When I saw today’s The Register article, “Argos buries unencrypted credit card data in email receipts”, I immediately logged into my Gmail account to see if I had been affected.
It didn’t take me long to find an email receipt from an order placed in April 2009, and I was able to see the problem first-hand.
Near the bottom of the email is the wording “We take security of your details seriously. We may send you emails from time to time, but we would never send an email asking for your log on or card details. See online security for further information.” The underlined words point to a page on argos.co.uk via a URL of some 1600 characters – ironically, this is where the problem lies:
http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosStaticPageSecondLevel?includeName=Security.htm&langId=-1&storeId=10001&catalogId=1500001501&returnToURL=PlaceOrderProgressView?storeId=10001&cardnumber=****************&houseNumber=*&validationno=***&readtsandcs=on&availableDeliveryOrder=**********&LockDelAddressAsBillAddress=false&startmonth=&paymentAddressId=*********&javascriptEnabled=true&contactAddressId=*********&orderId=**********&creditPlanId=&unavailableDeliveryOrder=**********&delcity=RUGBY&SCSNum=03&com.ibm.commerce.context.experiment.ExperimentContext=com.ibm.commerce.context.experimentimpl.ExperimentContextImpl@63656e2a&switchno=&emailType=HTML&vatReq=N&voucherCode=&catalogId=1500001501&creditPlanShortText=&address2=&address1=**********&delpostcode=*******&cardtype=VISAD&FFM2011461168=5&POnumber=&deliveryAddressId=*********&langId=-1&startyear=&eccvValidated=Y&paymentName=MR C BARNES&delHouseNo=&addressId=*********&delcounty=Warwickshire&fromView=DeliveryOnlyPaymentInfo&SECURE_ACTION_RESULT=7&postcode=*******&SECURE_ACCEPT_CARD=Y&country=United Kingdom&town=RUGBY&endyear=****&isInstantCredit=false&endmonth=**&issueNo=&nor=0&foundValidBinCardType=valid&address=**************************&instantCreditOtherCard=true&instantCreditOrder=N&county=Warwickshire&jspStoreDir=argos&delPostcode=&continue.y=15&continue.x=108&cardholder=***********&argosImpl=1&deladdress2=****************
Obviously I’ve redacted my personal details, but the actual text contains my full unencrypted card number, CVV code, expiry date, name as printed on the card and address – basically all the information needed for identity theft. Not only was the information transmitted in cleartext when the email was sent, but the link provided is a standard insecure HTTP link which, if I were to click it, would once again transmit the information in the clear.
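As an added example (not code from the original post or from Argos), the scan below shows how a defender can check outbound email templates or web logs for exactly this kind of leak: it parses a URL, follows any nested query string carried in a returnToURL-style parameter, and flags values that pass the Luhn check or sit under the checkout field names visible in the link above (cardnumber, validationno, endmonth, endyear, cardholder, paymentName); the sample URLs and the test card number are constructed.

```python
"""Flag card data carried in URL query strings (added example; Argos code not used)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Field names taken from the leaked link; lower-cased for comparison.
SENSITIVE_NAMES = {"cardnumber", "validationno", "endmonth", "endyear",
                   "cardholder", "paymentname"}
DIGIT_RUN = re.compile(r"\d{13,19}")       # PAN lengths in common use


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes, so it is a cheap first filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _pairs(query: str):
    """Yield (name, value), recursing into values that carry their own query string."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, value
        nested = unquote(value)            # handles a percent-encoded returnToURL too
        if "?" in nested:                  # e.g. returnToURL=PlaceOrderProgressView?storeId=...
            yield from _pairs(nested.split("?", 1)[1])


def find_card_data(url: str) -> list:
    """Return (parameter, reason, masked value) for each suspicious parameter."""
    findings = []
    for name, value in _pairs(urlsplit(url).query):
        reason = None
        if any(luhn_ok(run) for run in DIGIT_RUN.findall(value.replace(" ", ""))):
            reason = "luhn-valid PAN"
        elif name.lower() in SENSITIVE_NAMES and value:
            reason = "sensitive checkout field"
        if reason:
            masked = "*" * (len(value) - 4) + value[-4:] if len(value) > 8 else "*" * len(value)
            findings.append((name, reason, masked))
    return findings


# Constructed sample: same shape as the leaked link, with a well-known test card number.
SAMPLE_URL = ("http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosStaticPageSecondLevel"
              "?includeName=Security.htm&returnToURL=PlaceOrderProgressView?storeId=10001"
              "&cardnumber=4111111111111111&validationno=123&endmonth=05&endyear=2011"
              "&cardholder=A+N+OTHER&town=RUGBY")
# Constructed variant where the nested checkout URL is percent-encoded as it should be.
ENCODED_URL = ("http://www.argos.co.uk/x?returnToURL=PlaceOrderProgressView"
               "%3FstoreId%3D10001%26cardnumber%3D4111111111111111")
```

Run `find_card_data(SAMPLE_URL)` to see the five leaked fields reported with their values masked; the encoded variant is caught through the recursion.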
A PC Pro story on the same subject credits the find to reader Tony Graham, whose credit card details had been used fraudulently. While there’s no evidence to link this incident to the Argos breach, my card details were also misused by fraudsters around the time of my Argos order, so this could be more than a coincidence.
My email receipt from a subsequent order made in July last year didn’t seem to expose these details, so presumably the problem had been resolved by then. Nevertheless, I would hope Argos have the decency to contact all customers that may have been affected, making them aware of what has happened and urging them to check their statements carefully.
Apart from the obvious information attack vector outlined here and on The Register, it looks like that application is also susceptible to replay attacks, CSRF looks likely, and a whole host of other problems of using a GET to copy data like that.
Just checked an email from 29 July 2009. Holy cow!! Everything is in there!! Absolute madness.
One of my friends just brought this to my attention and, having checked my order from September 2009, my card number and CVV number were both plainly visible in the same link to “online security”… Doesn’t look like they fixed it after all, Chris, but they had a stab at it, took out the expiry date and so on, and somehow felt that leaving the card number and CVV was perfectly acceptable! Less than impressed…
It would be interesting to know if the same problem has arisen with Homebase online transactions, as both companies are part of the Home Retail Group. Anyone ordered products from them?
It was me that spotted the original problem. Argos customer support failed to respond to any of my emails so I reported the story to PC Pro. Argos continue to take no appropriate action and so I’ve made a complaint to the Information Commissioner’s Office (ICO). I suggest others also complain to the ICO (an easy web form). Also, I’d like to understand why Argos have not asked the police to run a correlation check between web order card details and stolen cards. This would be an easy way to identify whether our stolen details are related to their security problem or just coincidence.