Identity theft & payment fraud? That's ASDA price.
Back in March 2014, I contacted ASDA to report several security vulnerabilities and despite a fix promised "in the next few weeks", little appears to have changed.
@Stuho1mez All of our sites are secure, I would advise using Chrome. Thanks, Beth
— Asda Service Team (@AsdaServiceTeam) January 14, 2016
After 677 days and several tweets in a similar vein, my patience has finally run out.
What's the problem?
Two of the simplest and most prevalent exploits allow an attacker to quickly & effectively collect personal information & full payment details.
Rather than outline the finer points of CSRF (Cross Site Request Forgery) & XSS (Cross Site Scripting) for the umpteenth time, it's probably easier to show you.
Have I been affected?
As of Q2 2014, ASDA processed upwards of 200,000 online orders each week. Given the length of time this has been exploitable, that equates to over 19 million transactions.
I'm not aware of any evidence suggesting these exploits are being used in the wild, but just a few months after my initial report, this tweet appeared.
@asda someone hacked my acc to make fraud on line purchases the bank caught it thank god but warn ur customers and i need a number to ring
— cathy creighton (@Ruby6918) June 10, 2014
Unfortunately, it's difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it's reasonable to assume a link between the two. However, ASDA may be able to shed further light on anyone affected by this, or any other exploit.
How can I protect myself?
The safest way is simply to shop elsewhere.
ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with ASDA, open a "private" / "incognito" window and do not open any other tabs/windows until you've logged out.
Other issues...
Well, they don't enforce SSL/TLS during login and the entire session is maintained over an insecure protocol.
Another user spotted this too... and tweeted ASDA.
Hey @ASDA why do you serve your login form over plain (unencrypted) HTTP? pic.twitter.com/1LsuP8YuLF
— Chris (@cmrowles) February 9, 2015
Did they acknowledge the issue & deploy a fix? Not quite.
@cmrowles Morning! We've had it confirmed that the page is secure 😊 Thanks, Beth
— Asda Service Team (@AsdaServiceTeam) February 10, 2015
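The weakness above (a login form served over plain HTTP, with the session then carried over an insecure connection) is the kind of thing a defender can check mechanically from a single captured response. The following is an added example, not code from the original post or from ASDA: it audits a captured login page for HTTP delivery, a form that posts credentials over HTTP, a missing Strict-Transport-Security header, and session cookies without the Secure or HttpOnly flags (the latter mattering for the XSS issue mentioned earlier). The URL, headers and HTML are constructed sample data.

```python
import re

# Constructed sample capture (not ASDA's real response): a login page fetched
# over plain HTTP whose form posts back over HTTP and whose session cookie
# lacks the Secure flag, so a browser would send it over HTTP too.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=gb; Path=/; Secure"),
]
SAMPLE_BODY = ('<html><form method="post" action="http://shop.example/dologin">'
               '...</form></html>')

# Extract the action attribute of each <form> in the page.
FORM_ACTION = re.compile(r'<form[^>]*\baction=["\']?([^"\'\s>]+)', re.I)


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_response(url, headers, body):
    """Return a list of transport findings for a captured login page.

    headers is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    findings = []
    if url.lower().startswith("http://"):
        findings.append("login page served over plain HTTP")
    names = {k.lower() for k, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    for action in FORM_ACTION.findall(body):
        if action.lower().startswith("http://"):
            findings.append(f"form posts credentials over HTTP: {action}")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure (sent over HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (readable by XSS)")
    return findings
```

A clean result is an empty list; anything else is a finding worth raising with the site operator.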
--
When Sarah tried to apply for a job, she was greeted with this error.
@asda get a new security certificate for your jobs site, risk of having personal data stolen. #asda #websecurity pic.twitter.com/mVpueZs5Qy
— Sarah Rose (@NyowcatS) May 26, 2015
Did they spot their mistake, generate and deploy a new certificate?
@NyowcatS Hi Sarah, I can confirm that all our Asda web pages are secure, Thanks Steph
— Asda Service Team (@AsdaServiceTeam) May 26, 2015
No. They go on to recommend Sarah delete her cookies!
Scott tried to apply for a job too.
@asda I'm trying to apply for a job on your site. But anytime I try to access the application part. It tells me the website's in danger
— scott paterson (@whosinthebox94) June 15, 2015
Surely now they'll fix it, right?
@whosinthebox94 Hi Scott, I can confirm to you that the http://t.co/I7R0i6VbzC website is a fully secure site, Thanks Steph
— Asda Service Team (@AsdaServiceTeam) June 15, 2015
Nope. Now, it's fully secure.
Summary
Despite a speedy response to my first email and a privacy policy which suggests otherwise, ASDA do not appear to be overly concerned about the security of their customers.
I invited ASDA to comment on the situation, requesting more detailed information on who customers should contact if they believe they're affected by any security flaws. I received an "out of office" from their "data protection" email address and haven't heard anything since.