Ceros switched banks and with that move our old credit cards were phased out. I went through every one of the recurring charges that were still being billed to my card and switched them all onto a new corporate card — all except for J2, which I’ve used since they were called Jfax in the ’90s, because I wasn’t able to sign in.
The password I set up for J2 more than a year ago had an exclamation point in it. Let’s say “inept!” was the password, for argument’s sake. When the sign-in for shows me an error, it shows one bullet point less in the field than what I typed: so inept! comes back as •••••. So my guess is that a year ago passwords with ! in them were fine and now they aren’t. No problem, I’ll just get them to reset my password, right?
I figured I could get J2 to send me a password reset link, but what they sent me was my own password in email. Just to be clear, this means that J2 stores user passwords in plaintext, unencrypted. This is astoundingly irresponsible. Member databases like theirs get hacked all the time and the only silver lining is that all of the credit card data and passwords are usually encrypted.
Here is what Wikipedia says about plaintext passwords:
Some computer systems store user passwords as plaintext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
And there’s even a site called Plain Text Offenders where people send in screenshots of email to shame the services that store passwords in plaintext.
After several attempts to sign in and/or change my password got me locked out of their system, I wrote to their customer service. This was on August 14.
On August 21 I wrote them again asking if they check their email and could help me.
On August 27 they sent me an email with a link to unlock my account and sign in again. Here’s my angry reply:
Please re-read my email. This was NOT what I have asked for for 2 weeks now.
Your service will not let me login with the CORRECT password I have. Your login system sucks.
If you cannot change my password to a temporary NEW password and send it to me so I can update my billing information, I am done with your service.
They immediately replied to me — actually they replied to “Dear Brain” — with a form letter explaining how browsers and cookies work.
I wrote back telling them I’ve tried in multiple browsers and that I have the right password and that they should try signing in to see what I’m talking about, since obviously they can see my password. If they could just temporarily change my password to “12345” then I can sign in and update my billing information. They wrote back saying I would need to call their service center, that this was too involved for email.
So from my family vacation I called their service line. The rep failed to help me. I watched my inbox and saw that he got my account locked from his own repeated failed login attempts using my correct plaintext password. His manager was unable to help me too. For the next few days I continued to see an email alert trail showing that they were trying to sign in, probably using the same feeble tools that I have access to, and they were getting locked out of the account just like I was.
On October 4 I wrote them again, since this was the only service I was unable to move to the new credit card:
Another entire month has gone by.
I’ve emailed. I’ve called. The people I talk to are unable to do more than just try the same correct, non-working password.
I’ve seen more email alerts come through from your system saying someone at J2 was trying to sign in and getting locked out.
Do you have a tech team?
Can anyone there do a simple password reset?
Four days later on October 8 they told me to call their help line because this was something they couldn’t help me with over email. I called, knowing my time would be wasted again. Once again a rep failed to help me, got a manager involved and then both of them failed. He asked if he could go ahead and update my credit card information even though they could not reset my password or help me sign in.
I asked, “Why on earth would I keep paying you for this horrible, insecure system that won’t let me sign in to my account with the right password?” He didn’t have an answer for that one, but assured me they would send my problem along to someone who could figure out the issue. I told him I would seriously bet money against that happening, but understood that there was nothing he could do.
It’s a small hassle because many companies accept signed contracts via fax and not email and I have had this particular number for years. The good news is that there are a lot of cheaper fax-only services. J2 gave me a voicemail line straight into my inbox in addition to fax, but the voice messages I get over that number are 100% spam.
Yesterday I got an email from jConnect saying my service is going to be suspended because my credit card was declined.