Argos changes 150 easily guessed drop-off system passwords

UK catalogue store chain Argos has changed shop passwords for its drop-off store facility after a Reg reader inadvertently discovered staff relied on weak in-store access credentials to service orders. The reader – who asked not to be named – came across the issue when she went to send two eBay parcels via the Argos drop-off …

  1. m0rt

    Educate staff?

    It sounds like this is a shared password, linked to the location not to individual users. This means this is automatically a fail. I can imagine how this went at design phase:

    "We can just use a standard access credential for now. Staff won't remember their passwords and we will be constantly be asked to reset passwords..."

    Individual user passwords. Or a physical access key of some description. There is no other sensible way. Being asked to remember several passwords for your job - this isn't rocket science and is a prerequisite for this 'Brave New World' we inhabit.

    More inconvenient? Hell yes. But the other option is open to easy abuse. Kudos to your other reader for bringing this to Argos's attention...oh and The Reg for being courteous enough to not publish this until Argos changed their passwords...

    1. John Brown (no body) Silver badge

      Most likely it's a legacy process from when it was an internal only system but now it's operated from a publicly accessible web page. Still unforgivable of course, but easily overlooked.

  2. Kevin Fairhurst

    So how long until...

    someone figures out they've just changed it all to ArgosStore123 & starts redirecting packages rather than advising people of the issue?

    1. mhoulden

      Re: So how long until...

      In a couple of months they'll probably hold a security review and change it to ArgosStore124.

      1. CustardGannet

        Re: So how long until...

        Let me guess... '4rg0sStor3' [+Site Code]

  3. Pascal Monett Silver badge
    Trollface

    Wait a minute

    A customer found a weakness in employee password use and protection, signaled it and was not immediately blamed and brought shrieking into a ridiculous lawsuit ?

    What is the world coming to ?

    1. Alister

      Re: Wait a minute

      A customer found a weakness in employee password use and protection, signaled it and was not immediately blamed and brought shrieking into a ridiculous lawsuit ?

      It's because it didn't happen in the US.

      If it had, a full SWAT team would have been on-scene in seconds, and the customer would have been arrested, or possibly shot.

      1. Anonymous Custard Silver badge
        Joke

        Re: Wait a minute

        It's Argos - the SWAT team would have been out of stock in the local store and when sent from the next nearest would have arrived with their guns missing or broken...

        1. Hollerithevo

          Re: Wait a minute

          Actually, I have found Argos to be great. Stuff always in stock, nice service, superb returns policy. I do not work for them, but I find myself increasingly using them because I can order something and pick it up on my way home and it's a good price.

        2. teebie

          Re: Wait a minute

          Argos did send a SWAT team, but Yodel delivered it to a similar-sounding address 2 streets away from where it was supposed to go.

          1. Nick Ryan Silver badge

            Re: Wait a minute

            Argos did send a SWAT team, but Yodel delivered it to a similar-sounding address 2 streets away from where it was supposed to go.

            These packages are often "signed for" by somebody who most definitely did not look like a friend of the driver but was happy to accept the parcel that was not for them and is now untraceable. And the addresses don't even have to be similar-sounding, as from experience the average Yodel delivery minion is not required to be able to read, so they don't have to have this restriction.

      2. Nano nano

        Re: Wait a minute

        Happens in the UK too - http://www.theregister.co.uk/2009/01/30/cuthbert_mckinnon/

      3. NotArghGeeCee

        Optional

        It's because it didn't happen in the US.

        If it had, a full SWAT team would have been on-scene in seconds, and the customer would have been shot, or possibly arrested.

        There FTFY

    2. I am the liquor

      Re: Wait a minute

      I'm guessing that's why the tipster told El Reg and let them tell Argos. So if Argos adopted a shoot-the-messenger approach, El Reg would be standing in front of her.

  4. VinceH

    Hmm.

    The nature of the passwords suggests a policy/management decision - so why do they need to add that "Training procedures have also been reaffirmed to all store staff"? Sounds to me like a bit of downward buck passing.

    1. Dabooka
      Stop

      How exactly?

      I don't understand how the nature of the passwords 'suggest a management decision'. I can't believe that any policy would be written with that level of detail for starters, and why would managers sit around a table and suggest what passwords to use?

      IT managers, sure I can believe that. I had several experiences in large organisations where the IT staff actively promote such 'systems' to aid the thicko end user, and have been involved in relatively high level discussion where the Heads of IT have been berated for such propositions as utilising shared passwords. The sooner this 'us and them' attitude is dropped between IT and end user the better. I've said it many many times that there is often fault on both sides.

      My guess is they were defaults setup with an express requirement to change them after install or something, and it hasn't been actioned.

      1. VinceH

        Re: How exactly?

        My thinking was the passwords are unlikely to have been chosen by users (i.e. the staff at the stores) if they relate clearly to the individual store, to the extent that they fit a very specific pattern - which is what was described.

        However, I didn't even think of the possibility that they might be defaults - so fair point.

  5. Dr Paul Taylor

    Argos data security

    They also have a policy that has been noted here for banks: phoning customers and asking for their address and other details, and insisting on this before proceeding with the business of the call.

    1. Sir Runcible Spoon

      Re: Argos data security

      If they ever try this - you can always compromise on the data exchange.

      E.g. they give you the first part of the address, you give the next; you give the first part of the postcode - they give the next, etc.

      If they don't show they have enough information already then they get to meet Mr Dial Tone.

      1. paulf
        Holmes

        Re: Argos data security

        @ Dr Paul Taylor

        "They also have a policy that has been noted here for banks: phoning customers and asking for their address and other details, and insisting on this before proceeding with the business of the call."

        Everyone does this, not just banks. That said, when the optician rang me a few weeks ago to say my new glasses were ready for collection they only checked it was me by name and didn't demand a plethora of personal information first. My flabber was well and truly gasted!

        @ Sir Runcible Spoon

        "If they ever try this - you can always compromise on the data exchange."

        Already tried and failed on many occasions.

        Me: "If you give me the first three characters of my postcode [the bit that relates to the town which is easiest to guess], I'll give you the last three [that relates to the street so harder to guess]."

        Call centre droid: "I'm sorry, Zur, I can't give out any information until you confirm your identity. It's data protection doncha know."

        The simple yet sad fact is that any company calling a customer asks all the same questions (what is your address, DoB, account number etc) that the fraudsters ask, and positively refuses to compromise while offering no means for the customer receiving the call to verify the identity of the caller. Then the industry stands around wringing its hands, wondering why people give out such personal information willingly to random callers who claim to be "From the bank".

        1. Anonymous Coward
          Anonymous Coward

          Re: Argos data security

          Anyone calling me has a return number. If they do not, they are a scam centre.

          If they do, I check it is registered to the correct company.

          Then I check the phone dialled out correctly, preferably using a different phone, to prevent them holding the line open silently.

          1. paulf
            Pirate

            Re: Argos data security

            @ TechnicalBen

            "Anyone calling me has a return number. If they do not, they are a scam centre."

            CLI is stupidly easy to spoof if you're in the confidence trickster business. CLI is a handy way to know if your Auntie Val called while you were out, but not something you can rely on to verify it really IS the bank calling you.

            Perfectly legitimate call centres often withhold their number so this is also no indication.

            The only way to be sure you're speaking to the company the caller claims is to call them back using either a known number, or a published number (e.g. website), and from a different line/mobile.

            1. davenewman

              Re: Argos data security

              Doesn't have to be a different line. Just unplug the phone for 5 minutes.

              1. John Brown (no body) Silver badge

                Re: Argos data security

                "Doesn't have to be a different line. Just unplug the phone for 5 minutes."

                Or dial the speaking clock or some other service and see who/what "picks up" to confirm the original call has really ended.

                1. Vic

                  Re: Argos data security

                  Or dial the speaking clock or some other service and see who/what "picks up" to confirm the original call has really ended.

                  That can be spoofed on an open line with some planning, a spare line, a copy of Asterisk, and a custom dial plan...

                  Vic.

        2. Sir Runcible Spoon

          Re: Argos data security

          @PaulF : "Call centre droid: "I'm sorry, Zur, I can't give out any information until you confirm your identity. It's data protection doncha know.""

          My response when that has happened is simply : "I'm sorry, you have failed to verify your identity as a representative of <company x>. Goodbye."

          If the call was about a credit card purchase they are making sure was valid, I usually make the effort to get the call escalated to a supervisor that can speak without having to follow the exact words on a piece of paper/screen. If *that* fails, I just tell them that *they* called *me* and that I had already identified myself sufficiently to engage in additional data exchange, and also that if they block my transaction I will be suing them for breach of contract.

          If all else fails, I change bank - but it never reached that point thankfully. I ended up getting HSBC CC services to adopt the data exchange process into their standard procedure, so if they don't agree to do it - escalate - because the droid isn't following his training.

  6. Lloyd

    Argos is a subsidiary of Home Retail Group

    Shouldn't that read "Argos is CURRENTLY a subsidiary of Home Retail Group" seeing as Sainsbury's got the green light to buy them last week?

  7. AustinTX

    Whole Foods Market

    By inflexible policy, their passwords are all in the form of the day of the week, month and day on which it was last reset in the form of FRI0729. Every account created or reset today gets that password. The associate might change it, but probably won't.

  8. Uplink

    Revokable, frequently refreshed credentials

    As I was reading the article I crossed it with something I've seen in Tesco: they can log into a till and print a barcode that they can then use to quickly log in and give help without entering any passwords.

    While I don't think the Tesco system is much more secure than passwords on post-it notes, it gave me an idea:

    What if, when the shift starts, or on demand later in the day, a public/private key pair is generated and the private key is printed as a QR that the employee can add to their badge? The key would have limited validity - say, until the employee checks out, and it would be easily revoked and reissued if lost or stolen.

    The floor staff wouldn't need much training beyond "Don't lose it. But if you do, go scan your employee badge on this machine in the back and get a new code." Getting a new QR would invalidate the last QR issued to this employee. While not exactly RSA token secure, it's convenient for the employees and it's better than post-it notes and Password123 as the national password, with the benefit of very frequent password changes.

    1. MarkP

      Re: Revokable, frequently refreshed credentials

      I love this idea. Only downside is you need some way to keep the QR generation machine secure. If the password on that is just "ArgosStore123" you haven't helped much...
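Uplink's per-shift key pair and MarkP's point that the issuing machine itself has to be gated, worked through as an added example. This is illustrative code written for this page; it is not from the thread, from Argos, from Tesco or from any real till system. Assumptions: Ed25519 keys from Go's standard library, a QR payload of the form "<credential id>.<base64 private seed>", a till that signs a fresh random nonce with the scanned seed and keeps nothing afterwards, an issuing machine that only issues for badge ids on a constructed list, and an in-memory table standing in for the store database. Only public keys are ever stored, so a copy of that table is not itself a set of login credentials.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// credential is what the store system keeps per issued code: the public half,
// who it was issued to, when it lapses and whether it was pulled early.
type credential struct {
	employee string
	pub      ed25519.PublicKey
	expires  time.Time
	revoked  bool
}

// Registry models the back-office issuing machine plus the table the tills
// consult. badges is the (constructed) list of employee badge ids the machine
// will issue for; a real deployment would check HR records instead.
type Registry struct {
	creds   map[string]*credential // credential id -> record
	current map[string]string      // employee -> id of their live credential
	badges  map[string]bool
}

func NewRegistry(badges ...string) *Registry {
	r := &Registry{creds: map[string]*credential{}, current: map[string]string{}, badges: map[string]bool{}}
	for _, b := range badges {
		r.badges[b] = true
	}
	return r
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to carry on from
	}
	return b
}

// Issue runs when a shift starts or when an employee re-scans their badge after
// losing a code. It revokes that employee's previous code, generates a fresh key
// pair and returns the text to print as a QR. The private seed is never stored.
func (r *Registry) Issue(badge string, now time.Time, validFor time.Duration) (string, error) {
	if !r.badges[badge] {
		return "", errors.New("unknown badge: issuing machine refuses")
	}
	if old, ok := r.current[badge]; ok {
		r.creds[old].revoked = true // a new QR invalidates the last one
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(randomBytes(8))
	r.creds[id] = &credential{employee: badge, pub: pub, expires: now.Add(validFor)}
	r.current[badge] = id
	return id + "." + base64.RawURLEncoding.EncodeToString(priv.Seed()), nil
}

// Revoke is the explicit clock-out path.
func (r *Registry) Revoke(badge string) {
	if id, ok := r.current[badge]; ok {
		r.creds[id].revoked = true
		delete(r.current, badge)
	}
}

// Challenge is the fresh nonce a till generates per login attempt, so a
// captured signature cannot be replayed later.
func Challenge() []byte { return randomBytes(16) }

// SignChallenge is the till's side: rebuild the private key from the scanned
// QR, sign the nonce, and retain nothing from the QR.
func SignChallenge(qrPayload string, nonce []byte) (id string, sig []byte, err error) {
	parts := strings.SplitN(qrPayload, ".", 2)
	if len(parts) != 2 {
		return "", nil, errors.New("malformed QR payload")
	}
	seed, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || len(seed) != ed25519.SeedSize {
		return "", nil, errors.New("malformed QR seed")
	}
	return parts[0], ed25519.Sign(ed25519.NewKeyFromSeed(seed), nonce), nil
}

// Verify is the registry's side: the stored public key must check the
// signature, and the code must be neither expired nor revoked.
func (r *Registry) Verify(id string, nonce, sig []byte, now time.Time) (string, error) {
	c, ok := r.creds[id]
	switch {
	case !ok:
		return "", errors.New("unknown credential")
	case c.revoked:
		return "", errors.New("credential revoked")
	case now.After(c.expires):
		return "", errors.New("credential expired")
	case !ed25519.Verify(c.pub, nonce, sig):
		return "", errors.New("bad signature")
	}
	return c.employee, nil
}

func main() {
	reg := NewRegistry("emp-0042")
	start := time.Now()
	qr, _ := reg.Issue("emp-0042", start, 8*time.Hour)
	nonce := Challenge()
	id, sig, _ := SignChallenge(qr, nonce)
	fmt.Println(reg.Verify(id, nonce, sig, start.Add(time.Hour)))
}
```

The properties the thread asks for fall out of the data model: expiry is a timestamp check, losing a code is handled by re-issuing (which flips the old record to revoked), and a nonce per login means a photographed QR is still a risk but a sniffed till exchange is not. What the code does not solve is exactly MarkP's concern: the `badges` check is the whole of the issuing machine's security here, so in practice that step needs its own authentication (a badge reader, a manager approval, or both), and the printed code is still a bearer secret for as long as it is valid.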

  9. eJ2095

    This sprang to mind

    https://www.youtube.com/watch?v=a6iW-8xPw3k

  10. Anonymous Coward
    Anonymous Coward

    Argos Staff

    Not the sharpest tools in the shed.

    A friend of mine used to manage a branch of Argos. He then went to work at HSBC where he managed to realise the dreams of a guy.

    A shopkeeper went into the bank and required a £2000 cash withdrawal to purchase stock.

    My friend didn't have enough cash in his drawer so he asked the manager to get him £2k.

    The manager gave him £20k to top his drawer up.

    My friend being the dozy idiot he is didn't hear the manager and didn't count the cash and handed over the full wad to the shopkeeper who duly said nothing and walked out with it.

    The manager only realised something was up when my friend asked for a top up for his drawer.

    They never did get the money back. Apparently there is no legally enforceable way to get it back.

    Apparently these cock ups are rife. It's not just a Monopoly card.

  11. Dr Patrick J R Harkin

    But it's hard to change passwords...

    ...once they've been written down in the Laminated Book of Dreams!
