March 10, 2005

MemoryToGo credit card vulnerability

click for full size It’s 2005 and there’s still online merchants that just don’t get it? Beware of MemorytoGo.com. Their totally insecure site publishes complete credit card numbers (with billing addresses and expiration date) on non-encrypted webpages— easily viewable by not only you but by the crafty l33t people that steal credit card numbers (click the thumbnail to the left).

To add the the scariness — I placed an order with them for a 1 Gig memory upgrade for the surprising free Mac Mini I received. After not receiving the memory Next Day, I check my order status and was SHOCKED to see my full credit card available to the world to intercept. I immediately contacted them— and the first thing they said was that Next Day orders hadn’t been processed because their online store had crashed (maybe they said “went down”?) yesterday, and they’re just getting to processing orders now. Wait a minute— what do you mean went down? I hope that doesn’t mean that their obvious disregard for end user security lead them to be hacked as well.

I forcefully requested that my credit card be removed from their site ASAP, and was told “we can’t do that, the [clear text] credit card number is needed for the accounting people.” Wha? After arguing with me that this wasn’t a threat- and repeatedly telling me I wasn’t listening to them… they reluctantly assured me my credit card would be taken down in a couple of hours— after they reached their web developer. You have to be kidding? And is just mine coming down or are they securing the whole site?

I’ve alerted American Express Merchant Services, but feel like I got the blow off from them. I hope something gets done. If you’ve shopped with MemorytoGo.com— beware, your credit card numbers and personal information are exposed to the world.

Update: A day later and this site is still publishing American Express card member’s identities, card numbers and expiration dates in clear text— just waiting for a Man-in-the-middle attack. The lack of action by American Express is shocking. Membership doesn’t have the security privilege.

Update 2: Three days later and Memorytogo.com has just deleted my order… Aside from placing a new order, I can no longer confirm that everyone’s credit card numbers are exposed on unsecured pages— though it appears they still aren’t using SSL, so my guess is that credit card information is still being published in clear text over the internet. It’s also 2 days after I wrote and called AMEX. No response from them. We should setup a test: Someone place an order, and everyone else try to snag the card number and expiration date. Just kidding.

UPDATE 3/18: Memorytogo has now begun encrypting with SSL the account/order status pages. Their CEO left a message to let me know that their web developer says “it’s always been that way.” Clearly from the screen shot above— it hasn’t. Either way, their site is now partially secure— the account login page is not encrypted, so your account username and password are passed over the net in clear text and can still be intercepted. This could give packet sniffers access to your encrypted account pages. I can’t confirm- but hopefully they’re keeping credit card numbers offline now.

For the record: aside from this partially corrected problem— I didn’t mention that they did fulfill my order, and I happy with that aspect of their service.


12 Comments

If I'm not mistaken, that's illegal now, I think as a part of "Check 21". All merchants have to obscure full credit card numbers on receipts, etc. If it's not illegal now, it's a phased-in compliance. (The "financial services" job is paying off in still more trivia to waste some genius.) Sounds shady, brother.

Well over 5 hours since I requested they remove my full credit card number, expiration date, name and billing address from their non-encrypted, not secure website.

No go. It's still up. I'm not sure what to do... Amex doesn't seem to care. The vendor isn't doing anything to protect my card, my account or my identity.

I was raped with identity theft, hey at least you can know your source, when Jon Hudson aka as someone who may be 350 pounds in work boots, goes to town, all over a town you can tell the police, detectives how they got your information.

Keep calling Amex. Cancel that card.

The kicker is-- it's not just me. This merchant is publishing the credit card number to all their orders... regardless of card type.

If your credit card issuer doesn't come to defend you then it's time for change! Send your card back and specify to have them record you are cancelling their card as your (the customer's) request. Then fire off a letter to customer service to tell them why you're cancelling. After reading how the American Express customer wasn't getting good service I am cancelling my card today!

It's now been a full 24 hours since I contacted the merchant about the security risk-- and a full 24 hours since I've contacted American Express. That merchant is still publishing everyone's credit card numbers on unsecure pages.

I'm going to send a letter to Amex and see if I get a response.

Send the letter to someone high up in the company, and do it via certified mail, so you know when they got it. They can't just claim they didn't get the letter at this point, so you are far more likely to get a response.

Is your complaint just that they're not using HTTPS, or can you actually see orders besides your own?

They should be using HTTPS on that page, to be sure, but assuming that you can only see your own orders, saying it's "available to the world to intercept" would require that the whole world be between your browser and their site, which doesn't seem that likely. For one thing, latency would be hell...

One example (with zero latenecy)-- go download something like ettercap:

http://ettercap.sourceforge.net/

and you can watch any packet on your network pass by. By not using SSL and not obscurring the credit card number, anyone can capture the credit card numbers being displayed on the memorytogo.com site.

Contact the Secret Service. They are responsible for investigating possible financial crimes. Memory To Go may be more responsive to a call from a Federal Special Agent.

for those of you that keep emailing me to tell me the status bar has the full url-- it's doesn't and hasn't from the first post.

Aside from obscuring my credit card number, I clipped the last 10 digits from the URL in the status bar. If you look closely at the end of the URL (--CC1) the brushed metal background doesn't line up.

FYI I saw this comment posted on: tuaw.org (http://apple.weblogsinc.com/entry/1234000510035685/ )

"Weirdly I had a similar problem with them. I felt their site was insecure about 6 months ago (another issue) and I placed the order by phone, and told them my concerns. They said "don't wory about it, I JUST USED THE WEB SITE TO PLACE YOUR ORDER. They use the website even for PHONE ORDERS. Please keep this in mind."