Argos buries unencrypted credit card data in email receipts
Catalogue firm Argos has been criticised for an email security breach that exposed customers’ credit card details and CCV security numbers. The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code was buried in the HTML source of the message. …
"Argos takes the security of its customers’ data extremely seriously, is fully aware of the requirements of the Data Protection Act and has taken remedial action in relation to this matter.
We are in contact with the Information Commissioner’s Office. We have made them aware of our approach to customer communications and will continue to work closely with them to ensure we are taking all appropriate actions."
= Argos was called into the ICO and is currently bent over their bureaux waiting for pain.
He misses the point somewhat - since the collection of credit card details would require the company to be PCI compliant, there should be no storage of the CVV number and the credit card number should be encrypted and stored separately from the keys.
This error would suggest that the app processing the credit card details is the same one that sends out the emails. This would almost certainly result in a PCI non-compliant setup.
I think that Argos might have a visit from the bank's auditors in the near future...
I came here to post exactly the same complaint - what the hell are Argos doing with the CVV codes persisting anywhere??
"...This would almost certainly result in a PCI non-compliant setup.
I think that Argos might have a visit from the bank's auditors in the near future..."
Another visit is likely to be from the Argos Security team to their independent PCI auditor and accreditor, asking why this was not spotted and for a refund of their money.....
If this were a small company then it would find itself de-autorised in an instant.
Argos is a large company that pays millions in credit card fees.
I would bet the Argos CEO's golfing-expenses budget that no action is taken against them.
Gettin Sadda is spot on, large organisations can mutter about the cost of changing/replacing systems and continue to violate PCI requirements (they will need to have a plan to do something about it, though). So you could probably get away with storing CCVs or not using encrypted storage (for a while, anyway) - but not, I would guess, sending the info out in emails! And (strictly speaking) PCI compliance is not a requirement for conducting credit card business, it just gets you better Ts&Cs from the bank.
Full marks to Ed Rowley for flogging his product, but it's hard to see how you could block CCVs from being contained in emails - unless you're planning on stopping every email containing a 3-digit number.
Don't forget that Worldpay got delisted from PCI a few months ago (I believe they've fixed the problem now) but if Royal Bank of Scotland can't sidestep PCI requirements, I hardly think that Argos can. So I don't buy the "big companies" can get out of it argument, I'd be expecting to see hefty fines/delisting any time soon.
I doubt if the CVV codes persist. Except in the email. It's probably a monolithic application that writes some details for order shipping to one database, payment details to another database, generates and confirmation email and ends.
This looks like development code that was not removed.
I'm testing my shiny new application. I want to know exactly what values are being processed. I know, I'll copy all the user's input into hidden fields in the email. Solved.
Waddyamean I should have removed the diagnostic code?
Dodgy Geezer said:
"Another visit is likely to be from the Argos Security team to their independent PCI auditor and accreditor, asking why this was not spotted and for a refund of their money....."
Because that's not part of the PCI assessor's remit, perhaps? There's a requirement for Argos to have a penetration test, which might or might not pick up on it. An on-site assessment checks that a pen test has happened, and that it looks like a pen test (and not, say, a vulnerability scan), but that's really the only place that would catch this. There's a requirement for cardholder data to never be sent by email too, but that's more a "check policy and ask people if they do it" type question. There's nothing requiring anyone to actively check outgoing emails for cardholder data, which is the sort of thing that *would* catch this.
Of course, this is all assuming that Argos have been found compliant in the first place..... A fair proportion of Level 1 merchants are still a way off being compliant.....
http://www.snopes.com/business/consumer/bastard.asp
I could name at least one other major card processor who have told the banks to shove PCI where the sun don't shine....
Argos will pay a hefty fine, (which will be covered by their insurance), then they will offer free credit reporting for 1 or 2 years depending on what the law requires. (At least here in the US).
Still its a slap on the wrist.
One question ... who wrote their system?
PCI DSS compliance is a contractual obligation with the merchant acquirer, as they are contractually obliged to ensure their merchants are compliant by the card schemes. I'd suggest you read visa's international operating regulations before spouting such dross.
...that poor stock statement is also available to you from page 1018 of the Argos catalogue.
I don't know anything about email security and card processing personally. Clearly neither do Argos. I never knew buying a tacky clown pendent could be so insecure!
And its taken this long?
TBH, i would want them to get a fix in place before they start announcing it to all and sundry, else any bot herder with a comprimised mail server go "grep "argos" /tmp/mailspool" or some variation of the theme that would actually work.
grep "argos" /etc/mailstore (or whatever) will provide plenty of grist for the cloners.
Plenty people & businesses keep their mail serverside particularly if there's a legal need for archiving.
The ONLY secure fix to this mnoumental cockup is to issue every single one of Argos' customers a new card.
The ijit who thunk this up needs to be introduced to the rough end of a very large pineapple.
Yeah, good point, i didnt think that one through really. My only excuse is that its a friday :P
How is content filtering the issue here ?
We all know that what is in that email is PROGRAMMED to be there. It's not an accident, someone has written code to both output and purposely hide that information.
How should this be the laid at content filtering ? Surely the issue is "idiot coder at the keyboard, spitting credit card numbers out" ?
My mum was recently telling me about when she was pregnant with me and working at Argos as a cashier.
