
Online greetings card store Moonpig exposed customer data to hackers for at least 15 months, despite warnings from an expert that there was a hole that needed to be plugged.

There are multiple lessons here. The first: corporate arrogance is dangerous. Second: it’s important for customers to educate themselves, and make sure companies are working to keep them secure. And the third: a “known name” isn’t necessarily a safe one.

Moonpig is an online greetings card store that sells custom-designed cards and mugs through its website. Hugely popular (thanks to regular TV advertising), Moonpig shipped 6 million cards in the UK in 2007. While it is a British site (based in London and the Channel Island of Guernsey), this is a situation that affects shoppers and online store owners around the world.

The Moonpig Hack: What Happened?

Back in 2013, developer Paul Price discovered that requests to the mobile API behind the Moonpig.com website could be manipulated, enabling criminal hackers to place orders on any account. Additionally, data such as customer names, dates of birth, addresses, credit card expiry dates and the last four digits of the card number could be viewed.


Websites that offer online shopping usually provide rate limiters that reduce the impact of automated scripts, but Moonpig had not done this, making it an easy, open target for hackers.


Initially informed by Price of the vulnerability in mid-2013, Moonpig claimed that they would fix it right away; 18 months later, the vulnerability remained.

Said Price when he published details of the vulnerability online:

“I’ve seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be waterboarded. Every API request is like this: there’s no authentication at all and you can pass in any customer ID to impersonate them. An attacker could easily place orders on other customers’ accounts, add or retrieve card information, view saved addresses, view orders and much more.”

Essentially, the API accepted basic authentication and then revealed account data for whatever customer ID the request supplied, without checking that the caller actually owned that account.
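To make the flaw concrete, here is an added illustration written for this article; it is not Moonpig’s code and not Paul Price’s, and every credential, token and customer record in it is constructed. It contrasts a handler that trusts a caller-supplied customer ID after a single shared basic-auth credential (the pattern described above) with a hardened handler that derives the customer from the user’s own session, refuses and logs mismatched IDs, and applies the per-client rate limiting the article notes was missing:

```python
"""Added illustration (not Moonpig's code): an API that trusts a caller-supplied
customer ID versus one that binds the customer to the authenticated session and
rate-limits requests. All credentials, tokens and records are constructed."""
import base64
import time
from dataclasses import dataclass

# Constructed sample records: the kind of data the article says was exposed.
CUSTOMERS = {
    101: {"name": "Alice Example", "dob": "1980-01-01", "card_last4": "1234", "card_expiry": "01/27"},
    102: {"name": "Bob Example", "dob": "1975-06-30", "card_last4": "9876", "card_expiry": "11/26"},
}

# Hypothetical static credential shared by every copy of a mobile client.
APP_BASIC = base64.b64encode(b"mobileapp:s3cret").decode()


@dataclass
class Request:
    headers: dict
    params: dict
    client_ip: str = "198.51.100.7"  # constructed address


def _has_app_basic_auth(req):
    return req.headers.get("Authorization") == "Basic " + APP_BASIC


def get_customer_vulnerable(req):
    """The weak pattern: one shared basic-auth credential proves only that the
    caller is 'the app'. The customerId parameter is then trusted as-is, so any
    client holding the app credential can read any customer's record."""
    if not _has_app_basic_auth(req):
        return 401, None
    cid = int(req.params["customerId"])
    rec = CUSTOMERS.get(cid)
    return (200, rec) if rec else (404, None)


# --- hardened version --------------------------------------------------------

# Constructed per-user session tokens, issued only after that user logged in.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


class RateLimiter:
    """Fixed-window counter per key: at most `limit` requests per `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = {}

    def allow(self, key, now):
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:          # window expired: start a new one
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


LIMITER = RateLimiter(limit=5, window=60)


def get_customer_hardened(req, now=None):
    """The customer is derived from the session token, never from the URL, so a
    caller can only read their own record. A customerId that does not match the
    session is refused and surfaced to detection, and each client IP is rate-limited."""
    now = time.time() if now is None else now
    if not LIMITER.allow(req.client_ip, now):
        return 429, None
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    cid = SESSIONS.get(token)
    if cid is None:
        return 401, None
    requested = req.params.get("customerId")
    if requested is not None and int(requested) != cid:
        # A session asking for someone else's ID is a strong enumeration signal.
        print(f"ALERT ip={req.client_ip} session_customer={cid} requested={requested}")
        return 403, None
    return 200, CUSTOMERS[cid]


if __name__ == "__main__":
    app = {"Authorization": "Basic " + APP_BASIC}
    print("vulnerable:", get_customer_vulnerable(Request(app, {"customerId": "102"})))
    alice = {"Authorization": "Bearer tok-alice"}
    print("hardened:  ", get_customer_hardened(Request(alice, {"customerId": "102"})))
```

The design point is that authorisation has to be decided from something the server issued to this user (the session), not from a value the client chose; the rate limiter does not fix the flaw, it only slows bulk harvesting and gives monitoring time to notice the 403 alerts.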

Price decided to go public with the hack after Moonpig responded to his follow-up contact in September 2014 by promising to have the fix in place by Christmas. When he revealed all on January 5th, it had yet to be plugged.

Moonpig’s Reaction To The Hack

The lesson of this story isn’t so much about the hack – they’re happening more and more in the online shopping industry – but about the attitude of the company, and what this means to consumers.

If we consider the volume of hacks over the past couple of years, such as the still-unexplained eBay leak and Target losing 40 million credit cards, then we can see that there seems to be at best ignorance, at worst utter complacency, towards online security.

Take, for example, the Moonpig response to the news:

This attempt at damage limitation was immediately called out:

Public relations disaster aside, Moonpig’s inability to deal with the issue in a timely manner highlights the importance of regularly running penetration tests on Internet-facing websites, as well as responding to security advisories promptly.

How Customers Can Benefit From Security Vulnerabilities

It isn’t clear if any data was stolen from Moonpig via this vulnerability, and based on their damage limitation efforts so far they probably wouldn’t share the information even if they had it.

The endless issues with online shopping security over the past 24 months or so have begun to undermine confidence in the industry. eBay, for instance, is giving little away at this stage (and never confirmed how its data was hacked), but its remarkable drive towards free listings and other bonuses during the middle of 2014 suggests a lot of users stayed away.


Short of launching civil actions against these companies, the only real step customers can take against the flagrant misuse and insecurity of their data is to vote with their wallets (and if you’re a Moonpig.com customer, it’s worth checking your original terms and conditions for any promises of data security).

With the explosion in courier services and drone deliveries, and vast warehouses around the country handling vast numbers of deliveries, Amazon is proving how to fulfil customer orders and keep customer data safe (so far). Other companies should be using Amazon as an example, rather than as a rough template to mimic. Failure to do this can only result in the end of online shopping – or the total dominance of Amazon.

Only by taking steps to shop elsewhere can we benefit from online stores taking their responsibilities seriously.

Don’t Quit Online Shopping Yet: Just Shop Smarter

Over the past couple of years we’ve seen far too many big names hacked. But these intrusions, and the subsequent data leaks, don’t mean that you have to remain a customer. In fact, you should do the opposite and head for the more secure competitors, or shop locally, instead. If you’re caught out and shop at a site that is hacked, you might also consider these alternative options.

Of course, you might have a better solution. So use the comments to share it, and any related stories you may have.

Image Credit: Shopping online via Shutterstock

  1. ReadandShare
    January 13, 2015 at 10:56 pm

    "My solution is to shop brick & mortar, use cash and to hell with convenience."

    I recall it was Target's brick & mortar store POS that got hacked -- and not its online shopping website. So, you can still be at risk as the clerk rings up your purchase -- unless you always pay with cash -- but that opens up a whole other can of risks.

    • RamblingPirate
      January 14, 2015 at 8:25 am

      Not to mention the not-so-common, but easy to make and install ATM skimmers that have recently been seen used at gas station pay-at-the-pump stations, brick-and-mortar swipe stations, etc.

      It's not shopping online that's dangerous, it's companies opting for the lowest bidder to do their systems, the web not having one set standard to follow, etc.

      I've seen some sites that can't possibly be PCI DSS compliant, but since they use a third party to store and retrieve card information, they don't have to be.

      On top of that, webapps that are made in house by companies are almost never looked at by a penetration tester and audited for vulnerabilities, ESPECIALLY not webapps that were designed in house for use in house, and were never meant to see the outside network.

      I can think of at least 5 maybe 6 systems right now at Fortune 500 tech companies that suffer from exactly that problem.

      Like the article says, we need to make users more aware of what all goes on in our webapps, we need to acknowledge IMMEDIATELY when a breach happens, and we need to start auditing ourselves.

      I know most small web design studios aren't going to be able to afford a full time penetration tester in house to perform an in depth audit, but I'm fairly certain there are services that offer different assessment levels depending on budget; we need to encourage some type of testing, and reinforce that behavior with our wallets.

      Maybe some sort of badge on a site after it's been certified. Have it expire annually, so they have to get it checked for vulnerabilities at least once a year, and after every new big feature addition.

    • dragonmouth
      January 14, 2015 at 4:07 pm

      @RamblingPirate:
      "Not to mention the not-so-common, but easy to make and install ATM skimmers"
      I agree, let's not mention ATMs. An ATM is just an online transaction, which we agreed is not safe. :-)

      "we need to acknowledge IMMEDIATELY when a breach happens"
      Not WE, the companies have to. But as we well know companies are loath to even admit to breaches because they do not want to lose customers, don't want their stock price to drop, don't want the bad publicity.

      Let's look at the situation objectively. Why do we expect the online security to be able to stop intrusions? After all, the programming staffs for both sides of the issue is drawn from the same general pool of programmers. Both sides, the "merchandisers" and the "hackers", have brilliant individuals on their staffs. If anything, I would expect the "hackers" to have the edge in ability since the potential payoff from cyber crime is better than the pay in the cyber defense field, attracting smarter individuals.
      "Cyber crime vs cyber defense" is just a variation on the old "armor vs projectile" struggle. Someone creates a better hack which leads to a stronger firewall which leads to a better hack which results in an even tighter firewall which leads to ....... ad nauseam and ad infinitum. Anything man can invent/design, man can subvert. One of these days we will come to the realization that online security is just wishful thinking and we'll quit sending sensitive data over the Internet, using it only for Facebook, Twitter, email and watching porn.

  2. dragonmouth
    January 13, 2015 at 9:21 pm

    " In fact, you should do the opposite and head for the more secure competitors"
    Easier said than done. With corporate arrogance being what it is and the extreme, almost criminal, reluctance of companies to notify their customers of any pertinent security breaches, what is perceived at the moment to be a "secure competitor", in reality may not be one. It may have already been compromised but the company is keeping it quiet for its selfish reasons. Unfortunately we will not find out about the security breach until it is way past too late.

    My solution is to shop brick & mortar, use cash and to hell with convenience. Let's not forget that while online shopping makes it more convenient for the customers to obtain merchandise, it also makes it more convenient for the crooks to steal our data. As evidenced by all the security breaches at various merchandisers, the price of convenience is security and that is a price I refuse to pay. Until online shopping came along, identity theft was relatively rare and relatively difficult to achieve. Online shopping and online transactions have made identity theft rather commonplace.

    "Amazon is proving how to...... keep their data safe (so far)."
    And as far as we know. Their security could have been breached some time ago and Amazon just hasn't seen fit to reveal that minor detail.

    The one common fact in all the security breaches is that none were revealed immediately after their occurrence. Usually it took months, sometimes many, and a whistleblower before the public (customers) was made aware.
