
Are consumers or Tesco to blame for latest cyber-breach?

17 February, 2014
2000 Tesco customers have had their accounts compromised after their credentials were cross-referenced from other sites.

Retailer Tesco has come under criticism for a security problem affecting over 2000 of its online customers. The login credentials were discovered and published on a sharing site and have since been reset. However, the Tesco site itself hadn't been hacked: the credentials had been uncovered on other sites and then tried against Tesco to see whether they also matched Tesco login details.

This latest exposure of online customer data is less clear cut in terms of who's responsible, though, with some blaming Tesco for poor controls and others blaming the consumers themselves for recycling passwords between different online accounts.

Tim Keanini of Lancope sees Tesco as the culprit, blaming the retailer for not having the foresight or controls in place to prevent something that Tim believes was entirely predictable. Lack of analytics is a common problem that exposes customer data just as much as not having the right internal safeguards in place.

Tim told us, "If these retailers would spend half the time on cybersecurity analytics as they spend on consumer analytics predicting buying patterns, the cybercriminals would have a very hard time being successful as their behaviour could be predicted and retailers would have more effective defences.  This I believe is evidence that retailers do not feel like cybercrime is a part of doing business yet but how many more times will they need to be compromised before incident response is part of the business process?"

Callum MacLeod of Lieberman Software holds a similar view, expressing his concern that retailers such as Tesco are continuing to put the minimum of investment into security and are more interested in ticking compliance boxes than solving problems. Like Lancope, Lieberman Software also sees anomaly detection as the means of preventing this kind of breach. According to Calum, "Until these organizations recognise that the fundamental component of securing themselves is controlling their privileged credentials and continuously monitoring to detect anomalies, everything else they do is irrelevant."
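The "analytics" both vendors are calling for can be quite simple in practice. The following is an added illustration (not Tesco's or any vendor's code) of what a credential-stuffing attempt looks like in login logs and how to flag it: one source trying many different accounts in a short window with mostly failures, which is the pattern produced by replaying credentials leaked from other sites. The log lines, thresholds and IP addresses are constructed for the example.

```python
"""Flag login sources that look like credential stuffing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-02-15T03:00:01 203.0.113.7 alice FAIL
2014-02-15T03:00:02 203.0.113.7 bob FAIL
2014-02-15T03:00:02 203.0.113.7 carol OK
2014-02-15T03:00:03 203.0.113.7 dave FAIL
2014-02-15T03:00:04 203.0.113.7 erin FAIL
2014-02-15T03:00:05 203.0.113.7 frank FAIL
2014-02-15T08:12:00 198.51.100.4 alice FAIL
2014-02-15T08:12:30 198.51.100.4 alice OK
"""


def parse_events(text):
    """Parse one event per line into (timestamp, ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: accounts_tried} for sources that attempted at least
    min_accounts distinct usernames within one window and succeeded on
    at most max_success_rate of those attempts. A real user typing a
    password wrong hits one account; a stuffing run hits many."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide `start` forward so attempts[start:end+1] fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            ok = sum(1 for _, _, o in chunk if o == "OK")
            if len(users) >= min_accounts and ok / len(chunk) <= max_success_rate:
                flagged[ip] = users
    return flagged
```

The single successful login from the flagged source is exactly the kind of event worth forcing a reset on, even though on its own it looks like a normal sign-in.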

This need for analytics and an unconventional approach to security for online subscribers reflects recent changes in the threat landscape and the need for less reliance on "traditional" security tools and more emphasis on protecting against modern advanced threats. Whilst recognizing the fact that consumers should do more to protect themselves by not recycling passwords, Jason Hart of SafeNet nonetheless sees the need of retailers to protect those who put their trust in them.

According to Jason, "It's vital that organisations are taking the correct precautions to ensure that their most sensitive data remains protected. While the latest Tesco data breach was not a result of a direct attack on the website, it does highlight the wider implications of data breaches. Many people often use the same password across multiple sites, so the true impact of any data breach is always likely to be bigger than first anticipated."

He went on to explain how they can achieve this. "Too many security departments hold on to the past when it comes to their security strategies, focusing on breach prevention rather than securing the data that they are trying so hard to protect. Methods used by cybercriminals are becoming increasingly sophisticated and if they want to hack the system or steal data, then they will find one way or another to do so. Companies need to focus on what matters most – the data. By utilising technologies such as encryption that render any data useless to an unauthorised party, as well as tamper-proof and robust key management controls, companies can be safe in the knowledge that their data is protected, whether or not a security breach occurs.”

Web filtering company Bloxx believes users should make themselves more secure by selecting passwords that aren't easy to guess and using a different one for each account they hold. This is no easy task since, as Bloxx points out, "We live our lives online". Bloxx CEO Charles Sweeney explained, "Our natural instinct is to simplify and use the same password and username combination for everything. But this is very risky as attacks like these demonstrate. Whilst it might be convenient for you, it also makes it easier for hackers to steal your details from the multiple sites that you've signed up to."

This highlights the dilemma faced by users. Everyone knows that they shouldn't recycle passwords, but remembering unique combinations of upper and lower case letters and numbers that don't spell common words for as many as 20 online accounts is impossible and, in fact, unreasonable. The industry that's placing these demands on consumers should be supplying them with a workable solution; otherwise the industry itself is burying its head in the sand.

So while everyone waits for the industry to turn up with something that supplies consumers with usable security, what can they do? Rapid7 suggests the use of password vaults. The company's global security strategist, Trey Ford, advises users: "If you're concerned that your accounts may be at risk, take the initiative to set up a password vault. From a trusted computer, trade out your old shared passwords for new unique ones. Change your email password first, it is the one key to rule them all – password resets go to your email."

The Tesco breach would suggest that the compromised accounts were discovered on less secure sites than Tesco's and that makes sense. Most users have a range of online accounts, some of which are more sensitive than others. The temptation is to pay less attention to supplying an unbreakable password to a tea manufacturer's "Cuppa Club" than to your "Air Miles" account since air miles are more valuable as a currency than vouchers for colourful tea-pots. The tea manufacturer might have top class security on its site but subscribers have no way of knowing that and by supplying trivial passwords, they could be giving hackers access to all their other higher value sites.

However, according to David Emm of Kaspersky Lab, it is possible to create strong and memorable passwords without them being trivial. David told us that the standard advice on password creation is already well-known but too complicated to follow, so he offered a more practical approach.

David's formula for creating strong passwords that are convenient to remember is to start with a fixed component unique to the site you're accessing and then scramble it in a fixed way, much like a simple coding algorithm.

So for the Cuppa Club you could start with the fixed component "cuppaclub" then apply a formula to it, for example:

1 - Capitalize the fourth letter (cupPaclub)

2 - Move the second last character to the front (ucupPaclb)

3 - Add a chosen number after the second character (uc3upPaclb)

4 - Add a chosen non-alphanumeric character to the end (uc3upPaclb*)

It's much easier to remember one formula, apply it to all online accounts and recall a phrase relating to each account than it is to remember several unrelated unique strings.
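The four steps above, written out as code so the transformation can be checked against the article's worked result and against other site words. This is an added illustration, not Kaspersky Lab's code; the chosen number "3" and symbol "*" are taken from the article's example, and the second and third site words are constructed.

```python
"""David Emm's four-step password formula as a function (added example)."""


def derive_password(site_word, number="3", symbol="*"):
    """Apply the article's four steps to a site-specific word.
    `number` and `symbol` are the user's fixed personal choices."""
    if len(site_word) < 4:
        # Step 1 needs a fourth letter and step 2 a second-last character.
        raise ValueError("site word must be at least four characters")
    # 1 - capitalize the fourth letter: cuppaclub -> cupPaclub
    s = site_word[:3] + site_word[3].upper() + site_word[4:]
    # 2 - move the second-last character to the front: cupPaclub -> ucupPaclb
    s = s[-2] + s[:-2] + s[-1]
    # 3 - insert the chosen number after the second character: -> uc3upPaclb
    s = s[:2] + number + s[2:]
    # 4 - append the chosen non-alphanumeric character: -> uc3upPaclb*
    return s + symbol


def passwords_for(sites, number="3", symbol="*"):
    """Derive one password per site and confirm they are all distinct,
    which is the property that defeats cross-site credential reuse."""
    result = {site: derive_password(site, number, symbol) for site in sites}
    if len(set(result.values())) != len(result):
        raise ValueError("formula produced a collision between sites")
    return result


if __name__ == "__main__":
    # "airmiles" and "tesco" are constructed site words for the demo.
    for site, pw in passwords_for(["cuppaclub", "airmiles", "tesco"]).items():
        print(f"{site:10s} -> {pw}")
```

Because the scramble is deterministic, a single leaked password together with the site name reveals the pattern to anyone who studies it, so the password vault Rapid7 recommends above remains the more robust option where one is available.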

David Emm concluded, "By using this method, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information."

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.