Tuesday, February 09, 2010

Security flaw exposed on Home Shopping Network

When a user encountered a possible security flaw exposing customers of a large television shopping network to credit card fraud, ABC's 7 On Your Side contacted Doug Tygar, a computer security expert at UC Berkeley, who suggested that they find out for themselves whether her fears were founded.

The customer tried the 'Shop by Remote' feature on Home Shopping Network but directed her order to be shipped to her sister's address and found she could do so without her sister even knowing about it. This result was brought back to Tygar.
"I didn't believe it," he said. "I was shocked that you could do that, that such an obvious and large hole would be left open."
Tygar says requiring passwords is an industry standard. It is true that HSN requires both a user name and password when customers shop online. However, neither is required with HSN's "Shop by Remote" feature.
"I would imagine they would be able to deploy a password mechanism in a matter of days. It shouldn't take that much effort," Tygar said.

See full article at 7 On Your Side.