Argos credit-card scandal worsens

4 Mar 2010
Credit cards

New fears over Argos, as 'security' page link exposes customers' unencrypted credit-card details

Fresh doubts have been raised over the online security of high street retailer Argos, following a PC Pro investigation.

Yesterday, we revealed that Argos was sending customers' unencrypted credit-card numbers and security codes in order confirmation emails, potentially exposing them to online fraud.

Now it's emerged that those very same confirmation emails contain a web link - ironically intended to direct customers to Argos's security page - which contains the customer's full name, address and credit-card details in the URL itself.

This information is being sent unencrypted over email, so anybody monitoring network traffic could see the data

Customers clicking on that web link would therefore leave plain text details of their credit-card numbers in their browser web history, which could be particularly problematic on shared or public PCs, such as those used by web cafes.

It would also leave the customers' details stored in the server logs that are maintained by employers and ISPs, as well as Argos' own web analytics software, which logs the URLs used to access its website.

The flaw was discovered by Dennis Publishing's chief technology officer, Paul Lomax, who ordered furniture from Argos last September and had his credit-card details stolen a few months later. PC Pro reader Tony Graham, who alerted us to the flawed emails in the first place, also had his card details stolen after placing an order with Argos, although there's no evidence to tie Argos to the credit-card thefts.

Broken "spirit of the law"

Security experts say Argos' system was seriously flawed. "Argos say 'we take security of your details seriously'. It seems more like, 'We don’t take security of your details seriously. We may send you email from time to time with your payment card details in it," said Sophos Labs security expert, Paul Baccas.

"Sending this amount of detail is a bad idea, and it has been poorly implemented. Having the customers’ PII [personally identifiable information] and PCI [payment card information] within the email - while possibly not breaking the Data Protection Act - has broken the spirit of the law, and I would suspect that the Data Protection Commissioner would like to be informed."

"This information is being sent unencrypted over email, so anybody monitoring network traffic could see the data. If the email is going to a webmail or company account, this information will be stored and accessible to people with access to those servers," he added.

"We know that bad guys monitor network traffic and hack web servers. Malware already searches computers for locally stored emails to garner PII. I see this every day in my line of work."

Argos comment

In a statement sent to PC Pro Argos said that it "takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.

"We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions."

Argos has refused to comment on how many customers have been affected or whether it had contacted customers who received the flawed emails.

Our own investigation shows the faulty emails were being sent out as early as last September, but the problem wasn't fixed until last month.

Read more

News