Argos credit-card scandal worsens

Credit cards

By Barry Collins

Posted on 4 Mar 2010 at 13:55

Fresh doubts have been raised over the online security of high street retailer Argos, following a PC Pro investigation.

Yesterday, we revealed that Argos was sending customers' unencrypted credit-card numbers and security codes in order confirmation emails, potentially exposing them to online fraud.

Now it's emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself.

Customers clicking that web link would therefore leave their credit-card numbers, in plain text, in their browser history, which is particularly problematic on shared or public PCs such as those in internet cafés.

It would also leave the customers' details in the proxy and web-server logs kept by employers and ISPs, and in Argos' own web analytics software, which records the URLs used to reach its website. If the security page loads any third-party resources, those servers would ordinarily receive the same URL, card details included, in the HTTP Referer header.
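The two leak paths described above, card data in e-mail bodies and card data in URL query strings that end up in access logs and analytics, are exactly what a merchant's own log and mail scanning should catch. The following Python scanner is an added example written for this article; it is not code from Argos, IBM or PC Pro. The log lines, the e-mail text and the card numbers in it are constructed (the PANs are the commonly used 4111.../5500... test numbers), and it assumes Apache/nginx "combined" log format and the conventional security-code parameter names listed in `CVV_PARAMS`.

```python
"""Scan access logs and e-mail text for card numbers and security codes
that have leaked into URLs or message bodies.

Hypothetical example code, not from Argos, IBM or PC Pro. The log lines,
the e-mail and the card numbers below are constructed; the PANs are the
commonly used 4111.../5500... test numbers.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer run of digits (avoids matching inside timestamps or IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Query parameter names that usually carry the card security code (assumed).
CVV_PARAMS = {"cvv", "cvv2", "cvc", "csc", "cv2", "securitycode", "security_code"}

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits, which PCI DSS permits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return Luhn-valid card numbers (separators stripped) found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text):
    """Replace Luhn-valid card numbers in text with their masked form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)


def scan_query(query):
    """Check one query string for card numbers and security codes.

    parse_qsl percent-decodes values, so an encoded PAN is still caught.
    Returns (param, kind, masked_value) tuples; kind is 'pan' or 'cvv'.
    """
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for pan in find_pans(value):
            findings.append((name, "pan", mask_pan(pan)))
        if name.lower() in CVV_PARAMS and re.fullmatch(r"\d{3,4}", value):
            findings.append((name, "cvv", "***"))
    return findings


def scan_access_log(lines):
    """Report card data in the request target or Referer of each log line.

    Returns (line_no, field, param, kind, masked_value) tuples. The Referer
    is checked because a page that loads third-party resources passes its
    own URL, query string included, to those servers.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                    # not combined format; skip, don't guess
        for field in ("target", "referer"):
            for param, kind, value in scan_query(urlsplit(m.group(field)).query):
                findings.append((n, field, param, kind, value))
    return findings


# Constructed sample data (not real traffic or real customers).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2010:13:55:01 +0000] "GET /security?name=A%20Customer'
    '&card=4111111111111111&cvv=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [04/Mar/2010:13:55:02 +0000] "GET /analytics.js HTTP/1.1" 200 88 '
    '"http://shop.example/security?card=5500-0000-0000-0004" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2010:13:55:03 +0000] "GET /order?id=1234567812345678 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
SAMPLE_EMAIL = (
    "Thank you for your order.\n"
    "Card number: 4111 1111 1111 1111  Security code: 123\n"
    "Our security policy: http://shop.example/security?name=A+Customer"
    "&card=4111111111111111\n"
)

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("log:", finding)
    print("e-mail PANs:", [mask_pan(p) for p in find_pans(SAMPLE_EMAIL)])
    print(redact(SAMPLE_EMAIL))
```

Run as-is it reports the card number and security code in the first request, the dash-separated card number carried in the second line's Referer, and nothing for the third line, whose 16-digit order ID fails the Luhn check. Luhn plus the digit-run boundaries cut most false positives from order numbers and timestamps, but a genuine order number can still pass Luhn by chance, so treat hits as candidates to confirm, and keep the masked form, never the full PAN, in whatever report the scanner writes.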

The flaw was discovered by Dennis Publishing's chief technology officer, Paul Lomax, who ordered furniture from Argos last September and had his credit-card details stolen a few months later. PC Pro reader Tony Graham, who alerted us to the flawed emails in the first place, also had his card details stolen after placing an order with Argos, although there's no evidence to tie Argos to the credit-card thefts.

Broken "spirit of the law"

Security experts say Argos' system was seriously flawed. "Argos say 'we take security of your details seriously'. It seems more like, 'We don't take security of your details seriously. We may send you email from time to time with your payment card details in it,'" said Sophos Labs security expert Paul Baccas.

"Sending this amount of detail is a bad idea, and it has been poorly implemented. Having the customers’ PII [personally identifiable information] and PCI [payment card information] within the email - while possibly not breaking the Data Protection Act - has broken the spirit of the law, and I would suspect that the Data Protection Commissioner would like to be informed."

"This information is being sent unencrypted over email, so anybody monitoring network traffic could see the data. If the email is going to a webmail or company account, this information will be stored and accessible to people with access to those servers," he added.

"We know that bad guys monitor network traffic and hack web servers. Malware already searches computers for locally stored emails to garner PII. I see this every day in my line of work."

Argos comment

In a statement sent to PC Pro Argos said that it "takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

"We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions."

Argos has refused to say how many customers were affected, or whether it has contacted the customers who received the flawed emails.

Our own investigation shows the faulty emails were being sent out as early as last September, but the problem wasn't fixed until last month.

User comments

Over Christmas

I suggest that the number of customers affected is in the millions, as the Christmas period is when 90% of online purchases take place

By Andylec on 4 Mar 2010

...and now that this info is public knowledge it'll be about 5 minutes until some malware variant starts to actively hunt through emails and web histories for this info :/

If this was only breaking the 'spirit' of the law, the law needs changing, tbph.

By rozman on 4 Mar 2010

What about payment card rules

All merchants who accept payment over the internet are covered by rules issued by the payment processors. It is hard to believe Argos are not in breach of these regulations.

By milliganp on 4 Mar 2010

A few years ago I worked for a small company[1] who took credit card payments over the web. We uploaded a daily batch via FTP to our credit card processing company. We were the only client they had who insisted on transmitting (and receiving) encrypted data! We knew this to be true because they had to write the encryption processing to support us. So it isn't only Argos who are bad and wicked in this sort of regard.

Details not given to protect the identities of the other parties.

By richardcrawshaw on 4 Mar 2010

Data Protection

What is the point of SSL and encrypting all personal details if these are to be decoded then returned to the user in plain?

There was obviously a breach of the Data Protection Act which states "Data should be kept SECURE".

It is possible anyone discovering this maltreatment of their data could sue for losses.
A change of personal security and banking details costs time and money..

By lenmontieth on 4 Mar 2010

Where's the PCI DSS Compliance

Hi,

I'm a UK Card Fraud specialist; it's not about the DPA but about their compliance with PCI DSS, the card payment industry standard for protecting (credit) payment cards, which all merchants must comply with.

It's pretty clear Argos weren't compliant with the PCI standard; in fact this is a pretty big compliance failing. If card details were compromised because of this then they are likely to be heavily fined by the card schemes, which is way more powerful than anything the Info-Commissioner can do.

I am more than happy to help journalists ask the right questions, especially as card fraud is costing UK citizens over £1 billion a year, which we all pay for indirectly.

For more info visit my blog blog.itsecurityexpert.co.uk or follow me on twitter @securityexpert

By itsecurityexpert on 5 Mar 2010

Looks like IBM was involved!

I checked one of my previous Argos orders and looked at the source code. Sure enough, the card details are there (thankfully the card has expired now), but there are also references in the source code to an IBM e-commerce solution. Methinks someone will be getting a roasting...

By pinball_wizard on 5 Mar 2010

IBM Websphere

It is likely to be IBM in the background, which suggests that the software has been badly customised.

ftp://ftp.software.ibm.com/software/retail/marketing/retailref/Argos_Reference.pdf

By niowrtt on 8 Mar 2010

Why am I not surprised?

I had an incident a couple of years ago where a small Retailer, who probably designed his own Invoicing system in Excel, sent me a paper Invoice in the post, and on the Invoice was my full 16-digit Credit Card number, the Expiry Date & the CVV (you know, the one he's not supposed to keep a copy of). Horrified, as I didn't know who his Acquirer was (it was mail order and I wasn't going to drive 100 miles to see whose decal was on his POS), I wrote to all the major Acquirers.
I still have their responses: Barclays said: take it up with your Card Issuer (excuse me, it's an Acquirer issue?); HSBC said please call us to discuss (I didn't); Lloyds TSB said report it to the Financial Ombudsman Service (that's a little overkill?), and Natwest/RBS (the biggest Acquirer I believe?) never replied at all.

By kapple999 on 9 Mar 2010

Some tips for reducing credit card fraud

Was looking for information on how to stay safe while shopping with my credit card - found this: http://computing-tips.net/Five_Important_tips_Credit_Card_Security/

By ngwasuma on 2 Sep 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk