This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39116937,00.htm
Exclusive: Now Argos exposes customer account details online
Retailer's security was wide open...
By Will Sturgeon
Published: Monday 17 November 2003
Argos has become the latest UK retail giant to be exposed by a silicon.com investigation into website security - with potentially thousands of customer account details readily available online to all and sundry.
The news, which revealed a shocking level of security on the site, will prove a particular embarrassment for the company in the run up to Christmas with it hoping online shoppers will add to bumper seasonal sales.
However, word of the serious flaw will do little to reassure customers who are already wary of spending money online in the wake of other recent security breaches.
Having alerted Argos to the flaw at 12:30 (GMT) on Monday, silicon.com withheld publishing details of the problem until the issue was resolved to avoid exposing customers to any further risk of fraud.
Argos has put a fix in place effective as of 18:00 (GMT) on Monday and said "in light of" silicon.com's investigation "the potential vulnerability has been removed".
As with the recent case of the B&Q website, the problem arose from the way customers enter the site in the event that they have forgotten their password. Anybody trying to access their account information via the Argos website was presented with a reminder question if they had wrongly entered their password - or tried to guess somebody else's.
But answering the security question correctly took users straight through to the account details, rather than to any subsequent level of security, such as emailing a new password or a secure URL to the customer's registered email address.
This means anybody is effectively just two guesses from accessing highly sensitive customer information. And given that most sites will have 'rjones', 'pbrown', 'jsmith', 'apatel' and other common names among their users, the first guess is pretty much a given.
And the reminder questions aren't much harder.
silicon.com checked on a number of very common usernames - and the simplicity of the reminder questions was stunning in many cases - ranging from commonly known general knowledge questions to obvious word and number combinations.
While this is in part the fault of the consumers, they probably didn't realise at the time what a key part their reminder would play in the site's flimsy patchwork of security.
As such, anybody with the inclination to do so would not have had to look very hard or very long before finding an account they could access - enabling them to change a password and, more importantly, shop for goods on the site, ranging from kitchenware to high-spec computer equipment. They could even make use of the express checkout facility - though Argos claimed "no credit card information is contained on the Argos.co.uk site".
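The flaw described above, as an added example that is not Argos's or silicon.com's code: a reminder-question flow that hands over the account on one correct answer, beside a hardened flow that only emails a single-use, time-limited reset token and caps the number of guesses. The account record, username and reminder answer are constructed sample values, and OUTBOX stands in for the customer's registered email address.

```python
import hmac
import secrets
import time

# Constructed sample account store: username -> record (not real data)
ACCOUNTS = {
    "jsmith": {"email": "jsmith@example.invalid", "reminder_q": "Favourite colour?",
               "reminder_a": "blue", "address": "1 High Street"},
}

def _answer_matches(acct, answer):
    # Constant-time comparison of the normalised reminder answer
    return hmac.compare_digest(acct["reminder_a"].lower().encode(), answer.lower().encode())

# --- Weak flow (as the article describes): a correct answer goes straight to the account ---
def weak_recover(username, answer):
    acct = ACCOUNTS.get(username)
    if acct and _answer_matches(acct, answer):
        return acct  # full account details released on a single correct guess
    return None

# --- Hardened flow: the answer only triggers a single-use token sent out of band ---
MAX_ATTEMPTS = 5
TOKEN_TTL = 900          # seconds a reset token stays valid
_attempts = {}           # username -> recovery attempts seen so far
_tokens = {}             # token -> (username, expiry timestamp)
OUTBOX = []              # stands in for the customer's registered email address

def hardened_recover(username, answer, now=None):
    now = time.time() if now is None else now
    n = _attempts.get(username, 0)
    if n >= MAX_ATTEMPTS:
        return "locked"                     # stops unlimited guessing of answers
    _attempts[username] = n + 1
    acct = ACCOUNTS.get(username)
    if acct and _answer_matches(acct, answer):
        token = secrets.token_urlsafe(32)
        _tokens[token] = (username, now + TOKEN_TTL)
        OUTBOX.append((acct["email"], token))   # only the mailbox owner sees it
    return "sent"   # identical reply for a wrong answer or an unknown user

def redeem_token(token, now=None):
    """Account access happens only here, via the token delivered by email."""
    now = time.time() if now is None else now
    entry = _tokens.pop(token, None)        # single use: gone after one redemption
    if entry is None or now > entry[1]:
        return None                         # unknown, already used or expired token
    return ACCOUNTS[entry[0]]
```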
A bad day for Argos wasn't eased by downtime and periods of unavailability for its Argos.co.uk site earlier today. At 12:20 (GMT) a customer service representative told silicon.com: "It's been running slowly all morning and it just crashed about five minutes ago."
Copyright © 2008 CBS Interactive Limited. All rights reserved.