The news that over 2,000 user credentials from Tesco have been posted online does not come as a surprise given the recent frequency of attacks on major retailers.

From a security expert’s point of view there are significant differences between the Target and Tesco attacks, and one striking similarity.

It appears the Target attack may have been orchestrated through a malware-laced phishing email that moved customer credential data to a certain location to be farmed later. In Tesco’s case, the attack seems to have been more of a “brute force” attack where the credentials are retrieved directly from the log-on page by various methods, including trial and error.

The differences account for the quantities of data stolen: Target lost 110 million card details, while just over 2,000 customer accounts were compromised at Tesco. The problem for Tesco and its customers is that the credentials can be used by a fraudster to access their accounts and transact fraudulently, and that is the similarity between the two attacks.

The attack patterns appear to be nothing new in principle, although the detail may vary. In the case of Tesco we see an example of the modern internet relying on 30-year-old concepts of usernames and passwords as a login method. This technology is inherently insecure and presents a significant attack vector, which is vulnerable to brute force and other exploits. This puts the entire username and password database at risk of being stolen, published and used fraudulently.
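The "trial and error" pattern described above leaves a recognisable trace in a retailer's login logs: many failures from one source, many failures against one account, or one source cycling through many accounts. The following is an added illustration, not code from the article, Tesco or Target; the log format, the IP addresses, the account names and the alert thresholds are all constructed for the example.

```python
"""Flag brute-force and credential-stuffing patterns in login logs.

Added example (not from the article). The log line format
"<ISO time> <source IP> <account> <OK|FAIL>" and all thresholds are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PER_IP_FAIL_LIMIT = 10       # many failures from one source: password guessing
PER_ACCOUNT_FAIL_LIMIT = 5   # many failures on one account: targeted guessing
DISTINCT_ACCOUNTS_LIMIT = 5  # one source trying many accounts: credential stuffing


def constructed_log() -> str:
    """Build a sample log (constructed data, not real traffic)."""
    lines = []
    # twelve failed guesses against one account from one source within seconds
    for s in range(1, 13):
        lines.append(f"2014-02-14T09:00:{s:02d} 198.51.100.7 alice@example.com FAIL")
    # one source trying six different accounts once each (one guess succeeds)
    for n in range(1, 7):
        result = "OK" if n == 4 else "FAIL"
        lines.append(f"2014-02-14T09:05:{n:02d} 203.0.113.9 user{n}@example.com {result}")
    # a genuine user who mistypes twice and then logs in: must not alert
    lines += [
        "2014-02-14T09:10:00 192.0.2.5 bob@example.com FAIL",
        "2014-02-14T09:10:20 192.0.2.5 bob@example.com FAIL",
        "2014-02-14T09:10:40 192.0.2.5 bob@example.com OK",
    ]
    return "\n".join(lines)


def parse_log(text: str):
    """Return a list of (timestamp, ip, account, failed) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "FAIL"))
    return events


def detect(events, window=WINDOW):
    """Sliding-window counts per source and per account; returns alert sets."""
    events = sorted(events, key=lambda e: e[0])
    alerts = {"ip_bruteforce": set(), "account_bruteforce": set(),
              "credential_stuffing": set()}
    for i, (ts, ip, account, _failed) in enumerate(events):
        # only events inside the window ending at this event are counted
        recent = [e for e in events[:i + 1] if e[0] >= ts - window]
        ip_fails = sum(1 for e in recent if e[1] == ip and e[3])
        acct_fails = sum(1 for e in recent if e[2] == account and e[3])
        accounts_from_ip = {e[2] for e in recent if e[1] == ip}
        if ip_fails >= PER_IP_FAIL_LIMIT:
            alerts["ip_bruteforce"].add(ip)
        if acct_fails >= PER_ACCOUNT_FAIL_LIMIT:
            alerts["account_bruteforce"].add(account)
        if len(accounts_from_ip) >= DISTINCT_ACCOUNTS_LIMIT:
            alerts["credential_stuffing"].add(ip)
    return alerts


def analyze_sample():
    """Run the detector over the constructed log."""
    return detect(parse_log(constructed_log()))


if __name__ == "__main__":
    for kind, hits in analyze_sample().items():
        print(f"{kind}: {sorted(hits)}")
```

The third rule matters as much as the first two: a source that submits each account only once never trips a per-account failure counter, so a detector that only locks accounts after N failures misses credential stuffing entirely. In production these counts would be kept in a rolling store rather than recomputed per event, and a hit would feed rate limiting or step-up authentication rather than a hard lockout that an attacker could use to deny service to legitimate customers.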

Additional layers of security common in other sectors such as banking include one-time passwords sent over SMS or generated by key-fob devices. However, these are extremely expensive, diminish the customer experience and really are only a band-aid over the core problem of usernames and passwords.

To establish trust and prevent these types of attacks, online retailers and other organisations need to look beyond username and password protection, and even beyond common two-step authentication. They should urgently consider technologies that remove the username and password altogether, so that there is nothing to be stolen or compromised in the first place.

The Tesco attack suggests that no human error or organisational process is to blame – it is another example of a lack of investment in modern authentication technology to protect customers, their data and the reputation of the retailer, a failing which unfortunately continues to prevail.

  • Brian Spector is chief executive at CertiVox