Mint News Blog

News, Information, and Commentary on US Mint Products

Tuesday, February 17, 2009

US Mint Track Order Function

Several readers have posted comments wondering why the US Mint's online Track Order function has been unavailable for the past several days. The short answer is that this function is a serious security hole in the US Mint's website.

Mint News Blog readers who are members of Coin Network may already be aware of a situation that developed about a week ago. A Coin Network member named Tom had his Ultra High Relief Double Eagle order canceled by an unknown perpetrator. This action was performed using the US Mint's online Track Order function, which allows orders to be viewed and canceled by providing an order number and last name. His order number had been posted in the forum, and his last name had presumably been hunted down online.

I was honestly shocked and disappointed that something like this was possible, and even more so that someone had done it. I removed all other order numbers which users had posted on my sites and did what I could to rectify the situation.

I considered this to be a serious security flaw with the US Mint's website. Collectors often share their order numbers with others to estimate how many coins the US Mint is selling or to attempt to decipher the US Mint's shipping schedule. The US Mint has never indicated to customers that this number should be kept confidential, and last names are increasingly easy to discover online. Something more than these two bits of information should be required to cancel an order.

I sent an email to a contact at the US Mint to bring this to their attention. I also touched base with Susan Headley of About.com Coins. She had been aware of this issue for some time and had also reported it to the US Mint. With both of us expressing our concerns, they perhaps realized the seriousness of the issue and took the Track Order feature offline. (You can still call the US Mint by phone for an updated order status.)

Susan Headley describes the situation in detail on About.com Coins. She also discusses a separate US Mint issue related to shipping, which is currently in the spotlight.
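The design problem described above, next to the sign-in requirement later reported in the comments, as an added example (not part of the original post and not the US Mint's code). The order numbers, last names, account IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:
    number: str
    account_id: str   # owner of the order (hypothetical field)
    last_name: str
    status: str = "open"

def sample_orders():
    # Constructed sample data, not real order numbers or names.
    rows = [Order("10000001", "acct-1", "Example"),
            Order("10000002", "acct-2", "Sample")]
    return {o.number: o for o in rows}

def cancel_by_lookup(orders, order_number, last_name):
    """Weak design: two discoverable facts act as the credential."""
    order = orders.get(order_number)
    if order is None or order.last_name.lower() != last_name.strip().lower():
        return False
    order.status = "canceled"   # anyone who knows both values gets here
    return True

def cancel_authenticated(orders, session_account_id, order_number):
    """Hardened design: requires a signed-in session that owns the order."""
    order = orders.get(order_number)
    # Same refusal for "no session", "no such order" and "not your order",
    # so the response does not confirm that an order number exists.
    if session_account_id is None or order is None:
        return False
    if order.account_id != session_account_id or order.status != "open":
        return False
    order.status = "canceled"
    return True

def list_orders(orders, session_account_id):
    """Tracking after sign-in: only the session's own orders are returned."""
    if session_account_id is None:
        return []
    return sorted(o.number for o in orders.values()
                  if o.account_id == session_account_id)
```

In the hardened path the order number is only a lookup key, so sharing it publicly no longer grants any ability to act on the order.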

17 Comments:

At February 17, 2009 at 9:31 PM , Anonymous Anonymous said...

What is even more troubling is all these people who go out and try to sell the coins that they have just ordered from the US Mint on eBay, such as the 2009 Ultra High Relief Double Eagle, and then they are dumb enough to place both their name and order number in the description, or even copy their order confirmation from the Mint's website and place that in their eBay ad. I have seen this time, and time again, when looking at coins on eBay.

In these cases, they are just asking for trouble!!

 
At February 17, 2009 at 10:16 PM , Blogger astroguy said...

I've often wondered about that vulnerability (which dates back to at least ~2000 when the current version of the Mint's site was created). It's really too bad that happened to the forum member.

Do you know though, for sure, if this is the reason that they took away the functionality? Or is this speculation on your part, albeit informed speculation?

 
At February 18, 2009 at 5:10 AM , Anonymous Anonymous said...

It seems like this would be a very simple fix for the mint: just disconnect the link for "ORDER". Then a person HAS to log into their account in order to check the status of an order. Maybe I'm missing something here...

 
At February 18, 2009 at 5:50 AM , Blogger Michael said...

astroguy- According to Susan Headley's article, this is the reason the feature was taken offline. Hopefully, they will restore the feature since it is useful, but correct the security hole.

Anonymous- I recommended that customers be required to call and provide some additional confirmation of identity to cancel orders. Or at the very least, customers should be required to log into the US Mint website with a password to cancel orders. We'll see what they do...

 
At February 18, 2009 at 8:56 AM , Anonymous Keith said...

Michael,

Thank you for posting this. Since the feature first came down on the weekend, I thought that it was an IT thing. By Tuesday morning, I figured it was intentional, but wondered if it was in relation to the UHRDE fiasco.

Sadly, the real information is even more disturbing. So in 2009, we have a major security flaw exposed, unsafe shipping practices, and the sale of a coin that really isn't for sale. I called the Mint every day last week, and got a different answer each day. My credit card address didn't match, no coins have shipped, no blanks, and so on. Of course, none of those were true.

 
At February 18, 2009 at 9:05 AM , Anonymous Keith said...

Michael,

A second thought is the biggest current weakness with the Mint is the lack of ability for the public to communicate with the Mint. All contact info we are given takes us to the Fulfillment Center staff. The Mint should consider allowing others besides the press to contact the Mint directly.

The other solution would be for the Mint to release info in a timely manner. Too often, press releases are released on the website late, or at least too late for the public to react. I remember that I missed the quarter ceremony in my state because the Mint posted the article about two hours before the event. Or, in the current cases, a press release explaining why the UHRDEs aren't ready for shipment, or explaining why the website has issues, would help the general collecting public understand what is going on.

 
At February 18, 2009 at 2:08 PM , Anonymous Anonymous said...

IT infrastructure in the US Mint seems to really suck. Their whole order processing system is highly inefficient, very frustrating to deal with.

 
At February 18, 2009 at 6:30 PM , Anonymous Anonymous said...

Maybe the US Mint will take this opportunity to overhaul the Track Order function. I would love to be able to see a complete history of what I ordered, when, what price, when it was shipped, etc. with the ability to record what I have actually received. It would also be nice to organize them by product type and year, etc. I, for one, find it a bit difficult to keep up with the amount of product that the Mint pumps out and, in my attempt to buy one of each coin, sometimes buy duplicates by mistake because I can't remember what I have ordered and/or I miss a product completely. The Subscription function is very helpful in keeping up but doesn't cover all products, especially "one off" products like Commemorative Coins and almost all of the annual gold and platinum products. Yes, I have a spreadsheet but I sometimes fail to update it properly (happens at least once a year). I am sure I am not alone in this. It would be very easy for the Mint to make the Track Order function a lot more useful.

 
At February 18, 2009 at 8:20 PM , Blogger GoOgLyMoOgLy said...

LOL...the US Mint needs to take a lesson from APMEX.com. I love their features and their website structure.

 
At February 19, 2009 at 7:53 AM , Anonymous Anonymous said...

If you're wondering why it takes so long for a problem to be fixed, or why information is not conveniently available......just remember it's the USM, a division of the Federal government. That's all you need to know.

 
At February 20, 2009 at 1:37 AM , Anonymous Anonymous said...

truly

 
At February 21, 2009 at 12:39 PM , Anonymous Anonymous said...

I just called the US Mint to check on an order.

The voice gave me the option of using the US Mint Track Order page which we all know is off-line.

You would think that one hand would have known what the other hand was doing and delete that reference so as not to anger a customer.

If I ran my business like the Mint runs theirs, I would have been out of business a long time ago.

 
At February 21, 2009 at 3:39 PM , Anonymous Anonymous said...

Have there been many actual UHR deliveries reported? I placed my order within the first hour these coins were available and my ship date has changed several times with the last date of 2-20. I called today and they said it still hasn't shipped, but it still shows a ship date of 2-20. This is getting ridiculous. I can't be the only one that's sick of this.

 
At February 21, 2009 at 9:37 PM , Anonymous Anonymous said...

It seems MINT IT really sucks, even for this kind of simple web application.

If MINT can give me 500 Gold eagle 1 oz, I can redesign everything for them. :-)

 
At February 22, 2009 at 2:40 PM , Blogger Michael said...

Anonymous, possibly the first UHR delivery happened for a member of Coin Network.

http://mintnewsblog.blogspot.com/2009/02/first-2009-ultra-high-relief-double.html

Besides this, I have only seen about four other reports of actual deliveries.

 
At March 11, 2009 at 7:13 AM , Anonymous Anonymous said...

The tracking function is back. You must first sign-in. Afterwards, when you click tracking, all of your orders appear.

 
At May 22, 2009 at 5:59 PM , Blogger Dollar ReDe$ign Project said...

Michael
I read your article today in NY times with great interest as I am working on a related topic called the dollar redesign project
I want to redesign the dollar bill
And believe in the same way you feel coins represent a country so does our paper money and the dollar even more so
And I agree completely with you that the image of America has gotten lost
I would love to chat as I have a tv interview next week
And would love to hear your thoughts
Regards
Richard Smith

 
