is from the owners site (password) and some is from some other database they have: could it be the registration info for the Ferrari California website? I don't know. There was no password there, but they did ask for address and other info, which I would have entered as current
- I have emailed [email protected] to ask where they got the information to create my new account. I will post back if I hear back.
- I also asked [email protected] to not email passwords in clear text (very bad) and to delete my new account. My old one is fine.

Anyone else have this set of circumstances? Clearly something is very wrong here. Thanks.

 

Another interesting thing:
- Since my address is wrong on the owners site, I tried to update it, as I'd like to look at the other personal info they have on me. I can't though - they have some address confirmation tool that keeps rejecting my home address as they have only one zipcode for the city in which I live, and it isn't my zipcode. Nice. Since I can't get past this screen, I can't see what email address(es) they might have for me, to see if one matches the new username at the Ferraristore.

 

One last thing, and I'm done for now:
- I was able to override the address verification and get to the contact info page of the Ferrari Owners site. There, email was selected as my primary method of contact, and an email address for me was poopulated in the form. It is a work email address for me, but not the same work email address that the Ferraristore sent the email to or used for the new username.
- I received an invite to the World Premiere if the California in Santa Monica, and that was sent to the email in the Ferrari Owners site.
- I just checked the "to" on the Ferraristore email, and it was also sent to the email in the Ferrari Owners site.
- So - where did they get the username from? The username in the email does not match the "to" that they sent it to: yet both are valid work emails for me.

This is all very confusing.

 

A few people on this thread have said that it's no big deal that they've been sent an e-mail containing their own password. It is actually a big deal, and here is the reason why:

It should never be possible for a secure site to be able to determine what a user's password is. The very fact that they've been able to do this shows that the passwords are being stored in their database as plain text. And this is a security risk because as many of you will already know, should a hacker be able to get into their database (which would seem likely given their lax approach to security) then they would be able to harvest the usernames and passwords of all users and make some other use of them. I don't know if ferraristore keep credit card details but you can see where this *could* go.

The proper way to store passwords in a database is to encrypt them using something like MD5 encryption. This is a one way encryption technique - meaning that by doing some number crunching on the password you can create the MD5 checksum, but you can't generate the password if you start with the MD5 sum. So the password verification step at login would be to take the password you entered and generate the MD5 sum from it, then compare it to the one in their database which they would have generated when you originally registered. Using this technique the original password is never stored and thus can't be harvested.

So it's a big deal not because someone might have intercepted the password as the e-mail hit several servers on the way to you, but because it points to an insecure approach to password storage and management which could lead to other nasties as already suggested.

 

Add me to the list. I"m really displeased with this as someone who has been the victim of CC fraud overseas. This is completely unacceptable in my view. I sent them an email requesting an explanation as to why usernames and passwords were transmitted unencrypted. No response as of yet. Has anyone else tried contacting them?

 

I got it. Dont even know what it is they may sell there as I did not look.


Either way it will be a long time before I move my business from Ricambi.

 

HOLY SH*T !!!! You're right!!! I'll get worried about it right now.... I might not sleep well again knowing that FERRARISTORE.COM's database might be hacked into and some very old info (in my case, the info is at least 5 years old) about moi might be out there in cyberspace....

RUN FOR YOUR LIVES EVERYBODY!!!!!

 

What, you don't think anyone would find you interesting?

 

It's not about what I think, it's all about you & what you think

I'd hate to take the spotlight from ya, darth

 

Cool, thanks Bart.