Website security: How many times do shops have to be warned?

Shoppers' details considerably easier to get hold of this Christmas than this year's Buzz Lightyear...

COMMENT In the space of four days silicon.com has revealed two serious security flaws on major UK shopping websites.

Argos and B&Q were leaving customers' details vulnerable - and not just to crackers or experienced techies with the knowledge to circumvent security. These details could be accessed by anybody on the internet - you didn't even need a password. In security terms the doors were wide open.

This is an appalling lapse in security and shows a worryingly low level of security awareness at two companies who are at the forefront of the drive towards ecommerce dominance. We hope they are the only two.

After all, if 'Joe and Joanne Public' can't trust Argos and B&Q, then what chance do the little vendors have? Those at the top may be unfairly tarnishing the reputations of far more reliable, security-conscious companies.

In truth ecommerce is by and large safe - everybody at silicon.com is an advocate and this publication stresses most sites are secure. But that's why this news is so difficult to swallow.

If this had been an advanced hack it would still be a failing on the part of the victim site, but it would also be more understandable, since criminals' raison d'être is to stay one step ahead of the measures in place to block them. The fact that these sites gave up the information without much of a fight is unforgivable.

It's been three-and-a-half years since silicon.com exposed the Powergen scandal and still we are writing stories such as these.

It would make it a lot easier to push forward ecommerce if the companies concerned were fighting only the most devious minds out there, rather than trying to remember whether they locked the back door.

Comments

There are 2 comments.

  1. anonymous

    This is a side issue but nevertheless related to the issue of online security. I have recently placed an order with http://www.pixmania.com/dev/gui_web/home/index.php A few minutes after placing the order I received an order confirmation - so far so good. Then later that day I received another email as below;
    ----------------------------------
    Dear Customer,

    Thank you for your order on Pixmania.

    PLEASE REPLY TO THIS MAIL FOR VALIDATION!

    Our insurance company has issued new measures of security regarding all orders placed on our website.

    Consequently, in order to proceed with your order, we would need the following details from you :

    - An alternative e-mail address (for security reasons, we cannot validate orders with anonymous email addresses attached, like Yahoo, Hotmail, etc...)

    - A phone number (company or home line) that can be checked on the directory (BT white pages, Yellow pages, infobel, etc.)

    - For all orders, we ask you to send us a fax with an ID (Driver's license, utility bill, passport... or equivalent on the following fax: 0033 145 700 933)

    We are sorry about the inconvenience this may cause you. Bear in mind these measures are intended for the customers' protection, due to a large amount of credit card fraud on the Internet in the UK.

    Best regards and thank you for choosing Pixmania.

    Pixmania Customer Care


    Alexandre Giroux
    Validation Department

    Tel : 01 45 70 07 42

    Fax :01 45 70 09 33

    --------------------------------

    Being a frequent online user, I have never been asked this before?? It casts doubts in my mind whether this is some sort of scam - a bit like the money scams from Nigeria?? Or am I being too paranoid?

    What should I do??

    pls help

    • 26 November 2003 17:19
  2. anonymous

    The problem remains that anyone attempting to find security holes on a web site - obscure or otherwise - is at risk of being branded an e-terrorist.

    This has been aired many times, but perhaps if the PHBs in these companies knew that it was legal for experienced hackers to pop round and check some aspects of site security, they would be more keen to see the job done properly.

    • 8 December 2003 12:42