Charmin'. Garmin admits customers' full credit card data nicked from South African web store

GPS and wearables maker Garmin has warned customers in South Africa that their personal info and payment data were pinched after they shopped on the shop.garmin.co.za portal. The stolen data, which the emailed notice said was limited to Garmin's South Africa site, included customers' home addresses, phone numbers and emails as …

  1. tony2heads
    WTF?

    WHY do they store the CVV

    Surely totally unnecessary

    And how come it was not encrypted?

    1. Brian Miller

      Re: WHY do they store the CVV

      Nicked as it was typed in! That's the vulnerability. The site database wasn't breached, it was the order page itself.

  2. Trollslayer Silver badge

    Paypal

    A lot of online shops let you use Paypal, if they do I use it.

    There is a one time transaction set up and despite Paypal being a massive target they haven't been hacked,

    OK, yet.

    1. Doctor Syntax Silver badge

      Re: Paypal

      "OK, yet."

      As far as we know.

  3. shyted
    WTF?

    PCI compliance?

    How on earth could they be PCI compliant if they were storing the card number unencrypted? And as for the CVV, it shouldn't be stored at all.

    1. Doctor Syntax Silver badge

      Re: PCI compliance?

      As per TFA: CVV wasn't stored, it was nicked in flight.

  4. This post has been deleted by its author

  5. Wellyboot Silver badge

    Assume the worst.

    That the rest of their world stores (same actual backend system?) are all just as shoddy.

    A statement announcing otherwise would be nice.

    1. Doctor Syntax Silver badge

      Re: Assume the worst.

      As per TFA: it wasn't nicked from the back end but from the unpatched front end.

  6. Bendacious
    Thumb Down

    They've taken the website down so I can't check but it seems to be the norm these days to have bucket loads of third-party scripts loaded on payment pages. All those popular JavaScript libraries must be so tempting for card-skimmers to try and inject their code. I use the uMatrix add-on so I get a handy number pop-up in Firefox's toolbar that tells me how many external resources are being loaded on a page. In my experience websites that use eCommerce content management systems like Magento are often the worst. The web designer adds 15 JavaScript libraries to help the product pages look great and to track visitors and never thinks to remove them from the payment page. Every page uses the same template. Of course the libraries are loaded from a CDN (Credible? Don't Know) as well, not from the local server. I'm not offering any solutions, just complaining about a problem. It will be tough to fix although I suppose the Payment Card Industry Data Security Standard should have more to say about this practice.

    I agree with Trollslayer - I have my issues with Paypal but not having to type in my credit card details into a site that doesn't follow best practice is a winner every time. Also, in the past websites have saved my card details without asking and I only find out next time I visit - they can't do that with Paypal.

    1. Neil Barnes Silver badge

      Another paypal user here - it's one place less that has a debit/credit card stored if I can purchase via a single on-line point (though it does, as pointed out above, make paypal an obvious target - so the card linked at paypal is deliberately restricted in its access to cash).

      A couple of points:

      - in the vast majority of cases, there is absolutely no need for a company to store *any* details about me, whether that be my name and address or my payment details. If there are legal requirements to log the purchase, then surely all that is needed is an encrypted record that the purchase has taken place.

      - every company with whom I might deal on the internet seems to suffer from the delusion that I am now in a relationship with them. This is emphatically not the case. Each and every purchase is a single discrete event. I am quite happy to spend the couple of minutes that it takes to fill out the details each time, but it seems that my co-habitees on this planet are happy to take the risk of having their details stored willy-nilly throughout the world. (Admittedly, this would not have helped in a scraping case like this).

      - STOP allowing random scripts to run. The majority are trackers in one form or another: you are under no obligation to allow yourself to be tracked. Others are potentially dangerous - particularly if they call other scripts - or annoying, in the case of every advert ever made. Allow only those scripts that *must* be run to run, e.g. payment services. As a courtesy detail, if a site presents an empty page unless its scripts are allowed, I consider that site broken by design and avoid using it.
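A defender-side check for the point Bendacious and Neil Barnes raise above, added here as an example and not code from the article or any commenter: it lists the scripts on a checkout page, counts the third-party origins (the number a uMatrix-style counter shows), flags those loaded without Subresource Integrity, and derives the `script-src` allow-list a Content-Security-Policy for that page would need. The page HTML and hostnames are constructed for illustration.

```javascript
// Added example: audit the <script> tags of a checkout page for third-party
// origins and missing Subresource Integrity (SRI). Runs under Node with no
// dependencies. The HTML and hostnames below are constructed, not real.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-libs.net/jquery.min.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://analytics.example-tracker.com/tag.js"></script>
<script src="https://cdn.example-libs.net/slider.js"></script>
<script>inlineInit();</script>
</head><body></body></html>`;

const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;   // opening tag and its attributes
const ATTR_RE = /(\w+)\s*=\s*"([^"]*)"/g;      // name="value" pairs inside it

// Parse every <script> tag into {src, origin, thirdParty, hasIntegrity} or {inline}.
function auditScripts(html, firstPartyOrigin) {
  const results = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = Object.fromEntries(
      [...m[1].matchAll(ATTR_RE)].map(a => [a[1].toLowerCase(), a[2]]));
    if (!attrs.src) { results.push({ inline: true }); continue; }
    const url = new URL(attrs.src, firstPartyOrigin);   // resolves relative src
    results.push({
      src: attrs.src,
      origin: url.origin,
      thirdParty: url.origin !== firstPartyOrigin,
      hasIntegrity: 'integrity' in attrs,
    });
  }
  return results;
}

// Summarise the audit: count of third-party origins, per-script findings, and
// the CSP script-src directive that would permit only what was reviewed.
function summarise(audit) {
  const thirdPartyOrigins = new Set(audit.filter(s => s.thirdParty).map(s => s.origin));
  const findings = [];
  for (const s of audit) {
    if (s.inline) findings.push('inline script (a nonce/hash-only CSP would block it)');
    else if (s.thirdParty && !s.hasIntegrity) findings.push(`third-party script without SRI: ${s.src}`);
    else if (s.thirdParty) findings.push(`third-party script pinned by SRI: ${s.src}`);
  }
  const csp = `script-src 'self' ${[...thirdPartyOrigins].join(' ')}`;
  return { thirdPartyCount: thirdPartyOrigins.size, findings, csp };
}
```

A script pinned by SRI cannot be silently swapped on the CDN, but it still runs with full access to the card form, so the list of third-party origins on a payment page is the thing to shorten first.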

      1. Doctor Syntax Silver badge

        "Each and every purchase is a single discrete event"

        This is something marketing people just can't get their heads round. The local village hall uses a ticketing site. It's reasonable that such a site has an email address for e-tickets and retains it long enough to notify of any last minute changes. It's very much more doubtful that they need a password and they have no business whatsoever spamming that email address without explicit opt-in. So now the email address will be useless for notifying changes, it's set to bounce and, should they bother to read the bounce notices, it will tell them why. If I ever need to use it again the non-bouncing window will last just long enough to get the tickets.

        1. ds6 Bronze badge

          I use a combination of alternative addresses and plus-delimited addresses to segregate received mail. Every site gets its own alias, and most correspondence gets tagged with a label. If I start getting spam to a specific address, I cut all ties with that company, because I know at that point they've done me wrong.
