My email and password were emailed to me in clear text!



bhofmann
23-07-2010, 11:17 AM
I've emailed this to the webmaster as well, but it's serious enough for me to try every channel available to bring it to your attention:


Hi

I'd like to alert you to the security flaw in your email reminder service. You sent me my actual password in an email! For security reasons, you should only ever allow me to reset my password. The fact that you are able to retrieve it from your database is a security flaw in itself (you should store a non-reversible encrypted version such as SHA256). But to make it worse, you then sent my password over an insecure channel (email) that would give any listener access to my account, where you had my credit card details stored.

From a company that uses the tag line "People who know computers trust Novatech", I expected more. I expected to be able to trust you. Now I don't. I've logged back in and removed my credit card details, but I suspect that they're probably stored in plain text in your database, and the record is just marked as deleted rather than actually removed. My assumption might be a little unfair, but my experience so far has caused this.

Please, for your own reputation and for the protection of your customers, fix this as your highest priority.

Thank you

:td:
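The two fixes the post asks for (store only a one-way hash, and offer a reset instead of a reminder) are shown together below as an added example; this is not Novatech's code and nothing about their actual system is known here. It uses Python's standard library: PBKDF2-HMAC-SHA256 (a salted, iterated construction over the SHA256 the post mentions) for storage, and a random single-use, time-limited reset token of which only a hash is kept server-side. The user table and token table are in-memory dictionaries constructed for the example, and the iteration count is an assumed value to be tuned per deployment.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores standing in for database tables.
USERS = {}          # username -> {"salt": bytes, "digest": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_unix_seconds)

PBKDF2_ITERATIONS = 600_000   # assumed; high enough to slow offline guessing
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: the site can check a
    candidate password against it but can never turn it back into the password,
    so a 'remind me of my password' email is impossible to produce."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only salt + digest; the cleartext password is discarded here."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work so unknown usernames are not revealed by timing.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Replace the password reminder: mint a random token for the reset link.
    Only its hash is stored, so a database read does not yield usable tokens."""
    if username not in USERS:
        return None  # caller should still reply generically to the requester
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("utf-8")).digest()
    RESET_TOKENS[token_hash] = (username, now + RESET_TOKEN_TTL)
    return token  # this, not the password, is what goes out by email


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token exactly once, reject it after expiry, and set a new
    password (fresh salt and digest). Returns True on success."""
    if now is None:
        now = time.time()
    token_hash = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(token_hash, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse")
    print("login ok:", verify_password("alice", "correct horse"))
    print("wrong pw:", verify_password("alice", "wrong"))
    link_token = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token(link_token, "new pass"))
    print("reused  :", redeem_reset_token(link_token, "again"))
```

Because `USERS` never holds the password, a leaked table gives an attacker only salted PBKDF2 digests to guess at offline, and the reset token sent by email is worthless after one use or fifteen minutes, which bounds the damage from the insecure channel the post complains about.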

codemonkey
23-07-2010, 11:33 AM
Hi,

To be able to process and store card details we have to abide by a very strict code of conduct called PCI-DSS which is written by Mastercard and Visa. Every procedure we have regarding data and access is controlled by this document, including encryption of all sensitive data.

Without this level of safety we would not be allowed to process any payments.

And the "Remind me of my password" facility has always been popular with our customers. And again I can assure you all the data is encrypted in line with the credit card company policies.

Should you wish to discuss this further you can PM me.

Regards,
Dean Williams