This is why I don’t use UPS for Tanglewood Turnings:
- 4/2/12: Opened a new account and requested shipping API credentials.
- 4/13/12: Finally gave up on getting WORKING credentials for the shipping API. Multiple calls, multiple emails, still not working. FedEx and USPS were both a matter of an email or web form.
- 4/13/12: Closed account via web.
- 8/13/12: Received invoice for $306.42 for shipping a package from China to Idaho.
- 8/14/12: Called UPS.
- Talked with 3 different people who all transferred me to someone else before the 4th person was in the right area.
- Each person needed only my 6-digit account number to verify who I was – there were NO authentication questions whatsoever.
- The final person picked up the line, was silent, and only responded with “UPS.” when I finally said, “Hello?”.
- After investigating my account the representative started explaining that the receiver had accidentally transposed some digits and proceeded to tell me what their shipping number is.
I decided not to use them originally because of their inability to supply me with some simple, working API credentials. I refuse to use them going forward because of their total neglect for basic security protocol.
There is no way that I should be able to authenticate to a point where I can make changes or bill charges to my account with just my six-digit shipper number. This is easy to obtain and by no means guarantees my identity.
There is no way that any representative should EVER give me information about someone else’s account. Had I been a hacker I could have easily written down the six-digit number and started shipping goods (or illegal materials) using the shipping number for this company in Idaho.
There is no way that a company should be able to fat-finger their account number and have the charges go to someone else. There should be at least two levels of authentication on this. At the very least the account name should be entered to avoid fat-fingering (though this would do nothing to prevent true fraud).
If you use UPS now, take these things into consideration:
- They make it easy to get your information or to use your account to ship things. While the charges are easily reversed you have to consider what is being shipped. Are they using it to ship drugs? Arms? Black market goods? Funding, plans, or materials for terrorists? Your name is on it so if it gets picked up, who do you think the feds are going to come for? Even if there are no legal ramifications, do you want that on your social conscience?
- They make it easy to get your information. A series of phone calls to various departments would give a hacker the ability to get enough information to open accounts in your company’s name, yet because of the way they have their departments broken up, there would be no easily traceable trail of the hacker’s actions.