A Best Buy online anti-fraud mechanism has unintentionally created a security hole. I was placing an order with a local Best Buy physical store, using the web site's pickup-in-store option. Because the store only had one of the item left, the associate suggested that I give her all of the account information on the phone and she would enter the order right there.
Everything went fine except that she apparently did a one-character typo in the e-mail address. I didn't discover this until a half-hour later when no confirmation note ever arrived. Using the order confirmation that she gave me, Customer Service was able to identify the order and spot the e-mail typo. Great! Except that Best Buy's fraud procedure locks them out from changing the e-mail address. Wait a second. Best Buy now knows that the address is wrong and further knows that my sensitive order information is going out to someone else (assuming that typo-ed address belongs to a real person). Not only can't they fix it, but they tell me that additional mails will go out to that incorrect e-mail address no matter what. Oops!
