Memory To Go risks your Credit Card To Go

By Laurie A. Duncan

Identity theft and the safety of your personal and financial data has been
in the news a lot lately, but this story hits Mac users where it hurts.

Long-time Mac RAM vendor Memory to Go has a serious problem on their hands, which translates into an even more serious problem for you if you buy from them.
Studio2f reports that Memory To Go publishes complete credit card numbers (with billing addresses and expiration dates) on non-encrypted webpages which are easily viewable by not only you but pretty much anyone who bothers to look*.

To make matters worse, even though the vulnerability was brought to their attention by
Jonathan Hudson, a customer (and the man behind
Studio2f) who "forcefully requested " that his card number be removed from their site ASAP, they still haven't secured the data, and they insist that they HAVE TO store the plain-text card numbers so that their accounting people can see it! Surprisingly, according to Hudson, even American Express doesn't seem to care that their cardmember's accounts are at risk.

"Well over 5 hours since I requested they remove my full credit card number, expiration date, name and billing address from their non-encrypted, not secure website.

No go. It's still up. I'm not sure what to do... Amex doesn't seem to care. The vendor isn't doing anything to protect my card, my account or my identity"

This is absolutely insane. I have purchased from Memory To Go in the past, although it's been a few years. I plan to contact them myself and see where they store old order information and if my personal data is at risk due to their insecure practices. I encourage you to do the same. I also encourage you to never buy anything on the internet from a URL that doesn't have https in it.

Thanks to my friend David for the link to this disturbing news.

*Update:  Just to clarify, you can't just go to the URL shown in the picture and see a bunch of credit card numbers. But the numbers are being stored in plain text, which means anyone with access to the server
(legally or otherwise) can see them and do gawd only knows what with them. This is a major major NO-NO
and I think it's even illegal. A commenter on Hudson's article also points this out, that all merchants may be legally required to obscure full credit card numbers on receipts, etc. I have to run for now, but I have an email into an internet security expertI know and am hoping he can shed some more light on this for me. – LD

Recommended