B&Q Web site lets hackers do it themselves

Summary: The latest e-commerce blunder gives easy access to the personal details of retail giant B&Q customers, and makes it a breeze to order goods on their accounts

A major security flaw has been exposed on home improvement retail giant B&Q's Web site, www.diy.com, which allows a potential hacker relatively easy access to its customers' personal details.

The flaw, which was discovered by a ZDNet UK reader, makes it possible to log in under the accounts of other B&Q customers with little or no technical knowledge. Once logged in, it is possible to view or change the personal details of that customer -- including full name, delivery address, phone number and email address. If the customer has entered their credit card details, it is also possible to order goods on their account.

B&Q customer John Dunbar said he was horrified when told about the security flaw by ZDNet UK. "The thing is you assume that big companies like this have sorted it out, and that the security is there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical -- the thought that someone could order thousands of pounds' worth of goods in my name."

James O'Brien from Reading, who is not a regular B&Q customer but had once filled in the registration form on the company's Web site, told ZDNet UK he was not impressed with the security breach: "It is a bit worrying that anyone can get your address and telephone number, but I don't see it as a major threat -- unless they had my credit card details." However, O'Brien admits it could have been different: "I would have used my credit card if I had bought something from them, but I can't even remember what I used the account for now," he said.

According to the security notice on B&Q's Web site, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q, but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's Web site.

Security expert Neil Barrett, a visiting professor at Cranfield University, said B&Q had made a very basic error on its site. "I've come across mistakes very similar though not the same. It's very easy to make those sorts of errors. And very simple to fix."

Paul Worthington, chief technology officer of B&Q's parent company Kingfisher, said the issue was being resolved. "Making sure that all our customers' details are secure is paramount, and we do all we can to ensure they are protected," said Worthington.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

  • Until recently I worked (not in IT) at B&Q. Their systems seemed robust enough from the inside against non-experts, but there were certain tell-tale signs... e.g. the way any customer assistant could log in to competitors' websites and open accounts...
    anonymous