Recently there has been a series of Shoppers Drug Mart Optimum Points thefts that were a result of several factors, including people giving out their Optimum account numbers without knowing that is almost enough for their accounts to be hacked into. Although the reasons behind the thefts can be attributed to poor judgment on the customer’s side, I believe there’s a major loophole in the Optimum points system that attracted so many scammers. So I decided to investigate the root of the problem:
Why are Shoppers Optimum points so easy to steal?
First, I analyzed the online login system, which can be .
As a Computer Engineer with more than 8 years of experience in developing (programming) websites, I figured I’d be able to understand the backend and the logical problem behind the system. However, I quickly learned that it doesn’t require backend analysis, or in fact much computer knowledge at all, to see the huge loopholes and problems in the system.
At login, after inputting your Shoppers Optimum Card number, you have 3 options to log in:
- Date of Birth OR
- Postal Code OR
The very simple combination of a Shoppers Optimum Card number and a postal code consists of two things that are relatively easy to get.
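To put numbers on "relatively easy to get", here is a small audit script, added for this article and not anything from Shoppers Drug Mart, that models a login where a known identifier plus any one of several "something you know" values grants access. It rates each accepted factor by the guess space an outsider faces and reports the weakest path, since the login is only as strong as the easiest alternative. The guess-space sizes (a birthday within about a century, roughly 900,000 Canadian postal codes in active use) and the five-attempt lockout are assumptions for illustration, not figures from the program.

```python
"""Audit of a knowledge-based login: an account identifier plus any one of several
'something you know' values. Constructed example for this article; the guess-space
sizes are rough assumptions, not figures published by the loyalty program."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    guess_space: int    # number of distinct plausible values an outsider has to choose from
    discoverable: bool  # routinely visible to others (receipts, mail, social media)


# Assumptions: any birthday within roughly a century; about 900k Canadian postal
# codes in active use (the syntactic space of the A1A 1A1 format is much larger).
DATE_OF_BIRTH = Factor("date of birth", 36_525, discoverable=True)
POSTAL_CODE = Factor("postal code", 900_000, discoverable=True)
# A user-chosen 8-character password from a 62-symbol alphabet, for comparison only.
PASSWORD_8 = Factor("8-char password", 62 ** 8, discoverable=False)


def guess_bits(factor: Factor) -> float:
    """Entropy an outsider faces when guessing this factor blind."""
    return math.log2(factor.guess_space)


def weakest_path(alternatives: list[Factor]) -> Factor:
    """When any one of several factors unlocks the account, the login is only as
    strong as the easiest one to guess."""
    return min(alternatives, key=guess_bits)


def blind_guess_success(factor: Factor, attempts_per_window: int) -> float:
    """Probability that someone who knows nothing about the holder hits the right
    value before a per-account lockout stops them (attempts / guess space)."""
    return min(1.0, attempts_per_window / factor.guess_space)


def audit(alternatives: list[Factor], lockout_after: int) -> dict:
    """Summarise the weakest accepted factor and which factors are not really secret."""
    weakest = weakest_path(alternatives)
    return {
        "weakest_factor": weakest.name,
        "bits": round(guess_bits(weakest), 2),
        # Factors printed on receipts or mail give ~0 bits against anyone who has seen them.
        "discoverable_alternatives": [f.name for f in alternatives if f.discoverable],
        "blind_success_per_lockout": blind_guess_success(weakest, lockout_after),
    }


if __name__ == "__main__":
    report = audit([DATE_OF_BIRTH, POSTAL_CODE], lockout_after=5)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("password for comparison:", round(guess_bits(PASSWORD_8), 1), "bits")
```

Two things stand out from the output: the date of birth path offers only about 15 bits even to a complete stranger, a third of what a short random password gives, and both accepted alternatives are marked discoverable, meaning that against someone who has seen a receipt or a piece of mail the effective secret is close to nothing. Per-account lockout bounds blind guessing but does nothing about the second problem; only a factor the customer actually keeps secret does.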
Another potential weakness in the system: the Shoppers Optimum Card number is not really a secret. Although Shoppers Drug Mart is finally starring out the Optimum number on receipts, it didn’t do that in the recent past. And unlike credit cards, I never personally felt or treated my Shoppers Optimum Point Card number as a secret. I think many people share the same feeling, and have operated the same way.
Furthermore, customers don’t feel secure entering their date of birth on the website. Unfortunately, it’s just a very poorly designed website login system.
And a weak system leaves the door open for scamming and social engineering, the art of manipulating people into performing actions or divulging confidential information.
One Shoppers customer recently provided, on the Shoppers Facebook Fanpage, a nice illustration of what’s at stake and how easy it is to become the victim of Optimum Point theft:
I have many different cards in my wallet and I really do appreciate the Optimum Points program. However even though I have not given out my card number to anyone, I am very aware that the simple act of leaving my Optimum card on the counter or losing my wallet means that the points could be gone in the blink of an eye. No identification whatsoever is required to use the card and just a postal code is sufficient to access my account. For those whose cards have 350,000 points on them it is like carrying close to $1,000 cash in your wallet. Not something most of us would do….