Apparently if you were able to operate one of there 1970's era tills you were the most highly trained cashiers there was because they were operable during the power cuts and very complicated.
How times have changed.....
Just checked the HTML source for the receipt for the cooker I bought last April and discovered that my name, address, postcode, credit card number, expiry date, and CVV number were all there.
As parameters in a link.
To an unsecured site.
And the text in link? "Online Security"
Am I allowed to swear? Because I'm pretty fucked off about this. This is utterly ridiculous.
@#1 "...take the pain". What pain?
A wee slap and "We'll do better" will be the outcome.
Isn't that the current phraseology for almost anything that goes wrong these days? Roughly translated as "I may be on an obscene salary, but no way I'm carrying the can for anything..."
When any organisations - banks included - say "we take the security of our customers' data vary seriously" you can bet the statement is being made by someone who hasn't the foggiest idea what they're talking about...
ARGOS with its laminated book of dreams. So many wonderful things I must possess them all! Stockcheck, beep beep boop boop!
shortly after Argos introduced their automated ordering machines to my local store I used one of them to make a purchase and was slightly surprised to see a second receipt (which I could have easily overlooked) popping out shortly after the first with my full card details printed on it. I don't work in retail admittedly but isn't it the done thing to only print the last four digits? They don't do that anymore but it really doesn't seem like Argos is an organisation that can be trusted with credit cards.
> The ijit who thunk this up needs to be introduced to the rough
> end of a very large pineapple.
Clearly, thinking was a minor part of the development of this extraordinarily lame system.
What I fail to understand is why _any_ company would bother with writing their own software for online sales. It's a very complex application which demands in-depth understanding of many issues, security among them, and there are very good canned solutions you can buy off the shelf.
It's against the odds that Joe Troll Programmer will have the breadth and depth of knowledge necessary to do the job right.
One wonders if the day is coming when software for online commerce must be vetted and certified by disinterested third parties before it can be legally deployed.
I download all my emails to my computer and delete them from my isp server. What about the poor saps that use hotmail and yahoo and keep all their old emails? ( if that's allowed - don't know, never used them). If it is possible to save all your old emails online then all the fraudster has to do is crack your email account and search for your Argos emails. Simples!
I find it funny that the furniture designer in their ads was a person of undefined east european nationality named Argus - or similar. Is he still around or is he sipping cocktails in the West Indies?
Why is anyone giving Argos their card details? Order online, collect in-store, then the only place your card is seen is at the store till. No CVVs, just chip and PIN.
Oh, and selecting plain text emails also helps. No chance of hidden codes in the HTML.
Fail, to everyone caught out. But mainly to the (hopefully now unemployed) payment app coders.
a) the point of ecommerce is that you don't have to go into town to the scum-ridden high street. Every time I'm forced to go into town I'm reminded how low our society has sunk.
b) yeh, Chip & PIN is so very secure(!) and don't forget that 3DSecure is great too!
Nice piece of programming, whats the betting that those details dont just get sent to the customer.
CVV2 should only be entered into a the secure aspect of the payment page/gateway dealt with by the processor, not third partied into it from a form that can be stored and re deployed.
In theory the acquiring bank should have pulled the ability to process until this is resolved but they dont like to lose those nice merchant and gateway fee's from all those sales.
In terms of SAQ D for PCI thats an epic fail on the part of Argos
Like Steve Anderson, I've checked my previous Argos email receipts and found one from April 2009 which suffers from this problem. Perhaps not coincidentally, the affected card was used fraudulently around that time and has since been cancelled.
I checked another receipt from July 2009 and that seems to be OK, so it looks like Argos fixed the issue, but didn't do the right thing and announce the problem...
Anyway, I've blogged about my findings here if anyone wants to read more: http://chris.gg/p637
If this system is leaking card details into the mail merge software I hate to think where else they might be ending up. Especially for the poor bastards who trusted Argos to save their card details. *shudder*
I have another tab open in my browser, it's Argos, and I was about to buy an item off them. And I just happened to see this article here on El Reg. Adrenaline rush.
Thank you, El Reg, for saving me.
Also, their public statement looks like typical corporate BS. I seriously do hope that the auditors fine them heavily for this. Something strong enough to teach them a lesson. And fire the noob who did this. I hope he's reading this. Right now. Yes, I mean you!
"Argos takes the security of its customers’ data extremely seriously"
Yeah, right.
Anyway, they made it really easy to BOFH get the CEO credit card details
If the application is not PA DSS compliant or they failed to disclose the program captured CVV they will have no comeback with the QSA. They will definitely be Merchant level 1 now and will have to bend over! I don’t imagine that it will be cost effective for them to actually control applications that process cardholder data from here on, as the supporting business processes will be too expensive for them to change. So they will need a third party to process cards for them ;-)
for a company whose sole business model is run from a giant catalogue, how come their online store system is so poor and cr*p? surely it would take very little to just take their store catalogue and make it 100% online?
The laminated book of dreams was laminated to catch the tears of joy, not the ones of realisation your bank account has been emptied....
I bet I know what really happened.
Once the payment ordering and processing software was done they then fired the competent programmer then hired some new programmer to take his place who knew nothing of security from india or china.
The differnce in pay saved from hiring the new guy is then given to the manager as a pay raise.
Sign up, sign up for The Register's weekly IT security newsletter - click here
