
Clubcard comment

by Mark Rowe

The retailer Tesco suspended thousands of online accounts after cybercriminals targeted log-in credentials and Clubcard points.

The deactivation came in mid-February after thousands of usernames and passwords – taken from non-Tesco websites – appeared on a text-sharing website. Fraudsters then replayed those stolen credentials against Tesco.com, a technique known as credential stuffing, which relies on the fact that some people use the same username and password on several websites.

Tesco said that it was “urgently investigating” the appearance of the data online and that only a ‘very small’ number of voucher holders had been affected.
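The attack described above leaves a recognisable server-side signature: one source address trying many distinct usernames in quick succession, each only once, with most attempts failing. The following added example (not code from the article, from Tesco, or from any of the vendors quoted below) runs a simple sliding-window detector over a handful of constructed login-log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
"""Credential-stuffing detection over a login-event log.

Added example; not code from the article or from Tesco.  The log line
format, the thresholds and the sample addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Tesco data).  One source address
# walks a list of leaked usernames; two ordinary users log in alongside.
SAMPLE_LOG = """\
2014-02-15T02:13:07Z ip=203.0.113.5 user=alice result=FAIL
2014-02-15T02:13:08Z ip=203.0.113.5 user=bob result=FAIL
2014-02-15T02:13:09Z ip=203.0.113.5 user=carol result=OK
2014-02-15T02:13:10Z ip=203.0.113.5 user=dave result=FAIL
2014-02-15T02:13:11Z ip=203.0.113.5 user=erin result=FAIL
2014-02-15T02:13:12Z ip=203.0.113.5 user=frank result=FAIL
2014-02-15T02:13:13Z ip=203.0.113.5 user=grace result=OK
2014-02-15T02:13:14Z ip=203.0.113.5 user=heidi result=FAIL
2014-02-15T02:14:00Z ip=198.51.100.7 user=ivan result=FAIL
2014-02-15T02:14:05Z ip=198.51.100.7 user=ivan result=OK
2014-02-15T02:15:00Z ip=198.51.100.9 user=judy result=OK
"""

# Assumed log format: "<iso-timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success=0.5):
    """Flag sources that tried >= min_users distinct usernames inside one
    window with a success rate <= max_success.

    Distinct usernames per source is the key signal: a brute-force guess
    hits one account many times, whereas stuffing hits many accounts once
    each with a leaked password that is sometimes right.  Returns
    {ip: {"distinct_users", "attempts", "successes", "compromised"}} for
    the largest qualifying window per source.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(successes) / len(span) <= max_success:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": len(successes),
                        # accounts the attacker got into: reset these first
                        "compromised": sorted(set(successes)),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the constructed log only 203.0.113.5 is flagged: eight distinct usernames in seven seconds with two successes, and the `compromised` list (carol, grace) is the set of accounts to suspend, which is the action Tesco took. The thresholds are deliberately low for a toy log; in production they would be tuned against normal traffic, and the distinct-username count would be tracked per source across the whole session rather than in a single in-memory pass.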

Comment

The ethical hacker Jason Hart, VP Cloud Solutions at SafeNet, is among the speakers at the Midlands Fraud Forum annual conference on Thursday, February 20 in Birmingham. He said: “In 2013, there were over 595 million data records lost or stolen, demonstrating that conventional breach prevention and perimeter-based security are not sufficient for protecting modern data. It’s clear that it’s not a matter of if a data breach will occur, but when, so it’s vital that organisations are taking the correct precautions to ensure that their most sensitive data remains protected. While the latest Tesco data breach was not a result of a direct attack on the Tesco.com website, it does highlight the wider implications of data breaches. Many people often use the same password across multiple sites, so the true impact of any data breach is always likely to be bigger than first anticipated.

“This is not the first time that supermarkets have fallen foul of a cyber-attack and it should serve as a reminder to all retailers of the threat posed by data breaches. Too many security departments hold on to the past when it comes to their security strategies, focusing on breach prevention rather than securing the data that they are trying so hard to protect. Methods used by cybercriminals are becoming increasingly sophisticated and if they want to hack the system or steal data, then they will find one way or another to do so. Companies need to focus on what matters most – the data. By utilising technologies such as encryption that render any data useless to an unauthorised party, as well as tamper-proof and robust key management controls, companies can be safe in the knowledge that their data is protected, whether or not a security breach occurs.”

Peter Armstrong, director of cyber security, Thales UK suggested large companies need to realise that cyber security is a business issue, not just an IT issue.

He said: “It’s a shame to see that another large organisation has fallen prey to cyber criminals in this latest attack on Tesco.com. There is currently a high level of naivety in the market regarding cyber security, resulting in many organisations unintentionally putting themselves at risk. It is important that companies realise cyber security is a business issue, not just an IT issue. In fact, if they’ve not already realised this, their organisation is already on the back foot. The consequences of cyber-attacks are now so severe that cyber defence has become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively.

“Best practice cyber maturity should centre around continuous policy evaluation and adaptation to ensure your organisation is protected against the latest evolution of threat and attack vectors.”

And David Emm, senior security researcher at Kaspersky Lab, said that this latest data breach proved the danger of using one password across the board, since it lets cybercriminals reach all of a victim’s online accounts in one swoop.

“It is possible to create strong, memorable passwords which don’t use personal data. We’ve all heard the advice from security professionals:

1. Make every password at least eight characters long – and 15 plus is better.
2. Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
3. Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
4. Combine letters (including uppercase letters), numbers and symbols.
5. Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.

We are all aware that, if we follow this advice, there are too many, and they’re too complicated, to remember – especially in the case of an account we don’t use very often.

Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example: start with the name of the online resource, let’s say ‘mybank’. Then apply your formula: e.g.

1. Capitalise the fourth character.
2. Move the second last character to the front.
3. Add a chosen number after the second character.
4. Add a chosen non-alphanumeric character to the end.

This would give you a password of ‘n1mybAk;’.

There is an alternative method too. Instead of using the name of the online resource as the fixed component, create your own passphrase and use the first letter of each word. So if your passphrase is ‘the quick brown fox jumps over the lazy dog’ the fixed component of each password starts out as ‘tqbfjotld’. Then apply your four step rule.

By using either of these methods, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information.

If you find even this too complicated, consider using a password manager – software that automatically creates complex passwords for you, keeps them secure and auto-enters them when you need to log in.”
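The four-step scrambling formula in the comment above, carried through in code as an added example; this is not Kaspersky’s or the article’s own code. The step order, the example inputs ‘mybank’ and ‘tqbfjotld’, the number ‘1’ and the symbol ‘;’ come from the quote; reading step 3 as “insert the number so that it becomes the second character” is my assumption, chosen because it reproduces the quoted result ‘n1mybAk;’. The three site names used for the uniqueness check are constructed.

```python
"""The 'fixed component + scrambling formula' password scheme, step by step.

Added example; not Kaspersky's or the article's own code.  Step 3 is read
as 'insert the chosen number so that it becomes the second character',
an assumption that reproduces the article's worked result 'n1mybAk;'.
"""


def derive_password(base, number="1", symbol=";"):
    """Apply the four-step formula to a fixed component, e.g. a site name
    ('mybank') or a passphrase acronym ('tqbfjotld')."""
    if len(base) < 4:
        raise ValueError("fixed component must be at least 4 characters")
    chars = list(base)
    # 1. Capitalise the fourth character.
    chars[3] = chars[3].upper()
    # 2. Move the second-last character to the front.
    chars.insert(0, chars.pop(-2))
    # 3. Insert the chosen number as the second character (assumed reading).
    chars.insert(1, number)
    # 4. Add the chosen non-alphanumeric character to the end.
    chars.append(symbol)
    return "".join(chars)


def passphrase_acronym(phrase):
    """First letter of each word: the alternative fixed component."""
    return "".join(word[0] for word in phrase.split())


def derive_for_sites(sites, number="1", symbol=";"):
    """Derive one password per site and confirm they are all distinct,
    which is the property the scheme is meant to provide against reuse."""
    out = {site: derive_password(site, number, symbol) for site in sites}
    if len(set(out.values())) != len(out):
        raise ValueError("two sites derived the same password")
    return out


if __name__ == "__main__":
    print(derive_password("mybank"))                       # the quoted example
    print(derive_password(passphrase_acronym(
        "the quick brown fox jumps over the lazy dog")))  # passphrase variant
    # Constructed site names, used only to show that each gets its own password.
    for site, pw in derive_for_sites(["mybank", "myshop", "mymail"]).items():
        print(site, "->", pw)
```

Running it prints ‘n1mybAk;’ for the quoted example and ‘l1tqbFjotd;’ for the passphrase acronym. One caveat worth weighing before adopting the scheme: the formula is deterministic, so a single derived password that leaks alongside its site name is enough for an attacker to infer the formula and reconstruct the passwords for other sites. That is the reason the password-manager option at the end of the quote, which generates unrelated random passwords, is the stronger choice.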

Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said: “There’s no point in buying technology that never gets implemented, either because it is not fit for purpose or because it ends up costing astronomical fees to implement. It’s time companies started to realise that too many vendors see customers as cash cows who end up discovering that 20% of the cost is the product and 80% is locked in professional services.

“Until these organizations recognise that the fundamental component of securing themselves is controlling their privileged credentials and continuously monitoring to detect anomalies, everything else they do is irrelevant.”

And Lancope CTO Tim ‘TK’ Keanini said: “These events are about as hard to predict as the sun rising tomorrow morning. The problem is not the fact that cybercriminals break into these networks, but that they can go undetected while they figure things out and ultimately exfiltrate the files without being seen. Having eyes on a popular text-sharing site is not an effective method of detection by anyone’s standard. In a recent survey performed by the Ponemon Institute on incident response, the proportion of companies using the operational metric of Mean Time To Know (MTTK) was a miserable 23 per cent, so it is just far too easy for cybercriminals these days to operate effectively.

“This is not Tesco’s first security incident, and let’s hope they are experienced enough now to have in place the right telemetry for a timely and precise investigation – because the time to put up the security cameras is not after the incident, if you know what I mean. Given the way the reports say the incident was discovered, it does not seem that they have the right technology in place when facing this advanced threat. Sadly, most retailers do not.

“If these retailers would spend half the time on cybersecurity analytics as they spend on consumer analytics predicting buying patterns, the cybercriminals would have a very hard time being successful as their behaviour could be predicted and retailers would have more effective defences. This I believe is evidence that retailers do not feel like cybercrime is a part of doing business yet but how many more times will they need to be compromised before incident response is part of the business process?”

© 2024 Professional Security Magazine. All rights reserved.