Pick 'n Pay acts swiftly to close security holes

By Alastair Otter, Journalist, Tectonic
Johannesburg, 04 Sept 2001

Pick 'n Pay reacted quickly yesterday to close potential security holes on its Home Shopping Web site.

The action taken by the retailer followed a report last week by the Secure E-Commerce Site Initiative (SECSI) that listed a number of potential security holes on the site. Problems listed in the report included unencrypted login procedures and an unencrypted registration link, raising the risk of users having their usernames and passwords lifted.

However, not all login and registration procedures were affected; only a couple of links on the site were involved. The entire checkout process, including the payment details, would not have been impacted, as this procedure has been secure since the site was launched.
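The class of problem the report describes, a login or registration form that is served or submitted without encryption, can be checked for mechanically. The following added example is not from the article or from Pick 'n Pay; it scans a page's HTML for forms with a password field and flags any whose page or submit URL is plain http (the host names and form paths are constructed for the example).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LoginFormFinder(HTMLParser):
    """Collect every <form>, noting whether it contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password]
        self._current = None   # index into self.forms while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_unencrypted_logins(page_url, html):
    """Return the submit URLs of password forms that would expose credentials.

    A form is flagged when either the page carrying it or the URL it posts to
    is not https: a plaintext page can be altered in transit even if the
    action is https, and a plaintext action sends the password in the clear.
    """
    parser = _LoginFormFinder()
    parser.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    flagged = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # resolve relative actions
        if page_plain or urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged

# Constructed sample: one login form posting to plain http, one relative
# checkout form that inherits the scheme of the page it is served from.
SAMPLE_HTML = """
<form action="http://shop.example.test/login.asp" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/checkout" method="post">
  <input name="card"><input type="password" name="cvv"></form>
"""
```

Run it against the same HTML served from an https page and from an http page to see how the page scheme alone changes the result.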

Adrian Naude, GM for Pick 'n Pay Home Shopping, says the unencrypted registration link was fixed as soon as it came to his attention on Friday night. Although SECSI, a body closely affiliated with the hacker site 2600.co.za, prepared the report on 29 August, it did not publish the findings on its Web site until 31 August.

Spokesman for the group, 'lowvoltage', says the report had been forwarded to Pick 'n Pay on 29 August, but when no response was received two days later, a decision was taken to make the information publicly available.

Naude says he was unaware of the report until it was published on the 2600.co.za Web site on Friday and was unaware of SECSI prior to the publication of the report. Late last night, however, Pick 'n Pay reacted to the report by securing the site's entire login process.

According to Naude, the registration and payment submission portions of the site are secure, as is the entire login procedure. "There has been an upside to all of this. It forced our technical guys to re-think whether we can secure the login page without securing the actual products browsing page, and they have found a way. As of now, our login page is totally secure."

Naude also reacted to comments in the report that credit card details stored by Pick 'n Pay could be compromised. He explains that credit card numbers and details are never stored by Pick 'n Pay and could therefore not be compromised. Naude adds that client shopping histories are based on usernames rather than on credit card details.

A more contentious issue is the use of 40-bit encryption by the Pick 'n Pay site. The SECSI report highlighted this as an area of concern, saying that 40-bit encryption has been broken before and provides only a low-level security measure. Naude says he is confident the 40-bit encryption is more than adequate for the site. He notes that while 40-bit encryption could be 'cracked', it would take far too much computer power and time to justify the information that could be obtained, because payment details are not stored in the buyer's profile.

Naude comments that the site was independently tested by a security-testing company before its release and he remains confident that the site is secure.

Eddie van Rensburg, GM of M-Web Business Solutions, agrees. He says M-Web and Pick 'n Pay undertook internal and external testing of the site before its release. According to Van Rensburg, the site has never been hacked and he is confident that the 40-bit encryption is up to the task. "We pride ourselves on our checks and measures."

He adds that many e-commerce sites worldwide use less than 128-bit encryption and that the strength of encryption used depends on the application for which it is employed. The only businesses that really rely on 128-bit encryption are institutions such as banks, he notes.

Naude says Pick 'n Pay is currently upgrading its software to include 128-bit encryption. The limitation of 40-bit encryption was a factor of the software used rather than a choice on Pick 'n Pay's behalf, he explains. The upgrade to 128-bit encryption will be completed in the next four to six weeks. "We believe our site is 100% safe."

The Pick 'n Pay site design is in line with other international e-commerce sites and the payment section of the site is absolutely safe, says Naude, adding that it would be pointless to encrypt the whole site as every instance in which private information or private details are submitted is completely secure.

Of the SECSI, he says: "Their modus operandi has more to do with creating publicity than anything else. However, in this case they forced a rethink from us, and we have just improved the site as a result. So all credit to them."
