Security firm Retainagroup makes "inexcusable" online security error

A company specialising in motor vehicle security has been running an insecure website leaving users' details open to interception.

A website run by Retainagroup Ltd, which allows customers to submit their personal details including addresses, credit card information and vehicle registration details, used an unsecure online form for over a month until Computeractive alerted it to the error.

The company's operations manager Terry Gibson said that "We are still investigating how an unencrypted version of the Change of Owner form came to be live but we now know it happened on the 10th January 2012."

Security experts were critical of the error. Graham Cluley of Sophos described the use of HTTPS security as "web security 101", and said that "it is inexcusable in this day and age not to have implemented such forms securely".

Retainagroup is a company specialising in vehicle security. It runs a database called the International Security Register. Details such as VIN numbers and licence plates of cars, bikes and other valuables can be entered onto the database. In addition, the ownership details of resold vehicles or items can be updated for a fee.

The company allows customers to update these details online via forms on two websites: www.retainagroup.com and www.isrcodecheck.com.

And while forms held on www.retainergroup.com were properly secured using HTTPS authentication, www.isrcodecheck.com contained a form soliciting address, vehicle and credit card information via the internet without any encryption.

This means that anyone able to intercept the information contained in the form on its journey across the internet could read and, potentially, misuse it.

Retainagroup operations manager Terry Gibson said that only two customers had used the form in question during the time it was insecure.

In a statement to Computeractive Gibson wrote:  "As a company that has been maintaining sensitive data for nearly 30 years, we treat all aspects of security very seriously indeed and make strenuous efforts to avoid something like this occurring."

"We are very relieved that you have brought the problem to our attention and are now conducting a further review of all our website forms to make 100% certain that no others have been similarly affected."