BCM Mail Website BIG security issue!

Van Living Forum

Help Support Van Living Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.

Katt

Well-known member
Joined
Feb 21, 2021
Messages
96
Reaction score
16
Just a warning to anyone who uses BCM. Seems like a good service, and I signed up this morning. Already have my new address. But being an IT/tech type, a immediately found a HUGE security hole with that service that they need to fix, and I plan on talking to them about it and maybe even helping them with it if they need help and want it.

First of all, they send you all your login info in an unencrypted email, so the first thing you need to do is change your password. Even worse, they send you a link to log in using unsecure, unencrypted http transport. This means that if you're on public wifi and not on a vpn, anyone with an ounce of networking savvy can see your password and login info right out in the open. They can then log in as you, read your mail, and even see your payment info.

I urge anyone who uses this service or signs up for it to make sure to add the "s" to http in the URL when logging in. So if you add that "s" so it's https:// instead of http:// BEFORE you log in, you should be OK. The site does not redirect to https, but at least it has a valid security certificate, even if it never really gets used. But you'll have to remember that if you follow any links, make sure you're going to https and NOT http.

I opened a ticket with the company in the hopes that they will fix this, as it is a huge liability for them and anyone who uses the service.

K
 
Well, this was the response. Maybe this is not a company I wish to do business with. I find this really sad, that they're willing to just overlook a security issue that WILL bite them in the ass someday, just like it has many others.

Screenshot from 2021-02-25 12-52-54.png
 

Attachments

  • Screenshot from 2021-02-25 12-52-54.png
    Screenshot from 2021-02-25 12-52-54.png
    14.9 KB
To add insult to injury, my husband clicked on the support ticket reply link and was able to read the entire support ticket exchange without ever having logged in to the site and without entering any login info. That means that it's possible anyone can read any support ticket info you've ever sent or received from them. This is really poor business practice and should have been updated over a decade ago.

My intent is not to be a jerk here. This is a real issue for them and their users. It's too bad they just want to blow it off.
 
FACEPALM!!!!

Even worse, changing your password is pretty much useless. Password requirements are terribly insecure, but even worse, when you manually change your password, they then send you your new credentials including the password you just set, in an unsecure, unencrypted email.

Wow. Just wow. I mean, it would be one thing if they were like "Yeah, we know it's an issue and we're trying to fix it or just not sure how," but they're actually arrogant about their unwillingness to update the site and fix these major security holes because "we've been in business 20 years."

Holy crap. This is gonna be a fun ride.
 
Many of their customers don’t care about security as they have little to lose if someone does see their information. Sad but true, as the saying goes you can’t get blood out of a turnip. Cheap mail service is just that. Not really any different than people grabbing information from a physical mail box. There are much more secure means available of communicating than the mail for individuals. Most that are on the road that require that use those instead. In our case physical mail goes through several hands before it gets to us due to our remote location. We are prepared for and used to things happening understanding the risks as anyone should be using a mail service.
 
The fixes are super easy to implement. I just don't want anyone, rich, poor or whatever, to get burned by this. I don't view it as something to take lightly. Hoping there's another service nearby, because I'd like a QS maildrop and one that isn't run by people who don't care about their customers.
 
Escapees club has one you might want to check out. They will forward to any local post office or location.
 
Thank you. I will check them out! Heard of them, but hadn't done much research.
 
Katt said:
Well, this was the response. Maybe this is not a company I wish to do business with. I find this really sad, that they're willing to just overlook a security issue that WILL bite them in the ass someday, just like it has many others.
Yea.... That would definitely be a no thank you response for me. I think if I had received that email, I would reply back to them letting them know that I don't want to be the first casualty.

Sent from my Pixel 3a using Tapatalk
 
Their response seems very unprofessional. Sadly many companies only are interested in their own security.
 
Top