back to article UK website data insecurity worries: Users in bits over car break-up emails

Popular car parts website PartsGateway.co.uk is dangerously insecure, a veteran UK security consultant warns. The warning from Paul Moore comes in the midst of ongoing social media complaints (example here) by customers who say they have received phishing mails containing personal addresses and phone numbers. One of the users …

Silver badge
WTF?

With an 11-year-old version of Apache, a seven-year-old version of PHP, no security headers whatsoever, weak TLS and no meaningful authentication, it was only a matter of time before Partsgateway became a statistic

How did that get past PCI DSS?

3
1
Anonymous Coward

Simple.

They got a bit of paper through the mail, they tick a load of boxes, and send it off. In my experience that's all a PCI DSS consisted of. No one ever checked it.

7
0
Bronze badge

"How did that get past PCI DSS?"

They might not take direct payments themselves.

I used a similar site a few years ago (can't remember the name now) which turned out to be infested with fake dealers who took credit card payments over the phone but didn't supply any goods. That site also charged a fee for dealing with complaints. The obvious lesson is to research customer feedback thoroughly before using such a site.

From the homepage: "It's {{ today | date:'shortTime' }} and motorists across the uk are busy sourcing their spares through PartsGateway". Somehow that doesn't fill me with confidence about using the site.

3
0
Silver badge

A lot of sites these days rely on javascript, it's not in itself a reason to distrust them. At least they're using Angular so the front end may well be nicely engineered.

But if their back end is massively out of date then all the front end shenanigans aren't going to make any difference to their security.

1
0
Bronze badge

"A lot of sites these days rely on javascript, it's not in itself a reason to distrust them. At least they're using Angular so the front end may well be nicely engineered."

It wasn't the use of javascript itself that made me doubtful, but the way they display bits of code to users with javascript turned off. I'd call that sloppy.

0
0
Silver badge

I need to start doing this

Unique email addresses seem the way forward.

2
0
Anonymous Coward

Re: I need to start doing this

It may be teaching my mother's mother to suck eggs, but Gmail (and others I guess) allow you to append to your name in their addresses using a +

e.g. if you are johnsmith@gmail.com, johnsmith+carparts@gmail.com will get to you and, if it comes from anyone but the aforementioned, will tell you they've been lax or worse. Filters in gmail make it easy to highlight inbound messages.

I've used it for successfuly a while but note that some web forms will refuse to accept what they see as a non-standard character.

7
0
Bronze badge

Re: I need to start doing this

"Unique email addresses seem the way forward."

You might be in for an unpleasant surprise. I once used a unique address for an application for online banking with a major UK bank, and within a couple of days started getting very convincing phishing emails to that address, purporting to be from that bank, asking me to confirm my details. Needless to say I didn't proceed with the application.

3
0
Silver badge
Boffin

Re: I need to start doing this

I've been doing that for many years now. It's the reason I run my own mail server. Although most mail servers support the '+' notation it's a bit too obvious for my taste. Instead I've set my mail server up with a wildcard based alias system. If anyone does ever crack that I can change the template and continue anew.

I almost never get any spam and if I do it's a simple matter to blacklist the address.

The only downside is that it does leave you with a deep and abiding hatred of the 'CC' function in mail clients.

1
0
Silver badge
Thumb Up

Re: I need to start doing this

You might be in for an unpleasant surprise.

Yes but at least you know the guilty party and can react appropriately. Anything in an SMTP header can be faked so you can't reply on the 'FROM' field to know where an email came from. If you run your own server the logs can give you a clue but they might just point to somewhere like a GMail server.

But if I get email sent to 'HieronymusBloggs@myowndomain.com' then I know exactly where to point the finger - there's only two 'custodians' of that address and in fact only one that will ever store the address in a database ;)

2
0
Anonymous Coward

Re: Nothing new under the sun

in the 80s, I used a variety of middle initials to trace junk mailers. (One of my final year project suggestions was a database to allow easy identification of the culprits).

The most interesting one was the one I used for the 1991 census - my real one. Because despite explicit assurances it would not be used for any other purpose, it "magically" found it's way onto my poll tax demand. Even my council only had my first and surnames .....

4
0
Silver badge

Re: Nothing new under the sun

...in the 80s, I used a variety of middle initials to trace junk mailers. (One of my final year project suggestions was a database to allow easy identification of the culprits).

The most interesting one was the one I used for the 1991 census - my real one.

