Thumbs up for the sub-head.
UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher. Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many …
In January, Hatton responsibly contacted Halfords to warn the company of the vulnerability. Sadly, his efforts were rewarded mostly by a stony silence until The Register got in touch.
A spokesperson told us: "Halfords takes the security of our customer data very seriously."
I'm not sure those two statements agree!
> "<State_company_name> takes the security of our customer data very seriously."
It's the phrase clearly indicating they don't give a flying ...
If they had, they would have given some meaningful statement instead of this hackneyed and meaningless stock phrase derived from "Your call is very important to us (please wait till kingdom come)". At least the original had the purpose of flattering the victim; this version is just shameless mockery considering the situation after which it is usually uttered: "Yeah, yeah, you're very important to us - NOT!"...
It doesn't matter that those statements agree, somewhat agree, disagree, take a piss, etc. The person (or bot) with a job to reply to media queries replied to a media query by copying a reply to a media query copied from a reply to a media query that was copied from a reply to a media query.
What, you think I'm being flippant? Well, how else would you interpret the reply that clearly indicates you don't understand the question and / or you don't care about the question / answer and / or you don't give a flying monkey about what people think about the answer (and your company), because you're not paid enough to care. You don't care, Halfords don't care that you don't care, everybody's happy...
They also supply bulbs. I needed two urgently for my motorbike and click'n'collect should have been the solution. They were in stock at, shock horror, a reasonable price.
In order to complete the order (sorry!) you put in the registration of the vehicle. 'Invalid' it came up. Sadly DVLA disagree and continue to demand road tax and MOT. You can't order what you want without a 'valid' number plate. Repeating it in upper/lower case, with/without spaces, had no effect. Eventually I put in a random reg of a car parked in our street.
It worked. Apparently. Got order number and text to say the bulbs were ready to collect.
Collecting should have been straightforward - yes? Sorry - you really don't want to hear about the connection between Halfords' order system and our local branch. Thank goodness they still have dedicated humans ready to ignore it and go collect them off the shelf.
Time to get the hardware/software up to wetware standards, Halfords!
Back in the days when Halfords was a chain of much smaller shops on the high street, you could pretty much guarantee that all the people working there had a good idea about cars and engines and at least one would be a proper petrol-head. Nowadays, they are primarily "shop assistants" IME, with little practical knowledge.
Why the perl would you need to give them rego? What possible reason would they need it for?
There are motorcycle sites in the States that try to be "helpful" by demanding make/model/year to make sure your non-generic part fits, but then they also have a "buy it anyway" button.
As with most things in life, use the local companies as they will almost certainly be small outfits that pay proper tax and have knowledgeable staff (or they would have gone under years ago). I don't understand the obsession with using huge chain stores for everything. They are invariably populated by clueless staff who mostly don't give a shit what they sell you and then try to get you to sign up for a loyalty card or account or extra insurance etc. as this is where they make money.
As others have said - people get what they pay for.
In my experience Halfords MOT shops are either criminal or incompetent in ways that just happen to generate revenue for fixing stuff that isn't broken. For example, claiming surface rust on solid (unvented) brake discs was affecting the structural integrity, etc., and that I needed to pay them >£2k to change pads and discs - but not mentioning the pinhole in the brake line which they didn't want to replace because it's a nightmare job on that car.
I mean, they're so incompetent in non-revenue-raising ways too that I hesitate to put it down to venality. But either way it's a load of hassle you don't get at any proper MOT shop.
My MOT man charges full whack, £55 roughly (I forget how much it is these days - or I choose to forget), but he gets my business because he is thorough, honest and knows my spannering abilities. Same place for 30 years, and in a five-car family that's a good wedge of moolah - more than I've ever spent on buying a car, that's for sure!
All the times I've gone to Halfrauds for anything I've never been asked why when I say no to the email.
I have noticed on their website though that if you try to use the wildcard email thing (as in, putting + after your name on the email to fill it with any identifiable garbage to you) that while they accept it they won't send an email to it. Three times now I've been screwed out of a £5 voucher after buying oil from them.
That said, in defence of Halfrauds, their Advanced tools are fantastic. I'll always go to Halfrauds for that, but not much else.
Christ! I don't even put that stuff in my Alfa, which allegedly requires it.
If that's a reasonable price, you must be using some new definition of the word "reasonable". HINT: If you can't find the, equally as good, Castrol Edge for half the price, you're not trying.
"If that's a reasonable price, you must be using some new definition of the word "reasonable". HINT: If you can't find the, equally as good, Castrol Edge for half the price, you're not trying."
From what I recall Castrol's retail oils are only available in 4 litre cans, as opposed to the 5 litre cans that everyone else sells for about the same price. The only way I can get 5ltr Castrol Magnatec 5w-30 for my Ford is to order it online from a dealer (Vospers parts, they do great value service kits).
Castrol Edge is usually more expensive than Syntium IME. Generally the cheapest decent oil I've found has been Syntium on half price offer - there's always an offer on somewhere for one oil or another of that quality, which is the one I'll get, and most commonly it's been Syntium.
"That said, in defence of Halfrauds, their Advanced tools are fantastic. I'll always go to Halfrauds for that, but not much else."
The Advanced tools range is fantastic when you want something good quality enough to stand up to abuse (e.g. scaffolding tube on a spanner) but not so expensive you're afraid of losing it.
It's also lifetime-guaranteed.
Yep, and they don't piss about when you need to use the guarantee either (at least at my local store). Only ever had to replace one thing, a T40 bit socket where the shaft broke. Straight up to the store, showed the lass on the counter, 2 minutes later walking out with the replacement.
Definitely worth watching out for the discounts, although they seem to have shifted to a paid-for loyalty scheme now to get the best discounts.
I can't find it now, but I remember reading about a case where a customer of Comcast or Verizon reached out to them about a similar problem with an insecure API involving a sequential ID number and they were ignored. So after a responsible length of time they went public with it and were then prosecuted and actually convicted. Just ridiculous.
I'd have to look it up (and I cba) to be sure whether this is even a disclosable breach. People seem to have got a funny idea of what data is private, and the bar is set much higher than commonly guessed. Your name and address are not private data in general, although in some cases they can be.
If it is a breach, it's only a very minor one. It's MOT booking data, not STD treatment appointments. Failing to report it appropriately would be a further breach of regs, but again a minor one.
So seriously that they don't pen test their public facing systems?
However, over the last couple of decades, almost no business I've consulted with has had their public presence actively pen tested. They've pretty much all relied on automated 'vulnerability scans', which of course don't find breachable logical errors like this one. I guess it's a matter of cost - that is - a short-sighted view of cost.
Having placed an order with Halfords for an oil change I clicked on the link to track my order.
I'm not sure if this is the exact same thing as the story but I saw my browser made a request to a URL where it passed my email address. I won't post the URL as I'll report it responsibly. It returned a JSON object with details of my car. The first 3 characters of the reg plate were asterisked out. But it contained details of the MOT date, make, model and colour of the car.
There's nothing too sensitive in it but it does make me wonder if I could pass any other email address and get a response. Haven't tried it and don't want to! I'll report it anyway.
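The comment above describes an order-tracking endpoint that returns a car's details for whatever email address the browser sends, and an earlier comment notes that automated scanners miss exactly this kind of logic flaw. The following is an added illustration, not Halfords' code or the URL the commenter saw: a constructed in-memory order store with the lookup written the broken way (keyed on a client-supplied email) beside the authorization-checked way (identity taken from the authenticated session, ownership verified before anything is returned). Field names, sample orders and the `mask_reg` helper are assumptions.

```python
"""Order-tracking lookup: the broken pattern beside an authorization-checked one.

Added example, not the retailer's own code. The order store, session values and
field names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_email: str
    reg: str
    make: str
    model: str
    colour: str
    mot_due: str


# Constructed sample data, not real customers or registrations.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice@example.com", "AB12CDE", "Volvo", "V40", "Blue", "2024-03-14"),
    1002: Order(1002, "bob@example.com", "XY34FGH", "Ford", "Focus", "Red", "2024-07-02"),
}


def mask_reg(reg: str) -> str:
    """Asterisk the first three characters, as the response in the comment did."""
    return "*" * min(3, len(reg)) + reg[3:]


def _public_view(o: Order) -> dict:
    return {"reg": mask_reg(o.reg), "make": o.make, "model": o.model,
            "colour": o.colour, "mot_due": o.mot_due}


def track_order_unsafe(email: str) -> Optional[dict]:
    """Broken: the email comes from the request, so any caller who supplies a
    customer's address gets that customer's vehicle details. No scanner flags this;
    the response is a perfectly well-formed 200."""
    for o in ORDERS.values():
        if o.owner_email == email:
            return _public_view(o)
    return None


def track_order(order_id: int, session_email: Optional[str]) -> Optional[dict]:
    """Hardened: identity comes from the server-side session, never from a parameter,
    and the record is released only if it belongs to that identity. A wrong owner
    gets the same answer as a missing order, so the endpoint leaks nothing."""
    if session_email is None:
        return None
    o = ORDERS.get(order_id)
    if o is None or o.owner_email != session_email:
        return None
    return _public_view(o)
```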
DVLA sells everyone's details to just about anyone who asks: insurance companies, tyre (not tire) and exhaust fitters, car park extortion rackets, ferry companies, etc. There doesn't appear to be any opt-out and the ICO doesn't give a shit.
All your data are belong to us. Have a nice day.
"All your data are belong to us."
That may be so. But in this case it's exposing personally identifiable information tied to details of the car. Admittedly knowing when someone's MOT is due and being able to match that to an individual's email address is hardly the breach of the century but it's bad practice nonetheless.
You can of course look up things like all of the data I mentioned even off the DVLA's official website only from giving a reg number. But it doesn't tell you *who* the vehicle belongs to!
You can easily look this up.
The DVLA has a positive duty to _disclose_ vehicle registration details to anyone who makes a reasonable request. It is not private data, it's a public registry. There's no loophole, the system is working as we intend it to work.
Next you'll be complaining the electoral roll is also public data.
The request in this case wasn't reasonable. I had permission to be there and was thus exempt from their poking and prying. It's spilling of personally identifiable information to poorly vetted or totally UNVETTED basically criminal gangs in some cases (yes, there ARE decent responsible private parking companies but they're the exception). If DVLA is required by law to share the data (as the link you provided seems to show, ta for that), then maybe the companies that they share it WITH should be strictly regulated by law? Just an idea.
The UK government makes the basics for any registration number freely available. https://www.gov.uk/check-vehicle-tax gives you vehicle's make and colour, year of manufacture, month of first registration, fuel type, cylinder capacity and more. https://www.check-mot.service.gov.uk gives model, plus date, mileage and pass/fail for each test. There's enough there to allow a rough valuation.
Halfords IT always seems odd:
1. Trying to buy a new main beam bulb I put in my car's reg. on their in-shop system. It came up with a bulb different from the one I had just taken out. So I sought help and also dug out the handbook. The dead bulb was as listed in the handbook but the shop assistant argued. His final suggestion was that Volvo had obviously got it wrong!
Then I remembered that a lifetime ago I had tried to sell Halfords a point-of-sale system. "It won't work because bar-coding won't take off", was a serious observation from quite a senior person.
Halfords has passed through many owners over the years but its IT always seems a bit odd.