Category Archives: Numbtastic

Stupid stuff.

Careful with that FedEx account number

Taken from RISKS Digest 24.43:

Date: Wed, 20 Sep 2006 10:45:49 -0700
From: Matt Wilbur <matt@efs.org>
Subject: Careful with that Fedex account number

Sending packages with Fedex is now easier than ever, thanks to the fedex.com website. Unfortunately, it’s too easy. In most cases, if you know a company’s account number, you can send whatever you like using the site, assuming you have a pulse, a browser, and access to the Internet.

We recently had an angry ex-employee use our account number to send multiple small dollar amount packages all over the place. The dollar value was too low for the authorities, and it was really just a nuisance. Our “Fedex person” called Fedex to stop this, and customer service told her the only way was to change our account number. This would be painful, so we sent him letters telling him to stop. It didn’t. We called Fedex again, this time asking for security, using words/phrases like “fraud,” “theft,” and “you will have to pay when we reverse the charges.” We didn’t get anyone from Security, but they did begin to listen.

After being bounced around at fedex, we learned the following:

  • Unless you take specific action (enable and configure Shipping Administration for your account within Ship Manager on the website), anyone on the planet can create a fedex.com account, associate it with your account number, and ship whatever, wherever they want, third party included.

  • There is no way, even with shipping administrator, within fedex.com, to view the logins associated with your account. We had to call and insist on a list – for “security” reasons they could not email or otherwise send us a list, but were able to tell us logins, names, last login, and email of active accounts.

After setting up Shipping Administration, we verified that this ex-employee (or anyone else we don’t approve) can no longer set up a new login and associate it with our account.

After about an hour on the phone, we were able to get his login deleted (and learn all of this additional information about their system).

Risks? For Fedex? Not defaulting to a more secure configuration (like, want to use fedex on the web? First sign-in associated with that fedex account must set up “Shipping Administrator” to prevent unauthorized use). Building an application with all the shipping capabilities imaginable available, and very little for the account holder to manage access and security. Not having a security contact or phone number listed, or accessible by calling in to customer service. Money lost to fraud by abuse of this system.

For the Fedex user? Giving your fedex account number to third parties who may ship things to you, unless you know and trust them, and trust their handling of your account number. Not watching your bills closely. Signing up for and using a service that, when you think about it, is far too easy to use to have any built-in safety.

They do more than just protect you…

One of my co-workers called me over to his desk this afternoon to show me an e-mail thread that had been bouncing around between a few of his family members. It went something like this:

Original E-mail:

Save those old phone bills!

If you can’t access those articles for some reason, you can Google phone tax Spanish and get several articles that tell about the decision to end the 108-year-old tax that had been implemented to help pay for the Spanish-American war.

Bottom line – you may be able to get refunds on taxes paid. 3% – may be worth it to you. I don’t know how much hassle will be involved.

According to the USA Today article, you can file for refunds back to 3/1/03 (2003, not 1903).

Response #1:

Crap! I just shredded all of those.

Response #2:

Call up NSA – they should have the records [VBG]

Werd. I love the Internet.

A little bit of my inner child just died…

Go to LEGOS.com. Right now. Go ahead…I’ll wait. OK, back? Good. After nearly three decades of knowing and loving LEGOS as, well, LEGOS, the LEGO Group Companies have to go and destroy a little bit of my inner child:

The word LEGO® is a brand name, and is very special to all of us at the LEGO Group Companies. We would sincerely like your help in keeping it special. Please always refer to our products as “LEGO bricks or toys” and not “LEGOS.” By doing so, you will be helping to protect and preserve a brand of which we are very proud, and that stands for quality the world over. Thank you!

Bugger off, LEGO Group Companies, I do believe I’ll continue to call my LEGOS LEGOS. And so will every other kid on the face of the planet that doesn’t know what ® means.