Security flaw exposed on Home Shopping Network

February 8, 2010 6:55:29 PM PST
A potential security flaw may expose the customers of one of the biggest television shopping networks to credit card fraud. But, some changes are now being implemented thanks to 7 on Your Side.

Shopping via television is big business. In 2008, HSN reported sales of nearly $2 billion. So, when an HSN customer said a new feature on the channel left her feeling vulnerable, 7 on Your Side decided to investigate.

Mishal Boscana was flipping through TV channels when something caught her eye. The icon in the upper right-hand corner said "Select OK to shop." It is part of HSN's "Shop by Remote" feature.

"So, I just said, 'Let's see what this is.' I hit my remote, then I hit 'OK,'" Boscana said.

The prompts directed the Vallejo woman to input some basic information. Just like that, her name, address and part of her credit card number appeared on the screen. Hitting "OK" again would have completed her order.

That made her feel uneasy.

"They don't require any password or PIN numbers. There's no security on it, with it, at all," she said.

7 on Your Side wondered if her fears were founded, so we consulted Doug Tygar, a computer security expert at UC Berkeley. He said they probably were not.

"Home Shopping Network can determine, if they use all the information available to them, from what television an order is being made," he explained.

But Tygar suggested we find out for ourselves. So we went back to Boscana and, with her sister's permission, entered her sister's information. She hit "OK" and the order was processed.

"I was very surprised because all I had to do was hit 'OK,'" Boscana said. "I could have easily done it without her even knowing about it, and then I could change the shipping address without her even knowing about it."

She did exactly that. She phoned HSN and talked them into sending the order to her address instead of her sister's.

"You aren't safe. You aren't safe at all," said Boscana's sister Paula Robinson. "I don't understand how they could let something like that go through. They should have more testing."

We brought the results back to Tygar.

"I didn't believe it," he said. "I was shocked that you could do that, that such an obvious and large hole would be left open."

Tygar says requiring passwords is an industry standard. In fact, HSN requires both a user name and a password when customers shop online. But that same level of security is not part of its "Shop by Remote" feature.

"I would imagine they would be able to deploy a password mechanism in a matter of days. It shouldn't take that much effort," Tygar said.

But after several discussions with HSN representatives, the company decided not to add password security. Instead, in a statement emailed to 7 on Your Side, the company said: "We are implementing an additional verification step for customers who wish to change the shipping address on their order."

The caller must answer security questions correctly before changing the shipping address. Tygar says that is not enough and Robinson agrees.

"I would have to prove I didn't do it. The burden would be on me because how would they know I didn't do it. I have to fight to say I didn't do it and that's the issue," Robinson said.

Tygar also says someone not expecting a package may be more vulnerable to theft. But HSN says it has not had a security issue in its 30-year history.

If you feel the system is unsafe, you can call HSN and opt out of the "Shop by Remote" feature.