Tesco in unencrypted password email reminder rumble

Tesco's admission that it still merrily emails passwords to punters in plain text has alarmed anyone with a grasp of computer security. The UK's supermarket behemoth reassured the world on Sunday that it stores passwords for online shopping accounts in an encrypted format, and only decrypts them when users forget their login …

COMMENTS

This topic is closed for new posts.


One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks. But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format. If there was any kind of breach that exposed these password hashes then the corresponding plain text passwords can be extracted from the stored hashes using a brute force attack and rainbow lookup tables.

Not to be too pedantic, but these aren't hashes. Hashes are one way (salted or otherwise); these would actually be encrypted passwords. How is it the Reg calls hashes encrypted passwords, but when they could use the right term (even if by accident) they still cock it up?

Pales in comparison to the cock-up by Tesco though. When it comes to security, every little helps.

Getting me coat

13
0
(Written by Reg staff) Silver badge

Re: encryption, hashes, etc

Hello,

Yes, you're right - there was a misunderstanding at the editing stage. We do know the difference between encryption and one-way hashing functions. It's been fixed.

C.

4
0

This post has been deleted by its author

FAIL

Oh dear!

"But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format."

Very poor understanding, 1 out of 10

5
0
Thumb Up

Re: Oh dear!

Good reply. 9/10, would read again.

2
0
FAIL

So....

"But the bigger issue is that the method implies that the grocer stores password hashes in an unsalted format. If there was any kind of breach that exposed these password hashes then the corresponding plain text passwords can be extracted from the stored hashes using a brute force attack and rainbow lookup tables."

But if they were hashed then Tesco would not be able to send you your forgotten password without them brute forcing their own database. Sounds like they are encrypted in which case it does not matter if they are salted or not.... Allen always has something to say on salting.... http://www.youtube.com/watch?v=HB-qNONoYN4

1
6

Re: So....

You missed the point, you shouldn't be able to recover your old password. If you forget your password, it should make you reset it to a new one.

9
0
Anonymous Coward

Re: So....

I really hope you don't work anywhere near programming, especially security, Rod.

The only person that should know your password is you. Always. Never the system you've signed up for, barring a salted and hashed version (with a secure method) of it which even they can't brute force. Whenever a manager comes in saying I want to be able to log in to [x] account here they are told they are getting a sign in as button, and not plaintext passwords.

5
1
Bronze badge

Re: So....

> http://www.youtube.com/watch?v=HB-qNONoYN4

Interesting facial hair. It's visible through his microphone. I bet Groucho Marx never tried that idea.

0
0
Silver badge
Meh

To be fair to Tesco - they are one of the few eTailers(*) who have never leaked/sold my address to spammers. It's something I can track because I give everyone their own unique address. Frankly I've given up on the independents now. I got sick of having to blacklist their addresses.

(*)Kudos also to: Amazon(**), Laithwaites and eBuyer.

(**)A special award for Amazon given their use of resellers. Their anonymising mailer is a bloody good idea.

3
0
Silver badge

That's most likely because the data is too valuable to Tesco to just go off and sell it someone else. All those lovely metrics about how often you shop, what time of day you shop, how far you drive to shop, how susceptible you are to promotions, how often you spend points, how many kids you have, who you're married to, whether you have a garden or not, etc. Most stores with loyalty schemes are likely the same.

If they sell data at all, it's the bare minimum, or they operate the database so the "preferred partner" has no idea how the data was mined out.

2
0
Anonymous Coward

I've had spam via Tesco Compare, although, giving Tesco the benefit of the doubt, this is probably down to the way the information is passed to various underwriters that has led them to leak the email address (which was unique to the quote for insurance).

But still fail on Tesco for not ensuring the "no I don't want to hear from you or partners" check box actually does what it says.

0
0
FAIL

Funny you should say this!

I had to order a replacement Clubcard just the other night and I couldn't remember my password, so I was somewhat surprised after resetting it to find my password emailed directly to me... I then changed it to something secure but totally throwaway, because anyone who stores my password in plain text (or as good as, if it can be decrypted on demand) shouldn't be holding them in the first place.

In this case the fail icon is truly justified!

3
0

Tesco isn't great at security. They've been sending SMS monthly bill reminders to my wife for over a year that go along the lines of "Dear [password], your Tesco Creditcard statement is online". Same every time. She's phoned and told them more than once; makes no difference.

2
0
Anonymous Coward

Re: Dear [password]

Ah - sounds like she has accidentally entered her name in the "Name" field and password in the "Password" field.

If she enters her password in the "Name" field and name in the "Password" field, this issue will be resolved.

We randomise the fields to increase your security. Or hide our mistakes. Remember: every little helps....

Tesco Web Security Support (deceased)

9
0

Glad this is finally going mainstream

This issue has been known by Tesco, and by the tech community for years. I have been having a two year dialogue with Tesco about it myself.

Maybe the scrutiny of the media might overcome Tesco's resistance to even trying to understand the problem.

0
0

What are we talking about here?

If it's Tesco Bank, then yes, emailing passwords which could allow a third party into your bank account is improper and there is cause for concern.

But if it is just access to your grocery list, then it's a storm in a teacup. Is anybody really going to break in to your account just to look at your Clubcard points and order you a million teabags?

2
6
Anonymous Coward

Re: What are we talking about here?

No, it's not a storm in a teacup; it has been shown time and again that people reuse passwords on multiple sites. A security breach at one site can potentially compromise accounts at other websites, which may be far more serious than viewing Clubcard points and teabag orders.

There are also far more issues here than just the passwords: Tesco's frankly embarrassing use of SSL, obsolete platform and, most worrying to me, their total disregard for their customers' security (apparently they've been aware of these problems for years, done nothing and in fact still deny they exist).

4
0

Re: What are we talking about here?

Post your Tesco login credentials up here for us will you?

3
0

Re: What are we talking about here?

They also have online shopping - yep, including your credit/debit card number if you've decided to let them store it.

0
0

Re: What are we talking about here?

Given some of the miscreants on the net nowadays, yes, they might well break in and order you 20,000 cans of beans for 'Teh Lulz'.

And as others have said, it's not just your grocery account that may be at risk.

1
0
Silver badge
FAIL

Epic fail

Passwords should be stored via a one-way hash. Forgotten passwords need to be reset.

1
0

Re: Epic fail

That's the bottom line, Jimmy.

PS: Can you tell Robert Plant he still owes me a fiver ?

1
0
Silver badge

Re: Epic fail

If you knew what his 1969 Christmas present to the entire Zeppelin road crew was, you'd know why you haven't got it.

(It was a bottle - singular - of scotch).

1
0
Silver badge

What happened to the death of El Reg icon?

"One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks."

Because no one has ever had their email hacked. Oh no.

1
0
Silver badge

Re: What happened to the death of El Reg icon?

These days they go for the whole database.

Would be advisable to any Tesco customers who reuse their password on other sites to go round changing them before it gets hacked. Can see it being a valuable target to hackers now that the word is out.

0
0

Re: What happened to the death of El Reg icon?

If someone wants to hack my Tesco grocery account and have them deliver me 120 cucumbers and a boatload of cooking apples, they're more than welcome. Hell, I'll give them my password. It's worth it to see the look on the wife's face.

2
0

Re: What happened to the death of El Reg icon?

Go on then - post the details.

0
0
Joke

Re: What happened to the death of El Reg icon?

Someone hacked my account once for a joke - they changed my order from a weekly shop to 120 cucumbers, 60 pots of Vaseline, 80 pairs of Marigold rubber gloves, 40 bottles of Johnson's Baby Oil, 140 cans of squirty cream, 50 packs of rubber johnnies, 20 packs of 200 clothes pegs and one copy of What HiFi Magazine.

I was fucking well embarrassed! Not by the obvious orgy supplies but by the hifi mag!

2
0
Anonymous Coward

Re: What happened to the death of El Reg icon?

Sure, they go for the whole database... it makes sense. With a little investigation Mr Hacker discovers that Tesco stores passwords as plain text, after doing a password recovery.

Considering that unsalted MD5 passwords are ripe for the brute force... a nice plaintext database with an email address is a goldmine. Especially for someone as large as Tesco.

0
0
Thumb Down

It's not just bad practice that Tesco are guilty of, in my opinion. Tesco's Clubcard is likely to be incompatible with our statutory rights as data subjects because they are unable to separate the marketing from the card; if you want a Clubcard then you must have the associated marketing. But section 11 of the DPA98 entitles data subjects to opt out of ALL direct marketing from an organisation. However, when I asked Tesco to comply with my section 11 request they informed me that they would have to cancel my account. So I can't have an account unless I have the marketing, which means that Tesco must have civil law terms - either actual or implied - that are incompatible with my statutory rights. The ICO are investigating.

1
1

> But section 11 of the DPA98 entitles data subjects to opt-out of ALL direct marketing from an organisation.

I suppose they'd argue that the fact you don't have to have a Clubcard and can cancel at any time is probably giving you that option.

Wouldn't expect the ICO to do anything either, to be honest, not necessarily because Tesco are right, but because the ICO are, well, useless when it comes to big business.

0
0
Vic
Silver badge

> the ICO are, well useless when it comes to big business

That sentence is six words too long...

Vic.

2
0
Silver badge

Just this morning

I registered my kid for an online game on Nickelodeon's website. After filling my email and password in, the first thing it did was email the plaintext straight back to me. Stupid websites are stupid.

0
0

Tone and severity of criticism

"The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and unsalted password hashes or plaintext passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case."

What? So we're only allowed to complain about poor security once something bad has actually happened? It doesn't matter whether or not Tesco's servers have been hacked. What matters is that they're falling short of the most basic security standards, and should do something about it *now*, instead of waiting until something blows up.

5
0
Anonymous Coward

PCI-DSS anyone?

Rather astonishingly, Tesco are represented on the PCI Security Standards Council Board of Advisors (https://www.pcisecuritystandards.org/organization_info/board-of-advisors.php) but seem unable to adhere to the development standards set out for PCI-DSS.

0
0
Silver badge

Re: PCI-DSS anyone?

Peripheral Component Interconnect? What have Tesco got to do with that?

3
1

Re: PCI-DSS anyone?

"The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS."

(https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf)

Pretty sure the card payment and storage of your payment card is very secure on the Tesco website and meets those requirements.

The hashing of user accounts is a separate issue IMO, but needs resolving as it allows access to that individual's card payment details, so potentially they could be seen as not doing everything to protect the card from misuse.

0
0
Anonymous Coward

Customary expansion of initialism

As Peter didn't know, or maybe didn't feel it was relevant:

Payment Card Industry Data Security Standard

0
0
Meh

Ocado do it too. Although they claim to have encrypted it after they emailed it to me when I contacted them.

But when I forgot my password, the forgotten password reminder that was emailed to me was my unencrypted password and not the sentence I had set when I registered. I'm not so stupid as to have set my password reminder to my password!!

0
0
Anonymous Coward

You have to remember that IT is not Tesco's core business, and therefore they employ the cheapest staff possible, and have done for some time, and they don't invest in leading edge technology or in unnecessary training. Many of their IT staff aren't "up to date" with IT good practice as all they do is "keep what's there running". A lack of new blood leads to stagnation and a failure to innovate, especially if the middle management don't change.

This is NOT just a dig at Tesco. This is a dig at OUR INDUSTRY, and the lack of support it receives. It's easy for us to sit here and snipe about "how bad is that", but in reality IT is expensive and mostly a cost - for most businesses it is at best an enabler, and it isn't generating revenue.

We ALL need to work together to bring more focus on the minimum expected standards. And we need to listen to the rest of the IT world and be open to changing how we operate to keep ahead of the game.

It sounds like Tesco is close to a security breach.

They aren't the only one.

It is just a matter of time.

Unless they learn some new sports

1
0

"You have to remember that IT is not Tesco's core business, and therefore they employ the cheapest staff possible, and have done for some time, and they don't invest in leading edge technology or in unnecessary training."

True to some extent, I'm sure, but getting people to use their online shopping (as opposed to Ocado, Asda, etc) IS their core business.

Note that they sometimes do invest in "leading edge" technology (or at least half-decent R&D). See the archives of http://techfortesco.blogspot.co.uk It's been a bit quiet, recently, but they've done a few interesting things along the way.

0
0
Anonymous Coward

"isn't generating revenue"

No, I'm pretty sure Tesco have significant revenues made from on-line shopping that they would be reluctant to give up.

0
0
WTF?

"The tone and severity of criticism against Tesco would be justified had its systems had actually been hacked and the passwords exposed - as has happened to other and still more prominent organisations in recent times - but this doesn't appear to be the case"

-- so what's wrong with people trying to persuade Tesco that prevention is better than cure?

If you're doing something stupid and dangerous, the fact that you've not hurt someone else *yet* doesn't make what you're doing any less stupid or dangerous. It just means that at least you're lucky as well. And any sensible organisation would realise how lucky they'd been and fix things up instead of defending the indefensible.

0
0
Megaphone

"it's hardly the most wretched of security sins."

Yes it is. I seriously believe this is a sacking offense. Any DB Administrator, developer or SysAdmin who creates a password store (database or otherwise) and doesn't employ proper encryption or hashing techniques needs to be shown the door without question. Hashing passwords before storing them and not e-mailing them but employing the password reset method is a fundamental necessity and common knowledge in IT. I've been e-mailed a few of my passwords myself and it does my head in.

3
0
Anonymous Coward

I don't have this problem

Down ASsociated DAiries !

0
0
Anonymous Coward

Dear Tesco,

Why is it that I, a UK citizen, can buy goods online from every fucking retailer on the planet, including Amazon US, using my Visa Electron card, except from Tesco?

Luv,

Mr. W. T. Fork.

0
1

Re: Dear Tesco,

A guess, based on experience, is as follows.

With Cardholder Not Present (CNP) transactions, different providers have different requirements when it comes to who's liable when things go wrong (i.e. some git uses your card!). It may be that the Electron side of Visa mandates that the retailer accepts liability for any chargebacks, and Tesco have decided it isn't worth the risk. I don't know for sure, but similar things happen elsewhere.

For example, any business can still swipe your Chip n Pin card and check the signature. The key difference is, if they do then they are liable for any chargebacks, which is why most places will refuse to do it even if the chip is fried; again, varies between providers though.

The thing about banks is they are always trying to shift potential liability onto someone else, and have two soft targets: us poor sods who have to use them, and retailers who have to use them. So perhaps that's why Tesco won't accept them online, though I'm sure Electron used Verified by Visa last time I had one (pushing liability back onto you). Of course, perhaps Tesco haven't/won't implement VbV, which would push the liability square onto them AFAIK.

0
0

Passwords on sites that I run are salted and then hashed as soon as they are entered.

Password reset is done via email containing a link along the lines of resetpassword.php?email=fred@email.address&id=3b76a20ec4c96105f8fc48c5d9dadab0

The id section of the link is created by salting and hashing the current hash of their password; this way anything related to their password that leaves the server is salted, hashed, salted again and then hashed a second time (and no, the 2 salts are not the same).

Another advantage is that if the password has been changed it is not possible to re-use an old password reset link.

1
0
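The scheme the commenter above describes (store only a salted one-way hash, never email the password, and reset via a link whose id is bound to the current stored hash so old links die when the password changes) is the same point made further up the thread ("passwords should be stored via a one-way hash. Forgotten passwords need to be reset."). The following is an added, self-contained illustration written for this page; it is not the commenter's PHP nor anything from Tesco. Two assumptions are labelled in the code: a server-side secret (`SERVER_KEY`, a constructed placeholder) is used as the keyed second hash in place of the commenter's second salt, and the reset token additionally carries a random nonce and an expiry, which the comment does not mention.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: a secret held only on the server (in practice loaded from a
# secrets store). Constructed placeholder value for this example only.
SERVER_KEY = b"example-server-key-placeholder"
PBKDF2_ITERATIONS = 200_000


@dataclass
class StoredCredential:
    """What the user table holds: a per-user random salt and a slow, one-way
    hash. The password itself is never stored, so it cannot be emailed back."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Salt and hash a password at registration or on change."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredCredential(salt=salt, digest=digest)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def _token_mac(email: str, cred: StoredCredential, nonce: str, expires: int) -> str:
    # Keyed hash over the *current* password hash: if the password changes,
    # cred.digest changes and every previously issued token stops verifying.
    msg = b"|".join([email.encode("utf-8"), nonce.encode("ascii"),
                     str(expires).encode("ascii"), cred.digest])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_reset_token(email: str, cred: StoredCredential, now: Optional[int] = None,
                     ttl: int = 3600, nonce: Optional[str] = None) -> str:
    """Build the id that goes into the reset link. Nothing derived from the
    password leaves the server except this keyed hash of its hash."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    expires = now + ttl
    return f"{nonce}.{expires}.{_token_mac(email, cred, nonce, expires)}"


def check_reset_token(email: str, cred: StoredCredential, token: str,
                      now: Optional[int] = None) -> bool:
    """Validate a token against the credential currently stored for email."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if now >= expires:
        return False  # link has expired
    return hmac.compare_digest(mac, _token_mac(email, cred, nonce, expires))


def reset_link(email: str, token: str) -> str:
    # Hypothetical host; mirrors the link shape in the comment above.
    return f"https://shop.example/resetpassword?email={email}&id={token}"


if __name__ == "__main__":
    cred = hash_password("correct horse battery staple")
    tok = make_reset_token("fred@email.address", cred)
    print(reset_link("fred@email.address", tok))
    print("valid now:", check_reset_token("fred@email.address", cred, tok))
    cred = hash_password("a brand new password")  # user resets
    print("valid after change:", check_reset_token("fred@email.address", cred, tok))
```

The properties worth checking are the ones the thread argues for: a token verifies only against the password hash that was current when it was issued, so a reset link is single-use in the sense the commenter describes; a tampered or malformed id fails closed; and the expiry bounds how long an intercepted email is useful, which addresses the "could be intercepted" worry from the article.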
Anonymous Coward

zOMG that's cool I will copy that for my website MUHAHAAHAAAA

0
0
