Experts: Data at risk on price comparison sites

Customer data on Comparethemarket.com and Confused.com is at risk of disclosure due to weak authentication, according to security experts.

An outsider armed with a handful of personal details such as email address and date of birth can access further data on the price comparison sites, ZDNet UK has confirmed. This puts customer privacy at risk, and the data could be sold on to cybercrime rings, experts from F-Secure and Sophos said on Thursday.

On Comparethemarket.com, people who want to get a quote for insurance policies are required to enter a swathe of information. For example, to get a quote for car insurance, customers must give data such as details of car ownership, telephone number and marital status.

However, to access this information, anyone can use a button at the bottom of the home page labelled 'Retrieve your quote'. People are then prompted to enter an email address, surname and date of birth, to view the information provided during previous sessions.

This level of authentication is not strong enough, according to F-Secure labs security adviser Sean Sullivan. He noted that social-networking sites such as Facebook publically display the email address, surname and date of birth of users.

"Email, surname and birth-date is not good enough. Black-hat scripts can scrape data from Facebook accounts," said Sullivan. "Just throw it into a database and write a script to enter the data [on the Comparethemarket.com prompt page]. I have no doubt someone would try it."

Any personal data fetches a price on underground cybercrime forums, giving cybercriminals an incentive to access price comparison quotes, he added. "The more data you stockpile, the more commodity you have to sell," said Sullivan. "It's the wild wild west [on the internet], and there's a million entrepreneurs."

Confused.com also has weak authentication on its password retrieval, as was first highlighted in an investigation into price comparison site security by technology publication PC Pro. It is possible to access a quote history on Confused.com by requesting a password reset, via a button saying "forgotten?". Users are sent to prompt page which asks for an email address, date of birth, postcode and surname.

Sophos security expert Graham Cluley said that the addition of a postcode question made it slightly more difficult to get into Confused.com accounts than Comparethemarket.com accounts, but that authentication was still inadequate.

"[The postcode] makes it a bit more tricky, but that information is still publically available," he said. "You would hope these sites disable those [functionalities] while they get them fixed."

Cluley recommended that price comparison sites institiute a user identification number, or a password, or a reference number, for quote retrieval.

Comparethemarket.com told ZDNet UK that it is working on strengthening its data protection processes, and that it will have password protection for quote retrieval by the end of the month.

"The security of our customers' personal data is of paramount importance to us," a company spokeswoman said on Thursday. "We comply with and are registered under the data protection laws in the United Kingdom. We are confident that our current levels of security are appropriate for the type of data that we hold on our site. As we do not take any payments, the site does not hold financial data such as credit card details."

"However, we do understand that data privacy is a growing concern for consumers and we were already moving towards the introduction of password protection for quote retrieval, to give our customers greater levels of assurance on the security of their data. We have decided to accelerate this process and aim to have password protection in place by end of September," the spokeswoman added.

Confused.com said it has started work on improving its password-retrieval process by adding more questions, and a company spokeswoman said it expects the work to be completed "in the near future".

"Confused.com takes security of its customers data very seriously and regularly carries out review of the measures it has in place," the company said in a statement. "A planned upgrade of the password reset and retrieval methods to include additional security questions is currently being implemented, which will offer enhanced protection for new and existing customers."

The spokeswoman declined to give any details of what kind of questions would be added to the password retrieval process, or when they would be added.