
CVS Shuts Down Site After Security Leak

Written by Evan Schuman
June 25th, 2005

A major pharmacy chain’s program designed to let customers view a history of their purchases in e-mail had weak enough security to make it vulnerable to identity thieves, forcing the chain to temporarily shut down its Web site while it reconsidered security.

The chain was CVS Corp., which has more than 5,400 stores in the United States.

The program, called ExtraCare, was created to allow consumers to qualify CVS nonprescription products for government- and insurance company-sanctioned flexible spending account programs.

Those programs allow consumers to set aside a portion of their salaries, using pre-tax dollars, for medical costs, but they must spend all of the dollars.

Customers were issued an ExtraCare card with a number on it. To access a history of their purchases, they’d access the Web site and have to provide three pieces of information: the 11-digit card number, their ZIP code and the first three letters of their last name. The list would then be e-mailed to the e-mail address provided, which did not have to be the e-mail address on file.
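The lookup flow described above, sketched as an added example (not CVS's code and not part of the original article): the reported behaviour next to one hardened variant. The account record, the function names, the on-file-only delivery and the per-card failure cap are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    card_number: str    # 11-digit card number
    zip_code: str
    last_name: str
    email_on_file: str


# Constructed sample record, not real customer data.
ACCOUNTS = {
    "12345678901": Account("12345678901", "12345", "Example", "owner@example.com"),
}


def _identifiers_match(acct, zip_code, name_prefix):
    # The three-factor check from the article: ZIP code plus the
    # first three letters of the last name, for a known card number.
    return (acct.zip_code == zip_code
            and acct.last_name[:3].lower() == name_prefix.lower())


def lookup_as_described(card, zip_code, name_prefix, deliver_to):
    """Reported flow: history goes to whatever address the requester supplies."""
    acct = ACCOUNTS.get(card)
    if acct and _identifiers_match(acct, zip_code, name_prefix):
        return deliver_to
    return None


@dataclass
class HardenedLookup:
    """Assumed variant: deliver only to the address on file, cap failed tries."""
    max_failures: int = 3
    failures: dict = field(default_factory=dict)

    def request(self, card, zip_code, name_prefix, deliver_to=None):
        if self.failures.get(card, 0) >= self.max_failures:
            return None  # card locked; needs out-of-band reset by the owner
        acct = ACCOUNTS.get(card)
        if acct and _identifiers_match(acct, zip_code, name_prefix):
            self.failures.pop(card, None)
            return acct.email_on_file  # requester-supplied address is ignored
        self.failures[card] = self.failures.get(card, 0) + 1
        return None
```

Both functions return the address the purchase history would be mailed to, which makes the difference in disclosure visible without sending any mail.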

A privacy advocacy group called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) tested the system and found it easy to fool.

The group even grabbed the recent purchases of a news reporter and had them e-mailed to the group’s domain to prove to the reporter how weak the security was, said CASPIAN director Katherine Albrecht.

The flexible spending account products “fall into the most private categories, including family planning and medical testing,” Albrecht said.

The three identifiers CVS chose were far too easy to find or guess, she said. The card number is imprinted both on the card, where it can be easily seen by someone else in line, and on every receipt, she said.

A statement from CVS, headquartered in Woonsocket, R.I., said the full card number is not printed on the receipt, but it was unclear whether enough of the number is used to give someone access. CVS did not reply to repeated e-mails and voice-mail messages sent by Ziff Davis Internet over several days seeking clarification.

Albrecht said such cards are often carried where others can see them. “Millions of people have them hanging off their keychains,” she said.

“If I were a private eye or snoopy ex-spouse or a jealous boyfriend,” the card number would be easy to identify, and those people would already know the ZIP code and the person’s last name, Albrecht said.

Even if they didn’t know the ZIP code, it would be easy to try the neighboring ZIP codes surrounding that store, she said. CVS clerks often call customers by their last names, so that is also not a difficult-to-find piece of information for the intrepid snooper.

“CVS didn’t have adequate security protections in place,” Albrecht said. “CVS is not taking this information seriously.”

After CASPIAN’s efforts received media coverage, CVS took down its ExtraCare Web site and said in a statement that it is “in the process of creating additional security hurdles for accessing this purchase information.”

The statement stressed that prescription information was not disclosed, but it didn’t indicate why the company thought that revealing a prescription antibiotic would be more damaging to a customer than revealing a contraceptive or pregnancy-test purchase.

“The CVS ExtraCare Web site was developed to give customers easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items. The information contained on the Web site does not include prescription purchases,” the statement said. “The information does not include Social Security numbers, credit card numbers or any other information that could lead to identity theft.”

The statement also discussed the initial security procedures and limits. “In order to utilize this Web-based information, customers need to input their last name, their ZIP code and their 11-digit ExtraCare card number. Customer names or addresses are not printed on ExtraCare cards. Full ExtraCare card numbers are not printed on receipts,” the statement said.

“The security procedures implemented to protect information which is accessed for FSA-related customer needs have been carefully designed and we believe are effective. We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed.”

The statement then alluded to Albrecht’s interviews. “A recent press report has highlighted a means to gain unintended access to customer purchase information. In light of our absolute commitment to customer privacy, we are in the process of creating additional security hurdles for accessing this purchase information,” the statement said.

“Until those measures are in place, FSA-related information will not be available on our Web site.”

An Associated Press report quoted a CVS spokesperson as saying that until Web access is returned, access to that purchase information will be limited to telephone customer service.

But when Ziff Davis Internet News called CVS customer service, they told a different story. Customer service referred the matter to the ExtraCare department.

A representative in ExtraCare said they are not permitted to provide the information even on the phone until new security procedures are put in place.

CVS spokesperson Michael DeAngelis said in an e-mail, received after customer service said the information was not available on the phone, “Yes, customers can still call our customer-service number and request their info for the purpose of filing FSA claims.” A reply e-mail asking him to reconcile that comment with the customer service statement went unanswered.

That ExtraCare representative said no new identification requirements will be imposed on customers. Given that the alleged security hole consisted of inadequately stringent authentication procedures, it was unclear how security could be tightened without seeking additional, or stronger, identification methods. CVS also did not respond to requests to clarify that issue.

