Dianping breach-of-trust scandal:
My account: I usually go online at home or at the office, and I generally pay by swiping a bank card; I never dared to keep money in my Dianping account. But this time, during the Spring Festival, I returned a 79 yuan voucher. Thinking that since I always buy things on Dianping I would trust it this once, I had the refund paid straight into my Dianping account balance.
Because it was the Spring Festival and I was busy with a string of relatives, I did not get around to going back on Dianping for several days. About three days in, the phone number bound to my Dianping account received a text message ("your refund has been returned to your account"). I thought that was quite a considerate reminder, and planned to spend the balance a few days later.
Then, almost a week after the money had been returned to my account, I got up one day wanting to go on Dianping, and found that the money in my Dianping account had been spent the day before. (And I had been busy all of yesterday and had not logged in to Dianping.) Even stranger, the mobile number bound to my Dianping account had also been changed. How incredible is that? (Even my girlfriend and I do not know each other's account details.)
First, let me describe Dianping's purchase flow. A spending reminder is sent to the bound phone, with content like (your voucher so-and-so was used at such-and-such place at such-and-such time).
And the thief knew Dianping's process very well. He not only logged in to my account; he knew that even after spending my money, using a voucher would still send me a reminder. I would have rushed over to find out what was going on, or called the police. So he not only logged in to my account, he also changed my mobile number at the same time, so that my phone would not receive any alerts for yesterday's purchases. A clever thief.
So it is either a very clever hacker, or one of their own technicians.
Loophole 1: After buying a voucher, when you click to send it by text message, it first shows my default bound phone number, displayed in full for anyone to see. (And on Dianping, when you change the phone number, you have to fill in the original phone number.) So once it was modified, I no longer received the SMS spending alerts when the thief used the voucher.
Loophole 2: Changing the bound phone is far too easy. As long as you fill in the old bound phone, you can change it to a new one; there is not even a verification code sent to the old phone to confirm it. That means a hacker who sees my phone number in the data can change my bound phone. (If a verification code were sent at modification time, then even if the hacker saw my phone number he could do nothing without the verification code on my phone.)
Loophole 3: As long as a customer calls and asks to change the phone number, and gives the three most recent purchases, customer service will change the phone number within two days. (Even a hacker, having logged in to the account, can look up the three previous purchases on the computer, and then you help him change it?)
Loophole 4: I generally use Dianping at home and at the office. First of all, Dianping is now a site where cash can be deposited, the same as a bank's website. How can it so casually use cookies and sessions to save the login and set up a month of password-free login? Even if I turn off my computer in my office, someone else can turn it on, be logged in automatically, and spend my money at will. Can a bank set up a month of no-login like this? Banks cannot have this kind of password-free login function. If Dianping were not a site holding deposits but just one for browsing information, then it could have this long-term no-login function, but Dianping is a site where accounts can hold deposits (and as long as you are logged in, you can freely spend the money in the account). So the loophole should be plugged: even if the login is saved, a month without logging in should only allow browsing of non-sensitive information; even if you can see what was bought, you should not be able to see the voucher password, and when buying with money in the account, a verification code should be sent or the password required to log in again.
Since money can be deposited in the account, you should guard your customers' property as closely as a bank does. You cannot let your guard down over customers' property just because the amounts kept there are small.
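The two fixes the post asks for in loopholes 2 and 4 (a verification code to the old phone before a bound-number change, and a fresh authentication before spending from a remembered session) amount to step-up authentication for sensitive actions. The following is an added illustration, not Dianping's code and not the author's; the account store, the SMS gateway, the ten-minute freshness window and all identifiers (`Account`, `Session`, `change_bound_phone_weak`, `request_phone_change`, `confirm_phone_change`, `spend`) are assumptions constructed for the example. It places the weak flow described in loophole 2 beside a hardened one and shows a long-lived "remember me" session being refused when it tries to spend balance.

```python
import secrets
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed, in-memory stand-ins for an account store and an SMS gateway.
# This is illustrative code only; it models the flows the post describes.

SMS_OUTBOX = []  # (phone, text) pairs "sent" so far, so a test can inspect them


def send_sms(phone: str, text: str) -> None:
    SMS_OUTBOX.append((phone, text))


@dataclass
class Account:
    user_id: str
    bound_phone: str
    balance: int                         # stored value in yuan
    pending_otp: Optional[str] = None    # OTP issued for a pending phone change


@dataclass
class Session:
    account: Account
    authenticated_at: float              # last time a password/OTP was actually entered
    remember_me: bool = False            # long-lived cookie, as in loophole 4


FRESH_AUTH_WINDOW = 10 * 60  # seconds; assumed window for "recent" authentication


class StepUpRequired(Exception):
    """The caller must re-enter a password or an OTP before this action proceeds."""


def change_bound_phone_weak(acct: Account, old_phone_claimed: str, new_phone: str) -> bool:
    """Loophole 2 as the post describes it: knowing the old number is enough.
    Anyone who can read the bound phone off the page (loophole 1) can redirect
    every later alert to a number they control."""
    if old_phone_claimed != acct.bound_phone:
        return False
    acct.bound_phone = new_phone
    return True


def request_phone_change(sess: Session, now: float) -> None:
    """Hardened step 1: demand a fresh login, then send an OTP to the OLD phone."""
    if now - sess.authenticated_at > FRESH_AUTH_WINDOW:
        raise StepUpRequired("re-authenticate before changing the bound phone")
    otp = f"{secrets.randbelow(10**6):06d}"
    sess.account.pending_otp = otp
    send_sms(sess.account.bound_phone, f"Your phone-change code is {otp}. Ignore if not you.")


def confirm_phone_change(sess: Session, otp_submitted: str, new_phone: str) -> bool:
    """Hardened step 2: the OTP delivered to the old phone must come back.
    An attacker who only read the number off the page cannot complete this."""
    acct = sess.account
    if acct.pending_otp is None or not hmac.compare_digest(acct.pending_otp, otp_submitted):
        return False
    old_phone = acct.bound_phone
    acct.bound_phone = new_phone
    acct.pending_otp = None
    # Tell the OLD number as well, so the real owner still learns of the change.
    send_sms(old_phone, f"Your bound phone was changed to {new_phone}.")
    return True


def spend(sess: Session, amount: int, now: float) -> int:
    """Loophole 4 hardened: a remembered session may browse, but spending stored
    value requires a recent real authentication (step-up), as a bank would insist."""
    if sess.remember_me and now - sess.authenticated_at > FRESH_AUTH_WINDOW:
        raise StepUpRequired("enter password or OTP to spend account balance")
    if amount > sess.account.balance:
        raise ValueError("insufficient balance")
    sess.account.balance -= amount
    send_sms(sess.account.bound_phone, f"{amount} yuan spent; balance {sess.account.balance}.")
    return sess.account.balance
```

The point of the split into `request_phone_change` and `confirm_phone_change` is that the secret needed to finish the change travels only to the device the attacker does not hold, and the old number is notified afterwards regardless; the `remember_me` check in `spend` keeps the month-long cookie usable for browsing while making any withdrawal of balance cost a fresh login.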