In detail: Argos credit card security breach

When I saw today’s The Register article, “Argos buries unencrypted credit card data in email receipts“, I immediately logged into my Gmail account to see if I had been affected.

It didn’t take me long to find an email receipt from an order placed in April 2009, and was able to see the problem first-hand.

Near the bottom of the email is the wording “We take security of your details seriously. We may send you emails from time to time, but we would never send an email asking for your log on or card details. See online security for further information.” The underlined words point to a page on argos.co.uk via an URL of some 1600 characters – ironically, this is where the problem lies:

http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosStatic
PageSecondLevel?includeName=Security.htm&langId=-1&storeId=1
0001&catalogId=1500001501&returnToURL=PlaceOrderProgressView
?storeId=10001&cardnumber=****************&houseNumber=*&val
idationno=***&readtsandcs=on&availableDeliveryOrder=********
**&LockDelAddressAsBillAddress=false&startmonth=&paymentAddr
essId=*********&javascriptEnabled=true&contactAddressId=****
*****&orderId=**********&creditPlanId=&unavailableDeliveryOr
der=**********&delcity=RUGBY&SCSNum=03&com.ibm.commerce.cont
ext.experiment.ExperimentContext=com.ibm.commerce.context.ex
perimentimpl.ExperimentContextImpl@63656e2a&switchno=&emailT
ype=HTML&vatReq=N&voucherCode=&catalogId=1500001501&creditPl
anShortText=&address2=&address1=**********&delpostcode=*****
**&cardtype=VISAD&FFM2011461168=5&POnumber=&deliveryAddressI
d=*********&langId=-1&startyear=&eccvValidated=Y&paymentName
=MR C BARNES&delHouseNo=&addressId=*********&delcounty=Warwi
ckshire&fromView=DeliveryOnlyPaymentInfo&SECURE_ACTION_RESUL
T=7&postcode=*******&SECURE_ACCEPT_CARD=Y&country=United Kin
gdom&town=RUGBY&endyear=****&isInstantCredit=false&endmonth=
**&issueNo=&nor=0&foundValidBinCardType=valid&address=******
********************&instantCreditOtherCard=true&instantCred
itOrder=N&county=Warwickshire&jspStoreDir=argos&delPostcode=
&continue.y=15&continue.x=108&cardholder=***********&argosIm
pl=1&deladdress2=****************

Obviously I’ve redacted my personal details, but the actual text contains my full unencrypted card number, CVV code, expiry date, name as printed on the card and address – basically all the information needed for an identity theft attack. Not only was the information transmitted in clear-text when the email was sent, but the link provided is a standard insecure HTTP link which, if I were to click it, would once again transmit the information in the clear.

A PC Pro story on the same subject credits the find to reader Tony Graham, whose credit card details had been used fraudulently. While there’s no evidence to link this incident to the Argos breach, my card details were also misused by fraudsters around the time of my Argos order, so this could be more than a coincidence.

My email receipt from a subsequent order made in July last year didn’t seem to expose these details, so presumably the problem had been resolved by then. Nevertheless, I would hope Argos have the decency to contact all customers that may have been affected, making them aware of what has happened and urging them to check their statements carefully.