After a group started publicizing the security hole from a CRM program, CVS shut down everything. But corporate and customer service sing different tunes.
A major pharmacy chains program designed to let customers view a history of their purchases in e-mail had weak enough security to make it vulnerable to identity thieves, forcing the chain to temporarily shut down its Web site while it reconsidered security.
The chain was CVS Corp., which has more than 5,400 stores in the United States.
The program, called ExtraCare, was created to allow consumers to qualify CVS nonprescription products for government- and insurance company-sanctioned flexible spending account programs.
Those programs allow for consumers to set aside a portion of their salariesusing pre-tax dollarsfor medical costs, but they must spend all of the dollars.
Customers were issued an ExtraCare card with a number on it. To access a history of their purchases, theyd access the Web site and have to provide three pieces of information: the 11-digit card number, their ZIP code and the first three letters of their last name. The list would then be e-mailed to the e-mail address provided, which did not have to be the e-mail address on file.
How safe from prying eyes are the new contactless payment systems? To find out, click here.
A privacy advocacy group called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
tested the system and found it easy to fool.
The group even grabbed the recent purchases of a news reporter and had them e-mailed to the groups domain to prove to the reporter how weak the security was, said CASPIAN director Katherine Albrecht.
The flexible spending account products "fall into the most private categories, including family planning and medical testing," Albrecht said.
The three identifiers CVS chose were far too easy to find or guess, she said. The card number is both imprinted on the cardwhere it can be easily seen by someone else in lineand on every receipt, she said.
A statement from CVS, headquartered in Woonsocket, R.I., said the full card number is not printed on the receipt, but it was unclear whether enough of the number is used to give someone access. CVS did not reply to repeated e-mails and voice-mails messages sent by Ziff Davis Internet over several days seeking clarification.
Albrecht said such cards are often carried where others can see them. "Millions of people have them hanging off their keychains," she said.
Read the full story on CIOInsight.com: CVS Shuts Down Site After Security Leak