By now, the news of Moonpig.com’s (quite frankly, inexcusable) data breach has hit the national news, with the following response hastily issued by Moonpig as the furore surrounding the insecurity of their API increased:
You may have seen reports this morning about our Apps and the security of customer details when shopping with Moonpig. We can assure our customers that all password and payment information is and has always been safe. The security of your shopping experience at Moonpig is extremely important to us and we are investigating the detail behind today’s report as a priority.
Done and dusted, then? Not quite. What Moonpig neglects to mention is the ramifications of letting that data leak in the first place, and why that same data renders their claim that “all [customer] password and payment information is and has always been safe” null and void.
As the initial disclosure document states, it’s trivial to increment through customer IDs to get the two things I care about most in this security issue: billing data, and the last four numbers of your credit/debit card. But what can you actually do with that data? Well, just ask Mat Honan.
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. - Wired, August 2012
That’s right. All that Mat’s hackers needed to take control of his entire digital life (and wipe his MacBook, iPad, and iPhone along the way) was his billing address and the last four digits of a credit card number. That’s the exact same data that Moonpig have known they’re leaking to anyone who goes looking for it: for the past 17 months.
The security holes exposed by Mat’s hackers still remain in companies across the globe today: their effectiveness lies in the fact that social engineering is hard to combat. By nature, humans are helpful, and whilst Apple have no doubt improved their policies since Mat’s case was brought to light, they weren’t the first company to accept four digits and an address to restore access to an account: and they won’t be the last.
Now, the use of this method of identity verification by companies is frowned upon, and it is not Moonpig’s fault. However, the fact that malicious actors could even access a reliable source for that data in the first place falls squarely on their shoulders: especially given the length of time (17 months!) since the breach was initially disclosed.
Whilst it’s true that Moonpig haven’t directly leaked any customer credit card details or passwords, they’ve made it possible for those details to be obtained relatively easily. It’s a useful reminder that the security of your customers doesn’t just end when they leave your jurisdiction: your inaction can have devastating consequences.
Moonpig, by leaving customer data so woefully unprotected, your claim that “all [customer] password and payment information is and has always been safe” simply isn’t true: it’s trivial, given the data available, to commit identity fraud and get access to those customer passwords and credit card details you so vehemently say are secure.
When asked for a comment on a subject outline of this article, a representative on behalf of PhotoBox Group (the company that has owned Moonpig since 2011) said the following:
The company is investigating as our statement said. At the moment the statement we have is the extent of our comment.