It seems that companies are losing our data left and right, making it difficult for consumers to protect their identity. Most website logins consist of nothing more than a username/password combination, and many users reuse the same password across multiple sites because of the sheer number of places that require a login. It’s a difficult problem to solve, but we should be coming up with ways to increase the security of websites. That’s why it’s shocking to see Red Robin, a large burger chain in the United States and Canada, use the customer’s phone number as the password to access their “Red Royalty” rewards program.
When first signing up for the rewards program, the site asks a series of personal questions including name, address, email address, and phone number. Underneath the field for the phone number is the following statement:
“Your phone number will be used as your password and to lookup your account in the restaurant should you forget your card.”
While the idea of being able to use your phone number to receive credits in the store is nice, the question is why does it have to be used as a password to login to the site? Furthermore, in the “Terms and Conditions” section, Red Robin states the following:
“You will need your password (phone number) to access your Red Royalty account. If someone does learn your password, then you accept full responsibility for any actions that person takes using your password.”
So instead of providing users with a way to select their own password, they are requiring users to use a phone number and not to share that number with friends and family. While guessing this password does not give an attacker any credit card information, there is still no excuse for this type of shoddy security practice in 2011.
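The design the post argues for is straightforward: keep the phone number as the lookup key for in-store use, but make the password a separate, user-chosen secret, and refuse at sign-up any password that is just a profile field in disguise. The following is an added example written for this page, not Red Robin’s code; the class and function names, the policy thresholds (12 characters, PBKDF2 iteration count) and the sample profile are all assumptions chosen for illustration.

```python
"""Added example: phone number as an account *identifier*, never as the
password, plus a sign-up check that rejects passwords derived from the
phone number or other profile fields.  All names and thresholds here are
constructed for illustration and are not from any real rewards site."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Profile:
    """Fields the post says are collected at sign-up."""
    name: str
    email: str
    phone: str


def digits_only(s: str) -> str:
    """Normalise a phone number so '(555) 123-4567' and '5551234567' compare equal."""
    return re.sub(r"\D", "", s)


def password_rejection_reason(password: str, profile: Profile) -> Optional[str]:
    """Return why a candidate password is unacceptable, or None if it passes.

    The checks target the failure the post describes: a 'secret' that is
    also a piece of profile data anyone who knows the customer already has."""
    phone = digits_only(profile.phone)
    pw_digits = digits_only(password)

    # The phone number itself, in any formatting and with any decoration around it.
    if phone and phone in pw_digits:
        return "password contains the account's phone number"
    # The last 7 or last 4 digits are just as guessable for anyone who knows the number.
    if phone and len(pw_digits) >= 4 and phone.endswith(pw_digits):
        return "password is a suffix of the account's phone number"
    # Name and e-mail address are equally public.
    lowered = password.lower()
    local_part = profile.email.split("@")[0].lower()
    if lowered in {profile.name.lower(), profile.email.lower(), local_part}:
        return "password matches another profile field"
    # A purely numeric secret of phone-number length has at most 10**10 possibilities.
    if password.isdigit():
        return "password is all digits"
    if len(password) < 12:  # assumed minimum length; policy choice
        return "password shorter than 12 characters"
    return None


# Assumed work factor; tune to the deployment's hardware budget.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class RewardsStore:
    """Phone number indexes the account (the in-store lookup the post finds useful);
    the password is a separate, user-chosen secret stored only as a salted hash."""

    def __init__(self) -> None:
        self._by_phone = {}

    def register(self, profile: Profile, password: str) -> None:
        reason = password_rejection_reason(password, profile)
        if reason:
            raise ValueError(reason)
        salt, digest = hash_password(password)
        self._by_phone[digits_only(profile.phone)] = (profile, salt, digest)

    def lookup_by_phone(self, phone: str) -> Optional[Profile]:
        """The legitimate use of the phone number: find the account, grant nothing."""
        rec = self._by_phone.get(digits_only(phone))
        return rec[0] if rec else None

    def login(self, phone: str, password: str) -> bool:
        """Authenticate with the separate secret; constant-time digest comparison."""
        rec = self._by_phone.get(digits_only(phone))
        if rec is None:
            return False
        _, salt, digest = rec
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample profile, not real customer data.
    jane = Profile("Jane Doe", "jane@example.com", "(555) 123-4567")
    print(password_rejection_reason("555-123-4567", jane))   # the post's case: rejected
    store = RewardsStore()
    store.register(jane, "correct-horse-battery")
    print(store.lookup_by_phone("5551234567").email, store.login("5551234567", "correct-horse-battery"))
```

The split matters: `lookup_by_phone` lets a cashier find the account when the card is forgotten, exactly the convenience the sign-up page advertises, while `login` never accepts the phone number because `register` refused it as a password in the first place.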