UK supermarket giant Tesco was in the news recently for the wrong reasons after details of 2,240 customer accounts appeared on Pastebin. Tesco moved quickly to suspend the accounts in question, but an unlucky few did have store vouchers stolen; not to mention email addresses and passwords on display for the world to see.
This is not the first time that Tesco has received bad press over security; in 2013 Tesco ClubCard holders were reported to be victim of a security breach. However, what makes this incident interesting is that no security attack actually occurred. It is thought that this compromise was based on previous data breaches, with no new hack of Tesco data, thus highlighting the fact that personal data leaked on the internet can have lasting repercussions. It exposed accounts on separate sites as well as providing threat actors with a wealth of social engineering material to mount spear-phishing, scamming emails and identity theft attacks. Hackers were able to use usernames and passwords collected on unconnected sites in order to compromise Tesco customer accounts. This demonstrates the danger of using the same password across multiple accounts. However, the average user will have the same logins for supermarkets, online banking, train tickets, online shopping, email, social media… Need I go on? We have busy lives and as everything moves online the number of accounts and passwords to keep track of is proliferating for the average user. There are best practices that users can follow to keep themselves protected. This is not new advice, I am afraid, but still insecure password practices are rife! So listen up.
Change your passwords regularly, and if any password breaches that may affect you hit the news, change that password across all accounts. Whilst it is best to not reuse passwords, if having individual passwords on every single account seems too daunting then ensure you categorise your passwords based on the sensitivity of that service. For example, do not have the same password for your online banking as your iTunes account. From an organisation’s point of view, keep yourself out of the cyber security news by addressing web application security, as this is where the majority of breaches are coming from, not the network perimeter. A range of analysis techniques are available for scanning web application code for vulnerabilities. Seek advice from application security experts on how to get the best coverage for your budget, with a solution that allows for regular scanning- conscious of the ever-evolving threat landscape. Know your web perimeter. Attackers will target the least secure site in your inventory- often an old site that wasn’t even on your team’s radar- so that maximum damage can be inflicted with the least amount of effort or risk of detection. Lastly, take user authentication and session management very seriously. A wide variety of practices are available to ensure that users adopt secure password practices – whether they like it or not- for example, multi-factor authentication, password rotation, and password complexity policies.