In detail: Argos credit card security breach

When I saw today’s The Register article, “Argos buries unencrypted credit card data in email receipts”, I immediately logged into my Gmail account to see if I had been affected.

It didn’t take me long to find an email receipt from an order placed in April 2009, and I was able to see the problem first-hand.

Near the bottom of the email is the wording “We take security of your details seriously. We may send you emails from time to time, but we would never send an email asking for your log on or card details. See online security for further information.” The underlined words point to a page on argos.co.uk via a URL of some 1600 characters – ironically, this is where the problem lies:

http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosStatic
PageSecondLevel?includeName=Security.htm&langId=-1&storeId=1
0001&catalogId=1500001501&returnToURL=PlaceOrderProgressView
?storeId=10001&cardnumber=****************&houseNumber=*&val
idationno=***&readtsandcs=on&availableDeliveryOrder=********
**&LockDelAddressAsBillAddress=false&startmonth=&paymentAddr
essId=*********&javascriptEnabled=true&contactAddressId=****
*****&orderId=**********&creditPlanId=&unavailableDeliveryOr
der=**********&delcity=RUGBY&SCSNum=03&com.ibm.commerce.cont
ext.experiment.ExperimentContext=com.ibm.commerce.context.ex
perimentimpl.ExperimentContextImpl@63656e2a&switchno=&emailT
ype=HTML&vatReq=N&voucherCode=&catalogId=1500001501&creditPl
anShortText=&address2=&address1=**********&delpostcode=*****
**&cardtype=VISAD&FFM2011461168=5&POnumber=&deliveryAddressI
d=*********&langId=-1&startyear=&eccvValidated=Y&paymentName
=MR C BARNES&delHouseNo=&addressId=*********&delcounty=Warwi
ckshire&fromView=DeliveryOnlyPaymentInfo&SECURE_ACTION_RESUL
T=7&postcode=*******&SECURE_ACCEPT_CARD=Y&country=United Kin
gdom&town=RUGBY&endyear=****&isInstantCredit=false&endmonth=
**&issueNo=&nor=0&foundValidBinCardType=valid&address=******
********************&instantCreditOtherCard=true&instantCred
itOrder=N&county=Warwickshire&jspStoreDir=argos&delPostcode=
&continue.y=15&continue.x=108&cardholder=***********&argosIm
pl=1&deladdress2=****************

Obviously I’ve redacted my personal details, but the actual text contains my full unencrypted card number, CVV code, expiry date, name as printed on the card and address – basically all the information needed for an identity theft attack. Not only was the information transmitted in clear-text when the email was sent, but the link provided is a standard insecure HTTP link which, if I were to click it, would once again transmit the information in the clear.
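As an added example (not part of the original post and not Argos code), here is one way a sender could audit the links in an outgoing receipt before it leaves the mail system, flagging the parameter names seen in the URL above, card-number-shaped values, and non-HTTPS links. The host name, sample body and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names as they appear in the receipt URL quoted in the post.
SENSITIVE = {"cardnumber", "validationno", "endmonth", "endyear", "cardholder"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def iter_params(query, depth=0):
    """Yield (name, value) pairs, descending into values that carry their
    own query string (e.g. a percent-encoded returnToURL=View?a=1&b=2)."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, value
        if "?" in value and depth < 3:
            yield from iter_params(value.split("?", 1)[1], depth + 1)

def audit_url(url):
    """Return sorted findings for one link."""
    parts = urlsplit(url)
    findings = set()
    if parts.scheme != "https":
        findings.add("scheme:not-https")
    for name, value in iter_params(parts.query):
        if name.lower() in SENSITIVE and value:
            findings.add("param:" + name)
        compact = re.sub(r"[ -]", "", value)
        if re.fullmatch(r"\d{13,19}", compact) and luhn_ok(compact):
            findings.add("pan-like-value:" + name)
    return sorted(findings)

def audit_email(body):
    """Map every link in a rendered message body to its findings."""
    return {u: f for u in URL_RE.findall(body) if (f := audit_url(u))}

# Constructed sample: invented host, well-known test card number.
SAMPLE_BODY = (
    'See <a href="http://shop.example.test/servlet/StaticPage'
    "?includeName=Security.htm&returnToURL=PlaceOrderProgressView?storeId=10001"
    "&cardnumber=4111111111111111&validationno=123&endmonth=01&endyear=2030"
    '&town=RUGBY">online security</a> for further information.'
)

if __name__ == "__main__":
    for url, findings in audit_email(SAMPLE_BODY).items():
        print(url[:60] + "...", findings)
```

Run as a pre-send check, any non-empty result should block the message; the same function can be pointed at web server access logs, since query strings are recorded there too.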

A PC Pro story on the same subject credits the find to reader Tony Graham, whose credit card details had been used fraudulently. While there’s no evidence to link this incident to the Argos breach, my card details were also misused by fraudsters around the time of my Argos order, so this could be more than a coincidence.

My email receipt from a subsequent order made in July last year didn’t seem to expose these details, so presumably the problem had been resolved by then. Nevertheless, I would hope Argos have the decency to contact all customers that may have been affected, making them aware of what has happened and urging them to check their statements carefully.

“Domain Registry of America” scam

I’ve just received a letter from the “Domain Registry of America” (scam site URL) warning me that the expiry date of one of my domains is approaching. This is nothing but a scam which attempts to trick unsuspecting users into “renewing” their domain with DROA (i.e. transferring their registration to them) for up to 5 years. My advice is to either renew your domain with your existing registrar or let it expire.

The letter reads as follows:

As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch today to the Domain Registry of America, you can take advantage of our best savings. Your registration for: *****.com will expire on June 07, 2006. Act today!

Domain name: *****.com
Reply Requested By: April 7, 2006

You must renew your domain name to retain exclusive rights to it on the Web, and now is the time to transfer and renew your name from your current Registrar to the Domain Registry of America. Failure to renew your domain name by the expiration date may result in a loss of your online identity making it difficult for your customers and friends to locate you on the Web.

Privatization of Domain Registrations and Renewals now allows the consumer the choice of Registrars when initially registering and also when renewing a domain name. Domain name holders are not obligated to renew their domain name with their current Registrar or with the Domain Registry of America. Review our prices and decide for yourself. You are under no obligation to pay the amounts stated below, unless you accept this offer. This notice is not a bill, it is rather an easy means of payments should you decide to switch your domain name registration to the Domain Registry of America.

The letter goes on to offer me the choice of renewing my domain for one, two or five years, for £18, £30 or £55 respectively, and also offers the .net and .org variants for £30 each for 2 years.

Looks like exactly the same standard letter that was sent to this blogger a little over a year ago. Steer clear!

The Oil PC

Submerging your PC in cooking oil seems like one of the worst ideas ever suggested, but it’s been done by the guys at Tom’s Hardware. Turns out that oil is a pretty good coolant, and as it doesn’t conduct electricity, won’t short out your components.

The associated Digg story links to a few other people who have tried similar things. My personal favourite is this one – in my opinion, he’s done a better job by avoiding the gratuitous use of silicone sealant and employing mineral oil to improve visibility and presumably reduce the chance of the oil becoming rancid. I also like the airbrick which sends bubbles up through the case.

I’m interested in trying something similar – I replaced my graphics card today and stuck the old card’s fan in a pot of sunflower oil. When I powered it up, it started spinning as normal, although silently and a lot less quickly. I’m not ready to rebuild my main PC in a fishtank full of baby oil, but I’m tempted to drag an old junk PC down from the loft and see how it fares as a silent, oil-cooled system.

Note that it’s unlikely that you’ll end up with a completely silent system – certain components such as the drives and power supply are definitely best kept out of the oil – but you can at least reduce fan noise and maybe even improve cooling at the same time.

Obviously, experimenting with cooling-by-oil-submersion is not without its risks – there’s a chance that you’ll fry (no pun intended) your system and/or end up with a pool of oil on the floor – but you can certainly have fun trying.

Procrastination

I have a rather scary exam in Formal Software Development tomorrow morning, so am finishing my last minute revision this evening. Rather than bore you with the details, here are a couple of fun stories I found on Digg earlier today:

PHP Easter Egg

Append ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 to any URL on most PHP-powered sites to see a cute picture of a dog (or a different dog, a rabbit or a guy with breadsticks up his nose, depending on the PHP version in use).

You can also use a similar technique to view the PHP and Zend logos, and the PHP credits.

There’s some more information here.

My only concern about this bit of harmless fun is that it exposes sites running PHP, but there are lots of other ways of finding this out with a default PHP installation. If you want to disable this, and other “clues”, set expose_php to Off in your PHP configuration file (php.ini) which I assume also removes other “clues” (such as PHP-specific HTTP headers). But I say: use PHP, and use it proudly. :)

(via Digg) – note that the trick no longer works on Digg URLs – the server guys did the expose_php thing!

How to cheat at Windows Pinball

The author of this article has uncovered a cheat in the 3D Pinball game bundled with Windows XP that has lain undiscovered since XP’s 2002 release. By typing the magic words “hidden test”, you are able to drag the ball around the board and do some other cheaty things. What makes it more interesting, though, is his explanation of how he unearthed the elusive cheat using debugging tools.

Apparently it only works on the XP version of the game, not the previous version which shipped on the Windows 2000 disc. However, the XP EXE should run on any version of Windows from 95 upwards. (If anyone can confirm or deny this, let me know.)

(via Digg)

Manna

I’m halfway through reading Manna, a sci-fi book (freely readable online) about robots and their impact on society. It’s a fantastic read and I thoroughly recommend it.

Update: Just finished! I reckon this would make a good movie, although maybe the geekiness would need to be toned down a little.