Where were you back then? I only ask because you appear to have been a couple of decades ahead of the curve...

0
0
Anonymous Coward

Re: Where were you back then?

London.

When *another* of my suggestions for a final year project was submitted, some sort of old-boy network must have been tripped (some of my lecturers had connections). I had a visit from the spooks.

At the time I believed it was to discourage *anyone* from undertaking that research. 35 years on, it's clear someone else did undertake the research - and leveraged it's (obvious) conclusions.

0
0
Bronze badge

Re: I need to start doing this

Yeah we know

But gmail is Google and Google is evil, so there you go.

0
0

Unique e-mail addresses

Unique e-mail addresses do aid in the identification of the source of a leak, but they aren't much help if your payment details have also been compromised.

Isn't it about time the banks and credit card firms came up with a scheme to allow us to give a vendor a one time payment reference. The vendor would use this to get the payment from the bank. After that the reference would be useless. From a vendor's point of view this isn't that different from selling through Amazon, except that in this case the cut of the sale goes to directly the bank rather than via Amazon (who also take their own cut).

(I've used unique e-mail for many years, and I have done business with at least two organisations that have been less than secure with my data. I'd like to name and shame, but I don't want the hassle of getting letters from their lawyers.)

0
0
Anonymous Coward

Re: Nothing new under the sun

"in the 80s, I used a variety of middle initials to trace junk mailers."

In the 80s, I had fun with variations on my address.

The Gas, Electricity, Water and Rates bills had subtle variations on the spacing, puncuation and use of abbreviations (e.g. "Road" versus "Rd" versus "Rd."), making it quite easy to spot which of them had sold the address.

0
0

Re: I need to start doing this

It isn't so much gmail that allows the + but the standard. In fact that is exactly how email worked for all Demon customers. Every customer had their own subdomain, i.e. sub.demon.co.uk, email was sent to anyuser@sub.demon.co.uk, but their system rewrote that to sub+ anyuser@demon.co.uk in order to have it sent to the correct account.

0
0

Re: I need to start doing this

There is a downside though. Many websites use an incorrect regular expression for validating email addresses and will reject ones with the +

0
0
Silver badge

Re: Nothing new under the sun

You can't very well use your real middle initial for those purposes, because it's not a secret to begin with. There are lots of places where the poll tax bods may have researched it from. (E.g. passport office, DVLC.)

As for "ways of spelling 'Road'" - look, the database I work with contains a lookup table of all 'road types' ("road", "street", "way", "highway", "crescent", "avenue", etc. - there are about 400 entries altogether), and lists a standard abbreviation for each of them. What that means is that an address on "Bloggs Road" will be abbreviated in some correspondence as "Bloggs Rd" - regardless of whether it's entered as "Bloggs Rd", "Bloggs RD", "Bloggs Rd.", or "Bloggs Road". I hope this illustrates (one of) the problems with using this information this way.

0
0
Silver badge

Re: I need to start doing this

"Unique email addresses seem the way forward."

I've been doing it for years and the only times I've had spam on any of the company-unique email addys I've given out have been to garmin@mydomain and svp@mydomain. Neither have generated more than a handful of spams. In fact they are more than outweighed by the marketing emails from the companies who demand email addresses from me. I've only ever blocked a couple or three companies for not stopping the marketing emails when I've asked them to or who sent them even after ticking the "please don't email me " box(es) on original submission.

0
0
Silver badge

Seriiously WTF

It is a shitty website which searchers vendors for the car part(s) you are looking for then says

"As part of our service to you, we'll send you an email listing your top quotes and local matches so you can refer back to them quickly and easily."

And asks for you name and email address.

The site could provide the information you wanted straight away, but, insists on emailing it so it has your email address and of course that will result in you getting spam. What the fuck did you think they insisted on getting your email address for?

The morons that give such sites email addresses they care about deserve what they get.

4
2
Anonymous Coward

Re: Seriiously WTF

The business model seems to be they contact their scrapyard partners, who rummage around the back of the yard, take some photos and make up a price. They then send you an offer. That way they don't have to list every part on a car just in case someone is interested, they can do it on demand.

I can understand that taking time, but IME they aren't very good at it. Yards don't actually mail you back, or mail you back with stupid prices - just going to ebay is cheaper and easier.

That said, if they had clue they wouldn't release personal details to yards, yards would just respond to anonymised requests. That would prevent issues from dodgy yards, but not from the network getting hacked.

