Do retailers store payment and personal details securely?
While the payment procedure of a website may meet industry standards,
how secure is the data it stores about you? As you may have noticed,
purchasing a product on most sites requires a registration. After
the registration and sales process is complete, most sites will keep
your registration details permanently. Some, like Amazon, will also
continue to store your payment details, such as your credit and
debit card numbers.
Therefore, it is a fair question to ask exactly how secure a
retailer's database of personal details is. While retailers are
bound by law to secure personal details, that does not mean the
details are actually secure. A test was conducted in 2008 by http://www.securetest.com/
to evaluate this exact issue. The company ethically tested, or 'hacked'
(without contravening the Computer Misuse Act (CMA)), one hundred
websites of online retailers in the UK.
The results of the test showed that sixty percent of sites had
a fundamental flaw in their password reminder procedure. Nearly
all the sites surveyed use a customer's email address as the
username. That means a hacker could abuse the 'password reminder'
procedure: sixty percent of sites indicated whether an email
address belonged to a customer when it was entered into the password
reminder system. Confirming which addresses are registered gives a
hacker a starting point for an attack.
Retailers will often send password details to a user's email account.
The problem is that the email containing the password can travel
across unsecured networks, and can therefore be intercepted. Even
an email with a link inside it for setting a new password can be just
as risky, as the hacker can simply use the link.
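The two weaknesses above (a reminder form that confirms which addresses are registered, and a mailed password or reset link that works for whoever holds it) can both be addressed in the reminder handler. The following is an added example, not code from the page or from any retailer; the customer table, messages and 15-minute lifetime are constructed assumptions. It contrasts the surveyed behaviour with a hardened handler that answers identically for known and unknown addresses and, instead of mailing a password, issues a single-use, short-lived token of which only the hash is stored.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample customer table: the email address doubles as the
# username, as the survey found on nearly every site. No password is
# stored here; each record only holds the hash of a pending reset token.
CUSTOMERS = {
    "alice@example.com": {"reset_hash": None, "reset_expires": 0.0},
    "bob@example.com": {"reset_hash": None, "reset_expires": 0.0},
}

def reminder_leaky(email):
    """Behaviour the 2008 survey flagged: the reply reveals whether
    the address belongs to a customer, so accounts can be enumerated."""
    if email in CUSTOMERS:
        return "A reminder has been sent to your registered address."
    return "No account exists for that email address."

def reminder_hardened(email):
    """Same wording whether or not the address is known. A token is
    issued (and would be mailed) only for registered addresses; the
    caller cannot tell the two cases apart from the response text."""
    token = issue_reset_token(email) if email in CUSTOMERS else None
    return "If that address is registered, a reset link has been sent.", token

def issue_reset_token(email, ttl_seconds=900):
    """Create a random single-use token valid for ttl_seconds (assumed
    15 minutes). Only its SHA-256 hash is stored, so a database leak
    does not hand out usable reset links."""
    token = secrets.token_urlsafe(32)
    CUSTOMERS[email]["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
    CUSTOMERS[email]["reset_expires"] = time.time() + ttl_seconds
    return token

def redeem_reset_token(email, token):
    """Accept the token once, within its lifetime, then invalidate it so
    a link that was intercepted and replayed later no longer works."""
    rec = CUSTOMERS.get(email)
    if rec is None or rec["reset_hash"] is None or time.time() > rec["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    ok = hmac.compare_digest(rec["reset_hash"], presented)  # constant-time compare
    if ok:
        rec["reset_hash"], rec["reset_expires"] = None, 0.0  # single use
    return ok
```

The short lifetime and single use do not stop interception of the email itself; they narrow the window in which an intercepted link is worth anything, which is the most a reset-by-email flow can offer without the second factor the next paragraph describes.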
Many security experts believe that relying solely on a username
and a password is a mistake, especially when it comes to ecommerce.
They suggest following the approach of online banks, which usually
provide customers with an added layer of security, such as a PIN,
a smart card, or a unique code generator. In conclusion, it
would appear, as of 2008, that there are flaws in the storing and
accessing of users' details.