Data theft and fraud risk from popular online shopping site
Would you leave a bottle of milk in the fridge for two years, and expect nobody else to notice? In what could be an own goal for Walmart’s UK operations, a recent report has prompted a security alert on ASDA’s online shopping site. It turns out that groceries.ASDA.com, their e-commerce site, has had security vulnerabilities for two years.
ASDA has the second largest market share of all UK-based supermarket chains, behind TESCO. The last quarter has seen the American-owned company lose market share to ALDI and LIDL, along with poor trading figures over Christmas 2015. The report by UK security expert Paul Moore is hardly going to instil any confidence in the beleaguered chain.
In March 2014, Mr. Moore alerted ASDA about the security risks on groceries.ASDA.com. He noted several holes in their e-commerce site, which the ASDA Service Team said would be rectified. Almost two years on, he noticed that little had changed. In a YouTube clip, we see how Mr. Moore exposes the site’s vulnerabilities:
After entering your debit or credit card details, a typical e-commerce site would see your payments being handled by a third-party merchant’s site like Worldpay or Sagepay, on a secure server. From ASDA’s website, we see in the Command Line Interface (bottom of the clip) how your credit and debit card details are being transmitted publicly. That is akin to your browser posting on Facebook, “Mr. Howarth has bought four pints of semi-skimmed milk. Here’s his card details and account number.”
As a result, any unscrupulous Tom, Richard and Sally could pick up your card details and go on a spending spree. Sayonara to your spondulicks.
Why is it possible to lose your lucre on what is the online shopping site of the UK’s number two supermarket chain? As well as issues with payment handling, the TLS/SSL protocols aren’t enforced, making for an insecure shopping experience. Their reticence, exposed by Paul Moore, is another good reason to take your business elsewhere.
With a degree of insouciance over security concerns, ASDA has suggested using the Chrome browser. Paul Moore, on the other hand, suggested taking your business elsewhere or, if you’re happy with ASDA’s site, setting your browser to incognito mode.
You can read the full version of Paul Moore’s report on his own website, which is paul.reviews.
Independent Merchant Services, 22 January 2016.