Security hole found in top price-comparison sites
By Davey Winder
Posted on 1 Sep 2010 at 07:53
A PC Pro investigation has revealed a gaping security hole in leading price-comparison websites.
While sites such as Confused.com and Comparethemarket.com might save you time and money, the true cost could be higher than you think courtesy of a basic flaw when it comes to securing customers’ personal data.
Following a reader tip-off, we visited Comparethemarket.com and clicked on the "Retrieve a quote" button. In order to gain full access to the entire quote history of an account holder, all that was required was their email address, surname and date of birth - details that could be easily harvested from social-networking sites such as Facebook.
This was enough to unlock a veritable treasure chest of further valuable data including telephone numbers, car registration and make details, occupation, personal details of spouse as well as property details where house insurance quotes were available. And all of this without any need to enter an account password or click a link in a validation email sent to the account holder's address; just click the submit button and all that data appears on screen.
Confused.com was little better: all we needed to do was fill out a simple web form to reset the account-holder password and access the quote history for anyone who had "forgotten their password", which could, of course, include identity thieves.
This time all we needed to change the account password and get instant access to the quote-history data was an email address, date of birth, postcode and surname. Again, all information that is in the public domain and easily obtainable. The account holder would be none the wiser - no email is sent to even confirm the password had been changed.
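To make the failure concrete, here is an added illustration (not code from either site or from PC Pro) contrasting the knowledge-based reset the article describes with a reset that proves possession of the mailbox. Account records, the mail outbox and the in-memory token store are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed sample data, not real customer records.
ACCOUNTS = {
    "alice@example.invalid": {
        "surname": "Smith", "dob": "1980-01-02", "postcode": "AB1 2CD",
        "pw": None, "quote_history": ["car quote 2010-08", "home quote 2010-07"],
    },
}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry); only the hash is stored
OUTBOX = []         # stand-in for the outbound mail queue

def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest) so verification can recompute it."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def reset_knowledge_based(email, surname, dob, postcode, new_password):
    """Weak flow as the article describes: facts available from social media
    change the password and unlock the quote history, and no email is sent."""
    acct = ACCOUNTS.get(email)
    if acct and (acct["surname"], acct["dob"], acct["postcode"]) == (surname, dob, postcode):
        acct["pw"] = hash_password(new_password)
        return acct["quote_history"]
    return None

def request_reset(email, ttl=900):
    """Hardened flow, step 1: mail a random, single-use, time-limited token to
    the address on file. The reply does not reveal whether the account exists."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[key] = (email, time.time() + ttl)
        OUTBOX.append((email, "RESET:" + token))
    return "If that address is registered, a reset link has been sent."

def complete_reset(token, new_password, now=None):
    """Hardened flow, step 2: redeem the token (proof of mailbox possession),
    change the password, burn the token and notify the account holder."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    ACCOUNTS[entry[0]]["pw"] = hash_password(new_password)
    OUTBOX.append((entry[0], "NOTICE: your password was changed"))
    return True
```

The hardened flow still sends a notice after a successful change, which is the one step the article notes both sites omitted.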
Privacy policies
The Comparethemarket.com privacy policy states: "We comply with and are registered under the data protection laws in the United Kingdom and take all reasonable steps to prevent any unauthorised access to your personal data," although the evidence we have uncovered would suggest otherwise.
Meanwhile, the Confused.com privacy policy states: "Our security procedures mean that we always require proof of your identity before we will disclose information to you. Proof of identity includes your password, which is why you should never reveal it to anyone," except anyone can change that password with the minimum of fuss and without the account holder being any the wiser.
PC Pro contacted both Comparethemarket.com and Confused.com last week to inform them of the findings of our investigation and to enable them to improve their security before we published this story. We received no reply to our communications from Comparethemarket.com, but a spokesperson from Confused.com told us: "We take our customers' data protection seriously. We are currently in the process of upgrading our password reset and retrieval methods to enhance security for our customers including use of additional security questions, and this will be available in the near future."
At the time of publication neither company had made any changes to the security of the quote retrieval process.
To read the full version of this investigation, read Davey Winder's Real World Computing column in issue 194 of PC Pro, on sale mid-October.
Compare prices...
...with your friends, neighbours and total strangers too!
By greemble on 1 Sep 2010
They've known for at least a year
I complained to Confused.com at least a year ago that I was getting quotes for cars I didn't own. I don't believe it was malicious, I think it was just idiots getting their own email address wrong - it does happen. Clearly they weren't validating ownership of the claimed email address. They weren't very happy and were very reluctant but they did take down the associated account.
It's just laziness, and irresponsible. They should get a MONSTER fine.
JH
By JohnHo1 on 1 Sep 2010
true true
Just had a quick go with a mate's DOB on Comparethemarket.com and there we go: all his personal and quote information for me. As you say, not hard to pull this off of Facebook or the like...
By randomtoast on 1 Sep 2010
PCPro security flaws
PCPro and Dennis Publishing should put their own house in order. A password is all that is needed to enter a subscriber's account. It is printed on the magazine envelope!
By j325xc on 2 Sep 2010
Comparison Sites
I think the sites are a big con trick. They get paid to make you switch. You enter your details and they recommend a better deal. If you then enter the new recommendation they come back with another alternative which could be your original supplier. I.e. switch at any cost???
By G3REPComms on 2 Sep 2010
Personal Details
Well it all comes down to personal details being available on Facebook. If people did not freely distribute their details the accounts would be harder to hack. I think the sites should be pulled down until they comply.
j325xc - good point - come on PCPro, glass houses and all that!
By Afterburned on 2 Sep 2010
@ j325xc
Out of interest, what information is available on the subscriber web site? I don't have my password here to test. I assume if you have stolen the envelope then you already know the person's name and address. What else can be gleaned?
By randomtoast on 2 Sep 2010
Subsinfo.co.uk
Found my password. Information that can be found from here is: subscriptions held, their status, name and address and email.
As far as I know you can't see any banking details or home telephone number.
Email address might be a little annoying but as the password would have to be stolen from paper, it's not going to be pumped into any bulk spam.
As for the mags I subscribe to - nothing to hide for me. Do Dennis publish anything contentious?
By randomtoast on 2 Sep 2010
deleting account on these price comparison sites
There needs to be a set of basic standards for sites that have user account login areas. This should include at minimum, the ability for a user to remove their details from being accessible from the Web UI. I have logged into both of these mentioned comparison sites and no such option is available. This then only leaves contacting the company to request the removal of your data but as yet I have not heard from either of them in response to such requests.
By pcbuilder on 6 Sep 2010