Red Robin forces phone number as password, says not to share

It seems that companies are losing our data left and right, making it difficult for consumers to protect their identity. Most website logins consist of nothing more than a username/password combination, and many users reuse the same password across multiple sites because of the sheer number of places that require a login. It’s a difficult problem to solve, but we should be coming up with ways to increase the security of websites. That’s why it’s shocking to see Red Robin, a large burger chain in the United States and Canada, use the customer’s phone number as the password to access their “Red Royalty” rewards program.

When first signing up for the rewards program, the site asks a series of personal questions including name, address, email address, and phone number. Underneath the field for the phone number is the following statement:

"Your phone number will be used as your password and to lookup your account in the restaurant should you forget your card."

While the idea of being able to use your phone number to receive credits in the store is nice, the question is why it has to be used as the password to log in to the site. Furthermore, in the “Terms and Conditions” section, Red Robin states the following:

You will need your password (phone number) to access your Red Royalty account. If someone does learn your password, then you accept full responsibility for any actions that person takes using your password.

So instead of providing users with a way to select their own password, they are requiring users to use a phone number and to not share that number with friends and family. While guessing this password does not give an attacker any credit card information, there is still no excuse for this type of shoddy security practice in 2011.
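A defender's counterpart to the practice described above: a registration-time check that rejects a password derived from the very profile fields the sign-up form collects (phone number, name, e-mail). This is added example code, not anything from Red Robin's site; the `Profile` fields and the sample values are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Profile:
    """Fields a loyalty sign-up form typically collects (constructed example)."""
    name: str
    email: str
    phone: str


def digits_only(value: str) -> str:
    """Keep only the digits, so '(303) 555-0123' and '3035550123' compare equal."""
    return re.sub(r"\D", "", value)


def phone_variants(phone: str) -> set[str]:
    """Digit strings that anyone who knows the number would try first:
    the full number, the number without the +1 country code, and the 7-digit local part."""
    d = digits_only(phone)
    variants = {d}
    if len(d) == 11 and d.startswith("1"):   # North American +1 prefix
        d = d[1:]
        variants.add(d)
    if len(d) >= 7:
        variants.add(d[-7:])
    return {v for v in variants if v}


def password_problems(password: str, profile: Profile, min_len: int = 12) -> list[str]:
    """Return the reasons a chosen password is unacceptable; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Strip separators from the password too, so '555-0123' cannot hide the local part.
    pw_digits = digits_only(password)
    if any(variant in pw_digits for variant in phone_variants(profile.phone)):
        problems.append("contains the account phone number")
    lowered = password.lower()
    local_part = profile.email.split("@")[0].lower()
    if local_part and local_part in lowered:
        problems.append("contains the e-mail address")
    if any(len(part) >= 3 and part in lowered for part in profile.name.lower().split()):
        problems.append("contains the account holder's name")
    return problems
```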

27 Comments

I have never seen Red Robin in Canada.

Just ridiculous. Everyone that knows you pretty much has your phone number...are they telling us to put a bogus phone number in?! xD

Nagamasa said,
I have never seen Red Robin in Canada.

Just ridiculous. Everyone that knows you pretty much has your phone number...are they telling us to put a bogus phone number in?! xD

there's like three or four in vancouver alone...

I'm sure (or I hope) that the people who made the site had to say something, "phone numbers as passwords is a bad idea", while the person with the final say said it's ok since they won't be storing any payment details. Makes you think how many people use their phone number as a password for something more important.

Sacha said,
Who's the guy who came up with this idea and what's his username?

All you need to know is the name .. unless he has an unlisted number 411.com will give you half of the info needed .. sweeeeeeet

Brian Miller said,
Looks like people at Red Robin hired ex-Sony Security specialists to develop their login systems.

Uh uh... I wouldn't be too quick to give credit.
I bet RR at least encrypts your number... oh wait... no need! Oh snap!

GS:mac

Glassed Silver said,
Uh uh... I wouldn't be too quick to give credit.
I bet RR at least encrypts your number... oh wait... no need! Oh snap!

GS:mac

"I bet RR at least encrypts your number" umm man yes.. with special sauce!

Okay, really? Best Buy has been doing this with RewardZone forever. Sure, you need to print the rewards out at home, but you can easily retrieve your RZ# from the store with your number, then go home, register online (unless someone's already set up online) and take any points that have aggregated under their name. And as a former BBY employee, I can tell you 9 out of 10 people don't ever register or print their rewards.

Subway have a card like this, even in the UK. It's common practice for any chain store to provide a loyalty card and not just in the US.

_DP said,
Subway have a card like this, even in the UK. It's common practice for any chain store to provide a loyalty card and not just in the US.

I'd adore having loyalty cards here in Germany for fast food... I'm not eating it every day, but often...
Wish I could save some money.

GS:mac

How is this any different to loyalty programmes that use an easily photocopiable barcode to access the rewards in-store? Or using your middle name as your password at Blockbuster, because using a "secure" password is stupid when its transmission is in plain text between the account holder and the data entry clerk, who probably would be shitted if they had to enter P4s$W0rd into the system (or similar in vein). It really is low risk combined with a low consequence.

The real problem is people using insecure passwords for e-mail, financial institutions (including internet stores which save CC information with your profile), and social identity collection websites. Ebay, facebook, paypal, hotmail, etc...

This is nothing more than a hook and bait, shock and awe article.

Well, the photocopy of a barcode at least (in theory) requires the attacker to have a physical copy of the barcode with them. And as for Blockbuster, they're undergoing bankruptcy right now so maybe not the best example.

What's even sadder than this .. well.. retarded idea is that it had to have been more than one person involved. Management approval, website designers, RR's IT people... *somebody* had to have raised their hand and gone "lolwut?"

Dallas area doesn't have a lot of those big national restaurants like Red Robin and Hardees or Carl's Jr or even White Castle.

Not sure why though...my only guess is because Dallas has way too many restaurants as it is.

Dear Red Robin development team and management,
Please research technologies in the following article. http://en.wikipedia.org/wiki/Relational_model
Through the use of relational database technologies invented in 1969 one can reference information across multiple data areas without the need for compromising on security and risking customer information that could later be used for identity theft.

Sincerely,
The center for finding really dumb organizations misusing technology.
