Cybercriminals can exploit unencrypted HTML content, warns web and email security expert
M86 Security, a global web and email threat protection vendor, has warned that the recent exposure of an Argos customer's credit card number and card security code in an order confirmation email was easily preventable with well-established technology.
In the most recent retail security breach, an Argos customer who checked his order confirmation email found that his entire credit card number and security code could be viewed within the HTML code when he clicked on “View Source”.
The unencrypted email source included the customer's full name, address, full credit card number and the three-digit card security code (the CVV, referred to in the report as the CCV). Although none of this was shown in the rendered body of the email, anyone who intercepted the message, or who had access to the mailbox, would have had everything needed to commit card fraud against the customer.
Although the customer's credit card details were subsequently stolen, no evidence has been found linking that theft to the Argos email.
Apology but no explanation
Argos issued a statement saying that, as far as it was aware, the affected customer had been the only one to contact it about this breach. The issue “has now been fully investigated and resolved to prevent it from happening in the future,” it said.
"We have an obligation to protect our customers’ data and to ensure its security, so we cannot reveal information relating to our data processing arrangements nor regarding our dealings with other customers," added the Argos statement.
Ed Rowley, M86 Security product manager for the Europe, Middle East and Africa (EMEA) region, commented: “Organisations who trade online need to be extra careful about what and how information – especially financial data – is exchanged.
Setting a poor example
“It is incomprehensible that this credit card data was sent out in an unencrypted format; even if the sensitive information was not visible in the main body it should have been protected from being sent out. A good email content filtering product could have enforced encryption or blocked this data from being sent out at all by Argos, using standard or default email security rules.”
Rowley added: “This case highlights the need to filter both inbound and outbound email in order to guard against malware coming in but also to block sensitive information from leaking out. It’s astonishing that larger companies are not using these well-established security tools and procedures.
"This is one of the reasons why PCI DSS [Payment Card Industry Data Security Standard] standards have been introduced, but also an illustration of how they are not always adhered to. According to their parent company, Home Retail Group, Argos enjoyed over £1 billion worth of online sales up to the year ending February 2009, so they really should be setting themselves up as an exemplar of online security rather than as an illustration of what can go wrong, after all, it is their reputation that is at stake."
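The outbound content filtering Rowley describes has to look at the raw source of every message part, not just the text a mail client renders, or it would miss exactly the kind of leak reported here, where the card data sat in the HTML markup rather than the visible body. The following is an added illustration written for this page, not M86's product or anything from Argos. It scans a constructed order-confirmation email (the card numbers are the well-known 4111... and 5555... test numbers, and the sender/recipient addresses are made up) twice, once as rendered text and once as source, finds Luhn-valid card numbers and a labelled security code, and returns the policy decision a gateway would enforce: block if a card number travels with its CVV, force encryption if a bare card number is present, otherwise allow.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample (not a real Argos message): the rendered body shows only
# the last four digits, while the full PAN and CVV sit in an HTML comment and
# a hidden form field. 4111.../5555... are published test numbers, not real cards.
LEAKY_EMAIL = """\
From: orders@example.invalid
To: customer@example.invalid
Subject: Your order confirmation
Content-Type: text/html; charset="utf-8"

<html><body>
<h1>Thank you for your order</h1>
<p>The card ending in 1111 will be charged on dispatch.</p>
<!-- payment_ref: card=4111111111111111 cvv=123 -->
<input type="hidden" name="pan" value="5555 5555 5555 4444">
</body></html>
"""

# Constructed clean message for comparison: no card data anywhere.
CLEAN_EMAIL = """\
From: orders@example.invalid
To: customer@example.invalid
Subject: Your order confirmation
Content-Type: text/plain; charset="utf-8"

Thank you for your order. Order reference: ORD-78231.
"""

# 13-19 digits, optionally separated by single spaces/hyphens, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value explicitly labelled as a card security code.
CVV_LABELLED = re.compile(r"\b(?:cvv|cvc|ccv|cvv2|security code)\b\s*[:=]?\s*(\d{3,4})\b", re.I)


def luhn_ok(digits):
    """Luhn check: weeds out most order numbers and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Deduplicated Luhn-valid card numbers found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return pans


class VisibleText(HTMLParser):
    """Collects only what a mail client renders: no comments, attributes, scripts or styles.
    This is the view a body-only filter would have had of the Argos email."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def scan_message(raw):
    """Scan every text part both as rendered text and as raw source."""
    msg = message_from_string(raw, policy=default)
    findings = {"visible_pans": [], "source_pans": [], "cvvs": []}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        source = part.get_content()
        if part.get_content_subtype() == "html":
            parser = VisibleText()
            parser.feed(source)
            parser.close()
            visible = "".join(parser.parts)
        else:
            visible = source
        findings["visible_pans"] += find_pans(visible)
        findings["source_pans"] += find_pans(source)
        findings["cvvs"] += CVV_LABELLED.findall(source)
    return findings


def outbound_decision(raw):
    """Gateway policy: a PAN travelling with its CVV is blocked outright (PCI DSS forbids
    retaining the CVV after authorisation); a bare PAN must go out encrypted."""
    f = scan_message(raw)
    if f["source_pans"] and f["cvvs"]:
        return "block"
    if f["source_pans"]:
        return "encrypt"
    return "allow"
```

Running scan_message on the leaky sample returns no card numbers in the visible text and two in the source, which is the gap the rendered-body check falls into; outbound_decision therefore returns "block" for it and "allow" for the clean message. The Luhn filter keeps the regex from flagging every long digit run, but a real gateway would also want to whitelist known order-number formats and inspect attachments.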