According to Barry Collins of PC Pro, emails sent out to Argos customers carry – embedded in the HTML code of the message, and so invisible in a normal message frame – complete details of the customer's payment card.
The card verification value (CVV), Infosecurity notes, is normally found only physically printed on the payment card, and is not stored on the magnetic stripe or in the smart card chip data. In theory, since the CVV is not printed on a retailer receipt, the only person who should know the CVV is – quite literally – the holder of the card.
As Collins said when reporting the apparent security faux pas, "customers clicking on that web link would therefore leave plain text details of their card numbers in their browser web history, which could be particularly problematic on shared or public PCs, such as those used by web cafes."
"It would also leave the customers' details stored in the server logs that are maintained by employers and ISPs, as well as Argos' own web analytics software, which logs the URLs used to access its website", he explained.
The flaw was apparently spotted by Paul Lomax, PC Pro's chief technology officer, who ordered goods from Argos' website and later had his card details compromised.
"PC Pro reader Tony Graham, who alerted us to the flawed emails in the first place, also had his card details stolen after placing an order with Argos, although there's no evidence to tie Argos to the credit-card thefts," said Collins in his report on the saga.
Commenting on the apparent security problem, Ed Rowley, M86 Security's product manager, said that organisations that trade online need to be extra careful about what information – especially financial data – is exchanged, and how.
"It is incomprehensible that this credit card data was sent out in an unencrypted format; even if the sensitive information was not visible in the main body it should have been protected from being sent out. A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules", he said.
"This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out", he added.
"It's astonishing that larger companies are not using these well established security tools and procedures."
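The outbound-filtering control Rowley describes, and the leak path Collins describes (card data hidden in the HTML source and link query strings of an email the recipient never sees rendered), can both be shown with a small scanner. The following is an added example, not code from Argos, PC Pro or M86 Security: it parses an outgoing HTML email, separates what a mail client would render from what it would not (link URLs and HTML comments), looks for Luhn-valid card numbers in each view, and returns a block/allow decision. The sample message and its query-string field names (`cardnum`, `expiry`, `cvv`) are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the visible text is harmless, but the tracking link's query
# string and an HTML comment carry card data. Field names are invented here.
SAMPLE_EMAIL = """From: orders@example-retailer.invalid
To: customer@example.invalid
Subject: Your order
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thank you for your order.
<a href="https://www.example-retailer.invalid/track?order=12345&cardnum=4111111111111111&expiry=0312&cvv=123">Track it here</a>.</p>
<!-- cardnum=5555555555554444 -->
</body></html>
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in the finding, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    return [mask(re.sub(r"[ -]", "", m.group()))
            for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


class HtmlViews(HTMLParser):
    """Collects rendered text separately from the link URLs and comments a reader never sees."""

    def __init__(self) -> None:
        super().__init__()
        self.text: list[str] = []
        self.urls: list[str] = []
        self.comments: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def scan_message(raw: str) -> dict[str, list[str]]:
    """Scan every text/html part of an outgoing message; findings are grouped by where they hide."""
    msg = message_from_string(raw, policy=default)
    findings = {"visible_text": [], "urls": [], "comments": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        views = HtmlViews()
        views.feed(part.get_content())
        findings["visible_text"] += find_pans("".join(views.text))
        for url in views.urls:
            # Decode the query string so percent-encoded values are checked as plain digits;
            # each value is scanned on its own so adjacent parameters cannot blur together.
            for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                findings["urls"] += find_pans(value)
        for comment in views.comments:
            findings["comments"] += find_pans(comment)
    return findings


def policy_decision(findings: dict[str, list[str]]) -> str:
    """A gateway rule in the spirit of Rowley's comment: any card number anywhere blocks the send."""
    return "block" if any(findings.values()) else "allow"


if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL)
    for view, pans in result.items():
        print(f"{view}: {pans}")
    print("decision:", policy_decision(result))
```

A filter that only inspects the rendered body text returns nothing for this message, which is exactly the failure mode the article describes; scanning attribute values and comments in the HTML source is what catches the card numbers before they reach a mailbox, a browser history or a web-analytics log.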
Comments
kapple999 says:
09 March 2010
I had an incident a couple of years ago where a small Retailer, who probably designed his own Invoicing system in Excel, sent me a paper Invoice in the post, and on the Invoice was my full 16-digit Credit Card number, the Expiry Date & the CVV (you know, the one he's not supposed to keep a copy of). Horrified, as I didn't know who his Acquirer was (it was mail order and I wasn't going to drive 100 miles to see whose decal was on his POS), I wrote to all the major Acquirers.
I still have their responses: Barclays said: take it up with your Card Issuer (excuse me, it's an Acquirer issue?); HSBC said please call us to discuss (I didn't); Lloyds TSB said report it to the Financial Ombudsman Service (that's a little overkill?), and Natwest/RBS (the biggest Acquirer I believe?) never replied at all.