B&Q Web site lets hackers do it themselves

The latest e-commerce blunder gives easy access to the personal details of retail giant B&Q customers, and makes it a breeze to order goods on their accounts

A major security flaw has been exposed on home improvement retail giant B&Q's Web site, www.diy.com, which allows a potential hacker relatively easy access to its customers' personal details.

The flaw, which was discovered by a ZDNet UK reader, makes it possible to log in to other B&Q customers' accounts with little or no technical knowledge. Once logged in, it is possible to view or change that customer's personal details -- including full name, delivery address, phone number and email address. If the customer has also entered their credit card details, it is possible to order goods on their account.

B&Q customer John Dunbar said he was horrified when told about the security flaw by ZDNet UK. "The thing is you assume that big companies like this have sorted it out, and that the security it's there," he said. "You don't for a minute think that other people can get access to your details. It's absolutely diabolical -- the thought that someone could order on thousands of pounds' worth of goods in my name."

James O'Brien from Reading, who is not a regular B&Q customer but had once filled in the registration form on the company's Web site, told ZDNet UK he was not impressed with the security breach: "It is a bit worrying that anyone can get your address and telephone number, but I don't see it as a major threat -- unless they had my credit card details." However, O'Brien admits it could have been different: "I would have used my credit card if I had bought something from them, but I can't even remember what I used the account for now," he said.

According to the security notice on B&Q's Web site, every online transaction is checked by the company's "fraud control systems" and "in the unlikely event of fraudulent or unauthorised use" the company promises to refund any money received by B&Q, but it stipulates that the customer must first notify their credit card company and B&Q directly (0870 0101 006) or through the company's Web site.

Security expert Neil Barrett, a visiting professor at Cranfield University, said B&Q had made a very basic error on its site. "I've come across mistakes very similar though not the same. It's very easy to make those sorts of errors. And very simple to fix."

Paul Worthington, chief technology officer of B&Q's parent company Kingfisher, said the issue was being resolved. "Making sure that all our customers' details are secure is paramount, and we do all we can to ensure they are protected," said Worthington.