PCPro has reported weaknesses in the online security of high street retailer Argos.
Argos has been sending customers unencrypted credit card numbers and security codes within e-mails confirming orders, potentially exposing customers to online fraud.
Then it emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself.
Customers clicking on that web link would therefore leave their credit-card numbers in plain text in their browser history, which could be particularly problematic on shared or public PCs such as those in internet cafes or public libraries.
All of this information is sent unencrypted over email, so anybody monitoring network traffic could read it. If the email is going to a webmail account, the information will also be stored on, and accessible to people with access to, the provider's servers.
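The two leaks described above (card data in the email body, and card data in a link's query string) are exactly what an outbound-email check should catch before a confirmation leaves the retailer's mail server. The script below is an added illustration, not code from PCPro or Argos: it scans a constructed sample email for Luhn-valid card numbers, reports which URL query parameters carry them, and produces a redacted copy. The retailer URL, the order number, the 4111... Visa test number and the CVV wording are all constructed assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of a confirmation email that leaks card data in both the
# body and a link's query string (retailer URL and values are invented).
SAMPLE_EMAIL = """\
Thank you for your order 1234567890123.
Paid with card 4111 1111 1111 1111, expiry 12/14, security code: 123.
For our security policy see:
https://www.example-retailer.invalid/security?name=A+Customer&card=4111111111111111&cvv=123
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV label followed by 3-4 digits (the label list is an assumption about typical wording).
CVV_RE = re.compile(r"\b(?:cvv|cvc|cv2|security code)\s*[:=]?\s*(\d{3,4})\b", re.IGNORECASE)
CVV_PARAMS = {"cvv", "cvc", "cv2"}


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum: filters out order or phone numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digits-only form of every Luhn-valid card number found in text, in order."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_links(text: str) -> list[dict]:
    """For each URL in text, report query parameters carrying a card number or a CVV."""
    findings = []
    for url in re.findall(r"https?://\S+", text):
        for key, value in parse_qsl(urlsplit(url).query):
            if find_pans(value) or (key.lower() in CVV_PARAMS and re.fullmatch(r"\d{3,4}", value)):
                findings.append({"url": url, "param": key})
    return findings


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN (in body text and URLs alike) and blank out CVV values."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    text = PAN_RE.sub(_mask, text)
    return CVV_RE.sub(lambda m: m.group(0)[: -len(m.group(1))] + "***", text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print("Leaky URL parameters:", scan_links(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

The Luhn check matters in practice: the 13-digit order number in the sample is not flagged, so the scanner can run on every outbound message without drowning in false positives. Blocking or redacting at the mail gateway is a safety net only; the fix the page describes, not putting the data in the email or the URL at all, is still the correct one.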
Argos has refused to comment on how many customers have been affected or whether it had contacted customers who received the flawed emails.
PCPro’s investigation shows the faulty emails were being sent out as early as last September, but the problem wasn't fixed until last month.
I think the problem is no matter how large or small a Retail Company is, there’s probably a small company somewhere actually doing this work, and the programmer probably hasn’t ever been taught how to handle Credit Card or Personal data.
When checking into a small Hotel, have you ever leaned over the desk to see what system they are using for your Reservation? I always do – often it's Excel.
I had an incident a couple of years ago where a small Retailer, who probably designed his own Invoicing system in Excel, sent me a paper Invoice in the post, and on the Invoice was my full 16-digit Credit Card number, the Expiry Date & the CVV (you know, the one he's not supposed to keep a copy of), plus my Name & Address. Horrified, as I didn't know who his Acquirer was (it was mail order and I wasn't going to drive 100 miles to see whose decal was on his POS), I wrote to all the major Acquirers.
I still have their responses: Barclays said: take it up with your Card Issuer (excuse me, it's an Acquirer issue?); HSBC said please call us to discuss (I didn't); Lloyds TSB said report it to the Financial Ombudsman Service (that's a little overkill?),
and Natwest/RBS (the biggest Acquirer I believe?) never replied at all.