Security

What kind of security do you have?

It's recently been improved via the new 'volunteer' role - if you sign in with that password, you can do proofreading, paddle assignment, and sale and payment entry (normal back-end tasks) but not all the other admin menu stuff like reports or live item ordering or emails or anything like that.

Privacy is a concern of many users, so it's discussed on the member contact info page here:

Member Contact Info - This is where you tell us who you are
If you've been here before, please take a moment to verify this contact information
Make any changes necessary, then press to proceed to your statement...
Privacy Info:If you purchase items, your phone and an email link will appear on the donor's statement. If you donate items, your address (and a map-link to it) will appear on buyers' statements, and your name and item descriptions (but NOT your phone or email) will appear in the catalog. We may send you emails after the auction, and to remind you of your auction events, but we will not give out your phone or email to anyone other than your event guests.

Briefly, for members who make donations, we share their names only (via the public catalog listing) and any links or images or other info they choose to put in their descriptions. Only the person(s) who purchase their items will see their phone number and/or email, but even that can be configured based on the item's category (some categories are 'cash and carry' and therefore anonymous). Folks who attend an event can also see the names of others who also attend and the address, email, and phone of the host, but only the donor gets to see all the emails (indirectly via an "email all" link on their statement).

Originally, the 'self-service' aspect of the web site means that anyone who knows a member's phone number could sign in as that person and make changes to the items donated by that member. Items can't be deleted, but certainly mayem could be done by a dedicated malicious person.

Because of this, in 2011 we introduced a PIN number in addition to the phone number required to sign in. Most existing users leave this at the last 4 digits of their phone, so it's not all that secret, but in theory anyway, it allows someone who is concerned about security (or perhaps has a 'higher profile' that might be more attractive to mischief-makers) to establish their own password. It's still a usability trade-off, but we now at least have the security infrastructure in place to support a more restrictive policy some may choose to adopt.

One downside to the PIN is that it prevents a 2nd person from signing up with an existing phone number - you'll have to do this for them using the volunteer password. If we allowed this, we would have to turn off the ability to jump between statements having the same phone number or else it would undermine the security of the PIN - so we chose to limit new sign ups against existing phones instead.

If you wanted to suppress the entire self-service aspect of the site (basically make it read-only) I can see where that might make sense - you'd get a nice security benefit, but might loose some accuracy (esp late changes to event dates or phone/address/email changes which we enjoy not being bothered with). I could also imagine controlling public permission to add/edit/delete items, join as a new member, and update contact info. (Maybe make it less restrictive in-season and tighten it up after the auction?) Currently all these things are possible if one knows a member's phone number (and now, also their PIN).