Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members. 

How It Works

The site operates like Twitter, where members can follow other members.  Members sign up one of their credit cards to the site and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.

A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account).  Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post.  For instance, “Starbucks USA 00075424 04/25 CARD #<XXXX> Purchase #<XXXXXXXXX> Newport Bch, CA”, would be converted to just “Starbucks”.

Members can also add accounts that Blippy has signed on (i.e., iTunes and Zappos), which can also include more details of the card purchase.  With some accounts, a member can choose to show full product details:

Michael purchased 1 app from iTunes (and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)

Or just the amount spent:

Michael spent $3.75 at Starbucks

Members are using Blippy to find hot deals, compare costs (i.e. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews.  Like Facebook, members and followers can comment on the post or hide posts from certain people.  (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled previously scheduled lunch meeting during the same time.)  Some see the revelation of spending habits as a conscience for shoppers.  Others see it as sharing too much information.  Certain purchases and excessive spending can be potentially damaging to someone’s reputation.  For consumers who want to share everything and have nothing to hide, this is perfect for them.

“Users who share information online are becoming slowly aware of the risks of this new technology.”

Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general.  On the flip side, it could create more competition.  If full details of a purchase are posted, a competitor could lower prices to steal future business.

Privacy Concern and Security Risks

Information sharing and web collaboration were made possible with Web 2.0 technologies.  Users who share information online are becoming slowly aware of the risks of this new technology.    Companies who promote the sharing of information online need to ramp up security and take responsibility to help protect their users.

The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed on the HTML source page of a Blippy member’s page.  Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.).  After that issue was discovered, the glitch was fixed quickly.

According to Blippy cofounder Philip Kaplan, there was a “’technical oversight’ in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.”  Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results.  Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated.  Blippy worked with Google immediately to remove the indexed pages.

Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages.  The company again worked with Google to remove the data.  In both cases, Blippy also contacted – and apologized to – the members affected.

Blippy – and its members – were quite lucky.  The damage could have been a lot worse had the site been in a more viral stage, ala Facebook or Twitter.

Who is in Control?

Social networking has given people the power to open up that privacy door – all on their own.  At the same time, secure data is at risk when financial information is released into the air.

Amazon was leary of Blippy in the beginning, as it blocked buyers from publishing their purchases.  Blippy went around the roadblock by requesting members who used Gmail for access to their accounts to obtain the purchase data that Amazon emailed to them.  Other retailers have joined Blippy without as much concern, seeing it more like a promotional tool.

Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud.  As discussed in a previous two-part blog, when data is compromised, fingers are usually pointed to the merchant receiving the card information.  However, all parties involved are responsible for ensuring data security.  On the top, merchants need to be extra careful about business relationships which may affect the data protection of their customers.  Unfortunately – for banks and retailers – if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.

While Blippy thought they were on top of security on their site, the recent data exposure has changed their course.  In their April 26 blog, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.

On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news.  Oh, and Blippy will soon have company in this playing field as Swipely is soon to go live.

As one of the first brick and mortar retailers go to online, 1-800-Flowers continues to lead the pack in thinking outside the box. Started as a single flower store in the 70s, the company launched a toll-free brand in the 80s and then evolved into one of the first online retailers in the mid-90s. Already utilizing mobile phone apps and Twitter, Facebook adds another avenue where the company is finding ways to go directly to the consumer, rather than waiting for the consumers to come to their web site.

“Facebook was the world’s fourth most visited web site in June… “

According to Alexa, a web information research company, Facebook users spend, on average, 30 minutes a day on the site. This gives online retailers, with at least a Facebook “fan” page, more opportunity to capture the attention of their current and future customers. It’s about allowing the consumer as many avenues for purchase as possible.

In addition to 1-800-Flowers’ fan page, followers can also post comments, provide feedback and publish links on their profiles. The company also provides apps for iPhones, Blackberrys and Androids, as well as a basic mobile site, where consumers can shop the Mobile Gift Center and receive SMS offers via their mobile phone.

Besides being a company which seems to forge new marketing paths, 1-800-Flowers needs to throw a pretty wide net out there to catch consumers. 1-800-Flowers’ target market is larger than consumers looking to send flowers, since the acquisition of several companies over the years has expanded its basic product line to include popcorn and specialty treats, cookies and baked goods, premium chocolates and confections, gourmet foods, wine gifts, gift baskets, home décor and children’s gifts.

With its 250 million member base, Facebook was the world’s fourth most visited web site in June, according to figures from comScore, an Internet marketing research firm. So far, Facebook has become a very strong marketing platform (hence the word “viral” that has been added to the original “social networking” term). However, based on other known security issues, the site’s payment platform still has analysts and developers wary of using the site for payment checkout. 1-800-Flowers uses an embedded transactional advertising widget, which operates as a fully functioning storefront. To serve its new e-commerce channel, Facebook is developing a new electronic payments system that might compete with Paypal. Facebook’s Vice President of Product, Christopher Cox, said “software developers who sell applications on Facebook are testing the payments system, but it is unclear whether the company will manage e-commerce transactions across the Web.”

Similar to offering alternative payments, merchants can stay ahead of the curve by regularly finding new ways to maintain their current customer base and reach new consumers. They need to be thinking – “where is my target customer spending their time?” The old adage of “build it and they will come” doesn’t apply in every situation – especially in today’s virtual world.