Argos has become the latest UK retail giant to be exposed by a silicon.com investigation into website security - with potentially thousands of customer account details readily available online to all and sundry.
The news, which revealed a shocking level of security on the site, will prove a particular embarrassment for the company in the run-up to Christmas, when it hopes online shoppers will add to bumper seasonal sales.
However, word of the serious flaw will do little to reassure customers who are already wary of spending money online in the wake of other recent security breaches.
Having alerted Argos to the flaw at 12:30 (GMT) on Monday, silicon.com withheld publishing details of the problem until the issue was resolved to avoid exposing customers to any further risk of fraud.
Argos has put a fix in place effective as of 18:00 (GMT) on Monday and said "in light of" silicon.com's investigation "the potential vulnerability has been removed".
As with the recent case of the B&Q website, the problem arose from the way customers enter the site in the event that they have forgotten their password. Anybody trying to access their account information via the Argos website was presented with a reminder question if they had wrongly entered their password - or tried to guess somebody else's.
But answering the security question correctly takes users straight through to account details, rather than any subsequent level of security, such as emailing a new password or secure URL to the customer's registered email address.
This means anybody is effectively just two guesses from accessing highly sensitive customer information. And given that most sites will have 'rjones', 'pbrown', 'jsmith', 'apatel' and other common names among their users, the first guess is pretty much a given.
And the reminder questions aren't much harder.
silicon.com checked on a number of very common usernames - and the simplicity of the reminder questions was stunning in many cases - ranging from commonly known general knowledge questions to obvious word and number combinations.
While this is in part the fault of the consumers, they probably didn't realise at the time what a key part their reminder would play in the site's flimsy patchwork of security.
As such anybody with the inclination to do so would not have to have looked very hard or very long before finding an account they could access - enabling them to change a password and more importantly shop for goods on the site, ranging from kitchenware to high-spec computer equipment. They could even make use of the express checkout facility - though Argos claimed "no credit card information is contained on the Argos.co.uk site".
A bad day for Argos wasn't eased by downtime and periods of unavailability for its Argos.co.uk site earlier today. At 12:20 (GMT) a customer service representative told silicon.com: "It's been running slowly all morning and it just crashed about five minutes ago."
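The forgotten-password flow described above, next to the "secure URL" alternative the article mentions, as an added Python example (not code from Argos or silicon.com). The user record, addresses, link format and 15-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed lifetime of a reset link, in seconds
USERS = {"jsmith": {"email": "jsmith@example.test", "answer": "blue"}}  # constructed
RESET_TOKENS = {}     # sha256(token) -> (username, expiry); raw tokens are never stored
OUTBOX = []           # stand-in for the mail system: (address, link)
REPLY = "If the details match an account, a reset link has been sent to its registered address."

def answer_ok(username, answer):
    """Constant-time check of the reminder answer for a known user."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(answer.lower().encode(), user["answer"].encode())

def vulnerable_recover(username, answer):
    """Flow as the article describes it: a correct answer opens the account."""
    return answer_ok(username, answer)   # True means "show account details"

def request_reset(username, answer, now=None):
    """Hardened flow: a correct answer only triggers mail to the registered address."""
    now = time.time() if now is None else now
    if answer_ok(username, answer):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (username, now + TOKEN_TTL)
        link = "https://shop.example.test/reset?t=" + token   # hypothetical URL
        OUTBOX.append((USERS[username]["email"], link))
    # Identical reply for unknown users and wrong answers: no guessing oracle.
    return REPLY

def redeem_reset(token, now=None):
    """Return the username a token belongs to, or None. Tokens are single use."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop: a link works once only
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```

In the hardened flow a guessed username and answer yield nothing to the guesser: the link goes only to the mailbox on file, expires, and cannot be replayed.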

Comments
There are 4 comments.
1. Stephen Meredith
How many more of these stories are we going to hear about before someone starts to take online authentication seriously? The problem is that the e-tailers are protected from the consequences of fraud by the banks and the banks factor the losses into their overall cost base so the incentives to do anything about it are not there. In the end the customer is the one left with the hassle and problem of sorting new cards and credit facilities. Even the new Chip & PIN technology - the banks' panacea for identity theft - is not the answer for online shopping. Unless all the stakeholders in the e-conomy take this much more seriously and come up with a permanent solution that works, there is little prospect of it ever being universally adopted as a genuine alternative to a trip to the nearest shopping centre.
2. robin bailey
May I say well done to those at Silicon.com. I hope that Argos are grateful to them for spotting such a flaw before anyone else.
3. Chike Chinukwue
The Argos ebusiness team is utter crap. For someone who had a first stab at online transactions, their customer service liaisons ie telephone nos, responsibility and trust were just a horrendous experience.
The whole Argos Ebusiness setup needs to be stood on its head or this will not be the last of the slips.
Take this as a warning from someone who has been stung.
4. Terry McMahon
It doesn't surprise me. You should try and order something from Argos and get Argos direct to deliver it. If their flaws in web design are anything to go by then why am I surprised when their order processing system is worse than useless?
I ordered some furniture from Argos and was told that it would be delivered in 14 days. 1 working day later they turn up and wonder why there is nobody home. I dutifully phone them up and arrange a new date (today, 21/11/2003) and they come and deliver my furniture. Sounds good, I know, however here is the sting to my story... I was expecting 3 boxes of flat pack furniture to be delivered. Argos managed to deliver one box that should contain a work station that comes in two boxes, so I am missing two boxes of furniture. I phone up their customer services and they could not tell me why I had only received one box; they would have to email their dispatch department and find out. I asked if I would get a call back within the hour and they said they would. Surprise, surprise, Argos did not bother and I had to phone them. Once I had navigated their IVR I was greeted by their customer services who informed me that actually they were out of stock of both the second box for the work station and a filing cabinet that I ordered at the same time. I asked when they would be in stock and I was informed that they would come in next week and when they were ready Argos would phone me (I have heard that one before!).
I forgot to add that the original order was placed 01/11/2003 and I confirmed with Argos on the 18/11/2003 that everything was in stock. So I have had to cancel the order and again, surprise surprise, Argos could not give me a date on when I would have somebody to collect the unwanted box and they would phone me this evening. (Looks like I will be back on their IVR system again.)
So in summary Argos had (basic, middle school) problems with their web site this week which whoever wrote the site should be shot for, however they have major problems with their order processing and despatch systems. I dread to think what their financing system is like. I am not the only one that has experienced problems; do a Google search for 'Argos Direct Problems'.