1
0
Silver badge

Re: Seriiously WTF

"Yards don't actually mail you back, or mail you back with stupid prices - just going to ebay is cheaper and easier."

Got a quote of £156 for four used shock absorbers for a 18 year old Corolla.

Brand new I could get them for £180.

So why would you even bother with that for £24? It's like they don't want my business.

1
0

Re: Seriiously WTF

Hi, I'm one of the morons you refer to (or maybe I'm not, since you do give the get out clause "give such sites email addresses they care about", I used a unique email address for this company) and am actually quoted in the original article.

Basically, I used the site when I was looking for a car part for a 14 year old car, where buying new was hideously expensive and there was a high chance a breakers had it. I phoned around locally, checked eBay etc with no luck.

In my experience breakers don't hold stock lists. If you ring them up you usually get a grunt and a "we'll call you back". This service at least alerted a nationwide list of breakers that someone was looking for a specific part, and would put you in touch with said buyer when they came back to say they had it, the condition/colour etc and the price they wanted. Saving a lot of hassle and ringing around and grunting.

I think as a basic service it's fine in principle, and the issue isn't with the service they provide and more the security/systems that were in place that allowed it to happen

2
0

Re: Seriiously WTF

Had a quote for a part of £800 for a wheel (brand new from jaguar/ford was £260..) so I rang the breaker.

"Boss says we have to respond to every request, if we don't have it we put a silly price in" - makes a bit of a useless site when people do that.

0
0
Anonymous Coward

I got phished too

I've had phish from PartsGateway too:

From: servicecustomer@bearkatautorepair.com

To: [my unique email address given only to PartsGateway]

Subject: [my real name] Your order [fake order number] confirmation

Store Locator | Contact us | Your account

Thank you for your order

Dear [my name] ,

Thank you very much for your order. We’ll get your items packed up and sent out as soon as possible, and we’ll send you a quick email to let you know when they’re on their way.We want you to enjoy shopping with us in complete confidence which is why every single product at us is backed by our guarantee. Tried and thoroughly tested, you can be assured that no product makes it into our range without us really putting it through its paces. We do this because we’re only happy when you’re happy. You can always trust us.

Your order number: [fake order number]

http://[random domain]/personal-area/notification-customer-confirm-reservation-[number]verified-[number].xls

Delivery address:

[my real street address]

Not only that, they didn't find the everyday part I wanted either!

2
0

Just got an email with a fake invoice, had my full name, street name but no door number, and full mobile phone in the email.

0
0
Anonymous Coward

Deja vu

Interesting that Twitter shows a similar conversation from 2015.

A little chat with the ICO may be in order...

3
0

I use a catch all email for signing up to <sitename> with <sitname>@<catchalldomain> - then if they start spamming me I can ban that one 'user' to prevent the spam/viruses coming to me, works ok for me, and if the email gets pwned then it's not a huge deal.

Sending from it is often flagged as spam but it's not for personal things so not too bothered.

0
0
Silver badge

All of those breakers yard search websites *look* insecure, just by the feel of the website you get the impression that it was written by the boss's nephew for £20. I do wonder if there's room for somebody to come along and do it properly.

1
0
Silver badge

I've just had an email from partsgateway:

"We have been made aware of a spam email being targeted to X@X. Unfortunately we were the victims of an attack where the perpetrators were able to gain access via a V Bulletin work forum to access the user database. We must stress no financial records are stored.

We are currently going through every line of code from the last 16 years, taking various parts of the site offline and reviewing all security layers but as a small site with limited resources this will take some time. We are also due to migrate to new servers which will further bolster our defences.

In the meantime can you please delete the email account X@X to avoid any future exposure. We have also removed all traces of your details on the server. Please accept our sincere apologies for the inconvenience this has caused. "

0
0
Pint

Re: I've just had an email from partsgateway:

Me too. Same wording as yours. I too use a partsgateway@<mydomain>.<tld'> Style address. They may be behind with their software, but they're the first company to have informed me quickly, so I'll give their IT guy a beer.

Contrast this with another company I recently contacted because their unique address was being spammed. They admitted to a breach three years ago and gave me a £30 voucher as a very late apology! Nice, but I won't be trusting them with real money in future.

1
0
Silver badge

Re: I've just had an email from partsgateway:

I used a partsgateway@mydomain address too. I wonder if they're found us specifically because we use a unique email address.

If so, it's good of them to do so.

1
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017