Hooo boy. Talk about a massive fail.
Be very careful about buying things from Eastwood Tools. And whatever you do, never, ever send copies of your personal IDs to someone you don’t know via email.
Situation Normal: AFU
Because of the situation with Porkchop, I’ve found myself in the position of needing to re-think how I’m going to address some of the tasks that lay out in front of me. As I’ve been researching different ways of solving the problem, and looking to avoid buying a single tool for every task, I came across Eastwood Tools’ “Surface Conditioning Tool.”
It’s an impressive piece of kit. I took a look at some videos on YouTube, read some reviews, and decided that I should really pull the trigger and get one.
So I ordered it from their website last night, along with a number of other items (such as additional drums, and some of their clearance items that would be useful).
Yup. Ordered from them the same way I’ve ordered from dozens of companies.
The Cybersecurity Scam/Fail
This afternoon I received an email from Eastwood. Effectively it mentioned that they were taking precautions against fraud, and as a result they needed some additional information.
I get it. No one wants to be the victim of fraud – that’s why I use an anonymous email system to help protect me as well. But what’s fascinating is how big of a fail Eastwood committed in their efforts.
When I called up Eastwood, as indicated in the email that I received, I found out that my 33mail.com address was flagged by their security protocols, which wouldn’t allow the transaction to go through.
However, as the customer service rep told me, their security program flagged the email as “invalid,” and yet they sent me the notice via email. Which I received.
What’s more, if you take a look at their email, you can see that they commit their own security problems as well. Notice that the email address does not belong to the person who penned their name to the bottom of the email. Kim Jackson, “Cybersecurity expert,” did not send the email. Someone named “Angie Clark” did.
This is a classic how-to reveal of spam, but that isn’t even the biggest problem.
The biggest problem is that they want me to send a photo ID via email.
Look, I understand that vendors are trying to protect themselves from fraudulent activity. Personally, I think that people who scam and defraud others deserve to be strung up by their short hairs.
But Eastwood compounds the problem in a “Security for me, but not for thee” manner, and it’s not acceptable.
I told the woman who answered the phone, who was simply the messenger and did not need to be shot, that I would not be sending my photo ID via insecure means across the Internet. The only issue I had with her handling of the situation was that she was forced to read from the script:
“The email only comes to me and it’s deleted as soon as it’s verified.”
“Well, whenever I go to the store I hand over my ID to the clerk.”
Perhaps, but you don’t pass the ID through a dozen people to get to the clerk, now do you?
Remember, the initial email that came from Eastwood (pictured above) came from someone other than the person claiming to send it. So, the track record of Eastwood’s email system already has a strike against it. I also do not believe any company that says that they want your personal identifying government-issued ID “for security reasons” to be sent insecurely has a leg to stand on when it comes to scout’s honor, I promise, stick a needle in my eye, hope to die.
Fortunately, there are other sellers of the SCT, and I managed to submit an order with one of them. Ironically, it wound up being a little cheaper because this distributor did not charge me shipping.
Many people have had to deal with identity theft of varying degrees. For me, it’s been a relatively minor and minimal interruption – I say relatively because while my four-or-five weeks of hell was horrible, it’s nothing like some of the other issues some friends have had. It’s simply not worth giving up security for convenience.
In short, I’m not saying boycott or ban Eastwood from the list of vendors – I’m just saying don’t ever, ever send out information like what they’re asking for. Just don’t do it. Get it in your head that you have just as much right to protect your privacy and security as they do.