Security hole found in top price-comparison sites
Exclusive: PC Pro investigation reveals price-comparison websites are failing to protect customers' personal data
A PC Pro investigation has revealed a gaping security hole in leading price-comparison websites.
While sites such as Confused.com and Comparethemarket.com might save you time and money, the true cost could be higher than you think because of a basic flaw in how they secure customers' personal data.
Following a reader tip-off, we visited Comparethemarket.com and clicked the "Retrieve a quote" button. To gain full access to an account holder's entire quote history, all that was required was their email address, surname and date of birth: details that could easily be harvested from social-networking sites such as Facebook.
This was enough to unlock a treasure chest of further valuable data, including telephone numbers, car registration and make, occupation, the spouse's personal details and, where a home-insurance quote had been obtained, property details. And all of this without any need to enter an account password or click a link in a validation email sent to the account holder's address; just click the submit button and all that data appears on screen.
Confused.com was little better: all we needed to do was fill out a simple web form to reset the account holder's password and access the quote history of anyone who had "forgotten their password", which could, of course, include identity thieves.
This time, all we needed in order to change the account password and get instant access to the quote-history data was an email address, date of birth, postcode and surname. Again, all of it information that is publicly available and easily obtained. The account holder would be none the wiser: no email is sent even to confirm that the password had been changed.
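To make the design failure concrete, here is a constructed Python model of the two recovery flows described above, added here for illustration. It is not code from Comparethemarket.com or Confused.com, and the account data, field names and URLs are invented. The weak functions gate quote retrieval and password reset on the same publicly discoverable facts the article lists (email, surname, date of birth, postcode) and send no notification; the hardened functions instead prove control of the registered mailbox with a single-use, time-limited link, give the same response whether or not the address exists, and notify the owner when the password changes.

```python
"""Constructed model of weak versus hardened account recovery.
Not code from Comparethemarket.com or Confused.com; all names, data
and flows here are assumptions made for illustration."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    surname: str
    dob: str          # ISO date, e.g. "1980-05-12"
    postcode: str
    password: str     # plaintext only because this is a toy; hash it in real code
    quotes: list


# Constructed sample record; not a real customer.
ACCOUNTS = {
    "alice@example.com": Account(
        "alice@example.com", "Smith", "1980-05-12", "SW1A 1AA", "hunter2",
        ["car: AB12 CDE, Ford Focus", "home: 10 Example Street, SW1A 1AA"]),
}


# ---- Weak design: the check is knowledge of facts a stranger can look up ----
def retrieve_quotes_weak(email, surname, dob):
    """Returns the full quote history given only email, surname and date of birth."""
    acct = ACCOUNTS.get(email.lower())
    if acct and acct.surname.lower() == surname.lower() and acct.dob == dob:
        return acct.quotes
    return None


def reset_password_weak(email, surname, dob, postcode, new_password):
    """Changes the password on the same public facts and tells nobody."""
    acct = ACCOUNTS.get(email.lower())
    same_postcode = (acct is not None and
                     acct.postcode.replace(" ", "").lower()
                     == postcode.replace(" ", "").lower())
    if acct and acct.surname.lower() == surname.lower() and acct.dob == dob and same_postcode:
        acct.password = new_password
        return True
    return False


# ---- Hardened design: prove control of the mailbox, not knowledge of facts ----
TOKEN_TTL_SECONDS = 15 * 60
PENDING = {}   # token -> (email, issued_at); single-use and short-lived
OUTBOX = []    # stands in for the mail service: (to, subject, body)


def request_recovery_link(email, now=None):
    """Same reply whether or not the address exists, so the form cannot be used
    to enumerate customers. The secret goes only to the registered address."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email.lower())
    if acct:
        token = secrets.token_urlsafe(32)   # 256 random bits; not guessable
        PENDING[token] = (acct.email, now)
        OUTBOX.append((acct.email, "Your recovery link",
                       f"https://example.invalid/recover?token={token}"))
    return "If that address is registered, we have emailed a recovery link."


def _redeem(token, now):
    entry = PENDING.pop(token, None)        # pop: a token works at most once
    if entry is None:
        return None
    email, issued = entry
    if now - issued > TOKEN_TTL_SECONDS:    # expired tokens are discarded too
        return None
    return ACCOUNTS[email]


def retrieve_quotes_with_token(token, now=None):
    acct = _redeem(token, time.time() if now is None else now)
    return acct.quotes if acct else None


def reset_password_with_token(token, new_password, now=None):
    """Changes the password and notifies the owner, so a hijack is visible."""
    acct = _redeem(token, time.time() if now is None else now)
    if not acct:
        return False
    acct.password = new_password
    OUTBOX.append((acct.email, "Your password was changed",
                   "If this was not you, contact us immediately."))
    return True


if __name__ == "__main__":
    # Weak flow: public facts alone unlock the history and silently change the password.
    print(retrieve_quotes_weak("alice@example.com", "smith", "1980-05-12"))
    print(reset_password_weak("alice@example.com", "Smith", "1980-05-12", "sw1a1aa", "pwned"))
    # Hardened flow: nothing is released until the emailed link is redeemed.
    print(request_recovery_link("alice@example.com"))
    link_token = OUTBOX[-1][2].split("token=")[1]
    print(retrieve_quotes_with_token(link_token))
    print(retrieve_quotes_with_token(link_token))   # second use fails
```

The hardened path deliberately does not add more security questions: answers such as mother's maiden name or first school are just more facts about the victim, and the weakness here is that the whole check rests on facts rather than on something only the account holder controls.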
PC Pro contacted both Comparethemarket.com and Confused.com last week to inform them of the findings of our investigation and to enable them to improve their security before we published this story. We received no reply to our communications from Comparethemarket.com, but a spokesperson from Confused.com told us: "We take our customers' data protection seriously. We are currently in the process of upgrading our password reset and retrieval methods to enhance security for our customers including use of additional security questions, and this will be available in the near future."
At the time of publication neither company has made any changes to the security of the quote retrieval process.
To read the full version of this investigation, read Davey Winder's Real World Computing column in issue 194 of PC Pro, on sale mid-October.