Argos allegedly emails out embedded HTML payment card credentials

Argos allegedly emails out embedded HTML payment card credentials
04 March 2010 (source: infosecurity.com (UK)

Reports are coming in that discount retailer Argos, which allows customers to buy from its website, as well as order goods online for pickup from one of its many stores, has allegedly been mailing out customer payment card details – including the three and four digit CVV codes normally found on the signature strip or the front of the card – in its confirmatory emails
According to Barry Collins of PC Pro, emails sent out Argos customers have – embedded in the HTML code of the message, and so invisible in a normal message frame – complete details of the customer's payment card.

The card verification value (CVV), Infosecurity notes, is normally only found physically printed on the payment card, and is not stored on the magnetic stripe or smart card chip data. In theory, since the CVV is not printed on a retailer receipt, the only person that should know the CVV is the – quite literally – the holder of the card.

As Collins said when reporting the apparent security faux pas, "customers clicking on that web link would therefore leave plain text details of their card numbers in their browser web history, which could be particularly problematic on shared or public PCs, such as those used by web cafes."

"It would also leave the customers' details stored in the server logs that are maintained by employers and ISPs, as well as Argos' own web analytics software, which logs the URLs used to access its website", he explained.

The flaw was apparently spotted by Paul Lomax, PC Pro's chief technology officer, who ordered goods from Argos' website and later had his card details compromised.

"PC Pro reader Tony Graham, who alerted us to the flawed emails in the first place, also had his card details stolen after placing an order with Argos, although there's no evidence to tie Argos to the credit-card thefts," said Collins in his report on the saga.

Commenting on the apparent security problem, Ed Rowley, M86 Security's product manager, said that organisations who trade online need to be extra careful about what and how information – especially financial data – is exchanged.

"It is incomprehensible that this credit card data was sent out in an unencrypted format; even if the sensitive information was not visible in the main body it should have been protected from being sent out. A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules", he said.

"This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out", he added.

"It's astonishing that larger companies are not using these well established security tools and procedures."