
THOUSANDS of Tesco.com logins and passwords leaked online

Thousands of Tesco customers have had their emails and passwords posted online after hackers got their hands on the login details. A list of over 2,200 Tesco.com accounts was published on Pastebin yesterday and some customers have complained that their vouchers have gone missing from their accounts. Tesco customers took to the …

COMMENTS




Is this Tesco's fault?

Not the first, won't be the last.

If users have the same username / password on multiple sites, is this really Tesco's fault?

However it wouldn't be difficult to implement two factor authentication, requiring, for example, a pin, birth date, last random digits of the Tesco club-card number etc. to prevent this occurring in the first place.

I personally don't use Tesco's, but I do use LastPass to create a unique password for every site where I have a logon. However, I have had the greatest difficulty getting 'er indoors to use LastPass; she used to have the same username/password combo for fakebook/paypal/ebay/next etc.

Anonymous Coward

Re: Is this Tesco's fault?

Do you work for Tesco or something?

Of course it's their fault!

If they don't have any sort of monitoring in place, any sort of lockout policy after X attempts, or their login system gives away too much information (e.g. saying "username invalid" instead of "username or password invalid") ..... then of course it's their fault.

The loss of 2000+ records is not insubstantial; they should have had monitoring systems that would have picked up a sudden influx in attempts.

Obviously not sure if any/all of the above apply to Tesco, and whilst it's obviously a good thing to use a different username/password everywhere, it doesn't solve everything when it comes to security.


Re: Is this Tesco's fault?

Eh, no..... you'd think that a LOT of login attempts from the same source (IP etc.) would start to raise a red flag somewhere. If your customer base is in the UK and the IP address comes from somewhere else, then this is not likely to be your customer.

This looks like a mix of sloppy user security (if Tesco are being truthful) and a lack of security on incoming requests.

Anonymous Coward

Re: Is this Tesco's fault?

> If your customer base is in the UK and the IP address come from somewhere else, then this is not likely to be your customer.

Not only that, but you can easily keep a log of where your genuine customer has logged in from the last few times.

A change in pattern for that customer (perhaps combined with an overall view of the change in pattern across your customer database) could give you a clue as to whether something's going on.

You could even maintain a list of high-risk IP ranges ... more login attempts than "normal" on your platform from those ranges could trigger an alarm.

The technology's all out there.....

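The checks the three posts above describe (monitoring for a sudden influx of attempts, a lockout policy after X failures, a lot of attempts from one source IP, and a per-customer record of where they usually log in from), worked through as an added Python example. This is not Tesco's code and not anything a poster wrote: it assumes a login log in the constructed one-line-per-attempt format embedded below, and the thresholds, the high-risk IP range and each customer's usual country are illustrative assumptions, not anything the article reports.

```python
"""Login-log heuristics for spotting a credential-stuffing run.

Added example: not Tesco's code and not from any poster in this thread.  It
assumes a one-line-per-attempt login log in the constructed format below
(timestamp, source IP, GeoIP country, account, outcome).  The thresholds,
each customer's 'usual' country and the high-risk range are illustrative
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: one source walks a list of leaked (e-mail, password)
# pairs in a few seconds, most fail, some succeed; ordinary customers log in
# around it.  All addresses are from documentation ranges.
SAMPLE_LOG = """\
2014-02-13T21:00:00 198.51.100.23 GB alice@example.com OK
2014-02-13T21:00:01 203.0.113.7 XX alice@example.com FAIL
2014-02-13T21:00:01 203.0.113.7 XX bob@example.com FAIL
2014-02-13T21:00:02 203.0.113.7 XX carol@example.com OK
2014-02-13T21:00:02 203.0.113.7 XX dave@example.com FAIL
2014-02-13T21:00:03 203.0.113.7 XX erin@example.com OK
2014-02-13T21:00:03 203.0.113.7 XX frank@example.com FAIL
2014-02-13T21:00:04 203.0.113.7 XX grace@example.com FAIL
2014-02-13T21:00:04 203.0.113.7 XX heidi@example.com OK
2014-02-13T21:05:00 198.51.100.44 GB bob@example.com FAIL
2014-02-13T21:05:07 198.51.100.44 GB bob@example.com OK
2014-02-13T21:30:00 192.0.2.9 AU carol@example.com OK
"""

# Assumed 'known bad' ranges; a real list would come from a threat feed.
HIGH_RISK_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Returns (timestamp, ip, country, account, succeeded) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, account, outcome = line.split()
        rows.append((datetime.fromisoformat(ts), ip, country, account, outcome == "OK"))
    return rows


def stuffing_sources(rows, window=timedelta(minutes=1), min_accounts=5):
    """IPs that tried at least `min_accounts` *distinct* accounts inside `window`.

    This is the signature a per-account lockout misses: in a stuffing run each
    account is tried once, so no single account ever reaches the threshold.
    """
    by_ip = defaultdict(list)
    for ts, ip, _, account, _ in rows:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


def locked_accounts(rows, max_failures=3):
    """Accounts that hit `max_failures` consecutive failures (the classic lockout rule)."""
    streak = defaultdict(int)
    locked = set()
    for _, _, _, account, ok in sorted(rows):
        streak[account] = 0 if ok else streak[account] + 1
        if streak[account] >= max_failures:
            locked.add(account)
    return locked


def unusual_logins(rows, usual_countries):
    """Successful logins from a country the account has not used before, or
    from a high-risk range.  These are signals to flag or step up (mail the
    customer, ask for Clubcard digits), not grounds to block: customers
    abroad and oddly-routed ISPs look exactly the same in this data.
    """
    seen = {acct: set(countries) for acct, countries in usual_countries.items()}
    unusual = []
    for _, ip, country, account, ok in sorted(rows):
        if not ok:
            continue
        risky = any(ipaddress.ip_address(ip) in net for net in HIGH_RISK_RANGES)
        known = seen.setdefault(account, set())
        if known and (country not in known or risky):
            unusual.append((account, country, ip))
        known.add(country)
    return unusual
```

Run over the sample, the stuffing run trips the distinct-accounts-per-IP check but never the per-account lockout, because each leaked pair is tried exactly once. The location check flags the attacker's successes and also a genuine customer ordering from Australia, which is why its output should drive a step-up prompt rather than a block.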

Re: Is this Tesco's fault?

"However it wouldn't be difficult to implement two factor authentication, requiring, for example, a pin, birth date, last random digits of the Tesco club-card number etc. to prevent this occurring in the first place."

Not difficult but potentially a nightmare to manage. Distribution, revocation and verification of the second factor is hard enough when companies deal with their employees - Tesco has an elastic user base, so there would be a reliance on an externally provided source of the second factor. Apart from anything else, there has to be a decision on how many new customers will go elsewhere when they are told to get the dongle / app / whatever rather than just click and buy.

Then you hit the problem about users needing a second factor for every different site they manage. Or do we have a federated second factor service which instantly throws up issues around being a single point of failure etc.

All Tesco needed to do here was have better security controls around how it allowed access. 2FA may have helped but is far from the only answer.


Re: Is this Tesco's fault?

> If your customer base is in the UK and the IP address come from somewhere else, then this is not likely to be your customer.

Except I used to work at a customer site in the UK that due to the nationality of their ISP all websites thought was in France. Sites that blocked non-UK IP addresses seriously pissed me off.

> Not only that, but you can easily keep a log of where your genuine customer has logged in from the last few times.

> A change in pattern for that customer (perhaps combined with an overall view of the change in pattern across your customer database) could give you a clue as to whether something's going on.

Oh yes very nice except it will inconvenience customers. Steam use a system like this and last week I had to confirm I was at a new location 3 or 4 times just to use my Steam account. Annoying for me, for your average luddite member of the public this would drive them to another supermarket.

You could have the most secure site in the world but no customers because it will be a pain in the arse to use. You have to work out a realistic threat model and apply reasonable security rules to mitigate the actual risks whilst not over inconveniencing the customer. This isn't corporate IT where you can force the users to jump through your security hoops because you say so.


Re: Is this Tesco's fault?

No need for dongles, there are plenty of authentication apps for smartphones, or SMS or a phone call with a spoken code...

There are lots of methods that don't include them having to have a dongle. They are all inconvenient, but the question is, does the inconvenience outweigh the loss of your control over the account?

Anonymous Coward

Re: Is this Tesco's fault?

Your birthdate or a PIN number is not 2 factor authentication. And LastPass is only free for iPad fanbois.

I do hope you don't give out security advice for a living.


Re: Is this Tesco's fault?

> If your customer base is in the UK and the IP address come from somewhere else, then this is not likely to be your customer.

That's a parochial view you're adopting of how people use the Internet. Being able to order from overseas is v.handy. I ordered bottles of wine from Tesco for the folks while I was in Australia.


Oh dear

I seem to remember Tesco being covered on El Reg a year or two back. I also remember several people at the time objecting to their clearly storing passwords in clear text, as opposed to salted hash.

In short then, it's not like they were not warned...

I'm not certain about this, but I think they got shirty with the guy who originally exposed them as well.


Re: Oh dear

Here we go:

http://www.theregister.co.uk/2012/07/31/tesco_website_insecurity/

Exit stage left security team...


Re: Oh dear

Another sign of just how seriously Tesco take the security of their customers:

https://www.ssllabs.com/ssltest/analyze.html?d=secure.tesco.com


Re: Oh dear

I saw this a couple of years ago, did a "password forgot" link. Instead of a reset-link type response, they emailed me the current password in plain text. Wow.... I changed it straight away to a Tesco-specific one, and spouted off about how bad practice that was, but noticed that others also knew this, but everyone, including Tesco, knew what they were doing.

I'm surprised it's taken this long for it to be stripped bare.....


Unencrypted passwords ?

Who at Tesco thought that was in any way a Good Thing?

The "Fail" icon just isn't big enough for this one.


Re: Unencrypted passwords ?

Like I said above, they were warned about this a year or two back...


Even worse

They *needed* warning ?????????


Re: Even worse

I know...

I remember discussing with colleagues how come we (pokey works management system at the time) were aware of salted hashes, and the team behind a site like Tesco.com, with multi-million pounds in transactions, either were not aware, or didn't consider it important...


parallel lives

I checked the data and just found out that someone who has the same name as me also has a dog with the same name as my dog. It took me 10 minutes to work out whether it was me and I had been drunkenly creating accounts or not.


CrapTastic

Just changed my password for Tesco as a matter of course.

Passwords can only be between 6 and 10 characters, and it doesn't seem to support complex characters, only upper, lower and numerical.

What year is this, 2002?


Every little helps

For the hackers, obviously.

Anonymous Coward

Re: very little help

There, fixed it for you :)


complexity

The data is well worth a quick skim through. Quite impressive how many people think disney and tigger are acceptable passwords. Stop it.


Re: complexity

Indeed, I just compiled a list of the most popular. Seems a lot of yummy mummies need some basic education about information security:

10 instances: charlie

6: sophie

5: elizabeth, jessica

4: barney, benjamin, george, joshua, liverpool, louise, november, shopping

3: arsenal, cameron, caravan, connor, dexter, disney, dragon, francesca, hannah, jasper, jessie, kipper, manchester, marmite, michael, rachel, rebecca, scotland, shannon, smudge, stanley, thomas, tigger, tinkerbell, william, willow

(plus additional variations with "1" or "01" suffix)

Anonymous Coward

Worth reading...

Here's an explanation of what *MIGHT* have happened and exactly how poor Tesco's security actually is regardless...

http://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html


Here's a very good analysis, and from cross matching the data it doesn't look like the data has been pulled from other sites: http://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html Though it doesn't say why the sample is so small, or why it's unattributed.

Anonymous Coward

Tesco Security - Password Restriction

Password can only be between 6 and 10 characters and you can not use special characters - not very secure IMO.


Re: Tesco Security - Password Restriction

I know over the years we've made much about the length of passwords; however, I suggest that the length only really becomes important when there are no other protection mechanisms and someone is able to get hold of a site's credentials file containing encrypted passwords and run an off-line brute force attack against it.

I suggest that a 4 digit PIN can be adequate, if: it and other credentials are only communicated in an encrypted form, the number of failed attempts is severely limited (three say) and that the account becomes locked until the user through some other channel unlocks the account - as per bank ATM cards.

Anonymous Coward

There are some important steps you can take to make sure online retailers don't get away with this

1. Reject any offer of 'help to reduce the impact of identity theft'. "Identity theft" is a concept dreamed up by Credit Reference agencies and retailers to push responsibility for a data loss incident back onto the consumer.

2. Tell the offending retailer that you will use your own remediation service (at cost) to them. Change passwords, backup some stuff, stop using Password123 or whatever. If the retailer says they won't pay, make a complaint to the ICO, detailing what happened and why you don't want to use the retailer's preferred 'solution' to the 'identity theft' incident.

3. Go to town. Hey, every little helps. Take a taxi to the photocopying shop, rack up some expenses and then put them forward as part of your claim to the ICO. The ICO will rule against the retailer and you'll get costs and time.

4. Go back to the retailer and tell them the ICO's decision - at that point they will offer to settle. Their alternative is to face court and lose.

5. PROFIT!


Tesco (.com and .net) have useless password protection. After the last breach I tried to change my password to a much stronger one. It changed, but when I found I couldn't log on I contacted their Help. "Only use the first 10 characters of that password and you'll be fine..."

It was an unusual and inaccurate definition of the word 'fine'.

Anonymous Coward

Tesco telling porkies?

I don't think Tesco is being entirely truthful here. Sloppy user security? My Tesco password was reasonably strong and not associated with any other site, yet today I discover that the (very) few points linked to my Tesco account are gone. As of tonight, Tesco still hasn't got back to me.


Was it just me that, the day before this breach was announced, received a phishing email asking me to fill out a form giving my opinion of Tesco, in return for a credit of £60 or so to my clubcard account? Perhaps the data was lost by people who filled out the form and gave their clubcard info? I did try to forward the email to Tesco but could not find an abuse@ or phishing@ email to send it to. Ho, hum.

Anonymous Coward

Could be worse ...

Next still allow customers to sign into their accounts with nothing more than an account number and date of birth - the same account number that's quoted in all email correspondence with customers.


Banking security

At least Tesco Bank have 2 factor security. Maybe people will stop complaining about 2 factor being a hassle now (doubt it).

Anonymous Coward

Do any still work?

None of these accounts still work ..

Anonymous Coward

Tesco IT infrastructure?

Not that this has anything to do with the current incident ...

Anonymous Coward

@AC "Password can only be between 6 and 10 characters and you can not use special characters "

In response to this I logged in to my club card account and changed p/w, it required 8-15 characters including at least one upper case, one lower, one digit and one other (£$%etc).

Also to spend my vouchers it asks to confirm e.g. digits 10, 11 and 15 of my clubcard number.

Have they put this in place in response to the story? If so they would appear to have redeemed themselves somewhat. (although I guess Pa$$word!23 would work, I wonder if there's an easy way to prevent passwords like that?)

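An answer to the question in the post above (is there an easy way to stop "Pa$$word!23" passing a composition rule?) as an added Python example; not Tesco's code and not from any poster. The composition rule is the one reported above (8-15 characters with upper, lower, digit and symbol), and the blocklist is seeded with "password" plus the words another poster counted most often in the leaked list, including the "1" and "01" suffix variations noted there. The leet-speak map and the suffix-stripping step are illustrative choices made here, not part of any Tesco policy.

```python
"""Checking a new password against a composition rule *and* a blocklist.

Added example, not Tesco's code.  The composition rule is the one reported
in the thread (8-15 characters with upper, lower, digit and symbol); the
blocklist is seeded with 'password' and the words another poster counted
most often in the leaked list.  The leet-speak map and the 'strip a trailing
digit or symbol suffix' step are illustrative choices made here.
"""
import re

# Words seen repeatedly in the leaked list, per the thread, plus the obvious
# one.  A real deployment would check against a large breached-password set.
BLOCKLIST = {
    "password", "charlie", "sophie", "elizabeth", "jessica", "barney",
    "benjamin", "george", "joshua", "liverpool", "louise", "november",
    "shopping", "arsenal", "disney", "tigger", "tinkerbell", "marmite",
    "manchester", "scotland", "dragon",
}

# Substitutions people use to satisfy 'must contain a digit/symbol' while
# keeping a dictionary word underneath.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})

COMPOSITION = (("upper case letter", r"[A-Z]"), ("lower case letter", r"[a-z]"),
               ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))


def normalise(password):
    """'Pa$$word!23' -> 'password', 'Tigger01' -> 'tigger', 'L1verpool' -> 'liverpool'."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop the '1', '01', '!23' tail
    core = re.sub(r"^[^a-z]+", "", core)   # ...and any leading padding
    core = core.translate(LEET)            # undo the obvious substitutions
    return "".join(ch for ch in core if ch.isalpha())


def blocklisted(password):
    """The blocklist word the password is built on, or None."""
    norm = normalise(password)
    for word in sorted(BLOCKLIST, key=len, reverse=True):
        if norm == word or (len(word) >= 5 and word in norm):
            return word
    return None


def check_password(password, min_len=8, max_len=15):
    """Returns the list of policy failures; an empty list means acceptable."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append("length must be %d-%d characters" % (min_len, max_len))
    for name, pattern in COMPOSITION:
        if not re.search(pattern, password):
            problems.append("missing " + name)
    word = blocklisted(password)
    if word is not None:
        problems.append("built on the common password '%s'" % word)
    return problems
```

The composition rule alone passes "Pa$$word!23"; the normalisation step reduces it to "password" and rejects it, and the same step catches "Tigger01" and "Ch4rlie$9". The 15-character cap is kept only because that is the policy reported above; for a site that hashes the full password there is no reason to have an upper limit at all.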