Boots Suspends Advantage Card Payments After Cyber Attack – Experts Respond

It has been reported that Boots has suspended payments using loyalty points in shops and online after attempts to break into customers’ accounts using stolen passwords. Customers will not be able to use Boots Advantage Card points to pay for products while the issue is dealt with. Boots said none of its own systems were compromised, but attackers had tried to access accounts using reused passwords from other sites. A spokeswoman for Boots said the issue affected less than 1% of the company’s 14.4 million active Advantage Cards – fewer than 150,000 people. But it could not give an exact number as the company was still dealing with the problem.


6 Expert Comments
Jake Moore, Cybersecurity Specialist
InfoSec Expert
March 6, 2020 7:11 pm

In cases like this, criminals utilise a technique known as ‘password stuffing’, where simple tools allow them to use passwords that have been stolen in a previous hack or breach to access multiple different accounts. On the dark web, huge lists of leaked passwords are available at very little cost to bad actors, or sometimes even for free.

Many consumers repeat the same two or three passwords across all of their different online accounts, which makes attacks like these even easier for criminals to carry out. Whilst it may be inconvenient to use a unique password for each of the logins you have, the benefits far outweigh the difficulties of keeping your data safe online. My advice would be to use a password manager, where you can store all of your individual, unique passwords robustly online, meaning that you don’t have to remember them yourself.

Another way to make password stuffing attacks more difficult for cyber criminals is to make sure you have implemented two factor authentication on each of your accounts. This extra step of security is essential in protecting your online accounts.

Last edited 2 years ago by Jake Moore
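The ‘password stuffing’ pattern described above leaves a distinctive trace in a service’s own authentication logs: one source cycling through many different accounts with mostly failed logins, which is not how a genuine customer behaves. The following is an added example for this page, not code from Boots or from any of the commentators; it assumes a simple whitespace-separated log layout and uses constructed log lines.

```python
"""Spot credential-stuffing runs in authentication logs (added example).
Assumed log layout: "<ISO time> <src_ip> <user> <result>"; a stuffing run is one
source cycling through many distinct usernames with mostly failures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a stuffing run from 203.0.113.7 (one hit on
# 'dave') and a legitimate user retrying her own account from 198.51.100.9.
SAMPLE_LOG = """\
2020-03-06T18:00:01 203.0.113.7 alice FAIL
2020-03-06T18:00:02 203.0.113.7 bob FAIL
2020-03-06T18:00:02 203.0.113.7 carol FAIL
2020-03-06T18:00:03 203.0.113.7 dave OK
2020-03-06T18:00:04 203.0.113.7 erin FAIL
2020-03-06T18:00:05 203.0.113.7 frank FAIL
2020-03-06T18:05:00 198.51.100.9 alice FAIL
2020-03-06T18:05:30 198.51.100.9 alice FAIL
2020-03-06T18:06:00 198.51.100.9 alice OK
"""

def parse(text):
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, successes)} for every source that, within
    one sliding window, tried >= min_users accounts with a low success rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            ok = sum(1 for _, _, r in span if r == "OK")
            if len(users) >= min_users and ok / len(span) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), ok)
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: treat them
    as likely taken over and force a credential reset."""
    return {user for _, ip, user, r in events if ip in flagged and r == "OK"}
```

The thresholds are assumptions to tune per service; the successful login from a flagged source is the case that warrants a forced reset and notification rather than a silent block.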
Robert Prigge
InfoSec Expert
March 6, 2020 7:09 pm

Over the past 72 hours, Tesco Clubcards and Boots Advantage Cards have had nearly a million personal details compromised and/or stolen by hackers. These hackers have used the credentials and passwords they have stolen from different sites to access these loyalty accounts.

But simply reissuing loyalty cards and asking users to change their passwords is not going to prevent the same from happening again. It’s time these businesses stop relying on the password to protect personal data, as passwords can be easily guessed and bypassed, and are also sold for pennies on the dark web as a result of prior data breaches.

Biometric authentication is significantly more secure, reliable, and delivers a much higher level of assurance. Leveraging biometrics will protect the next generation of consumers while avoiding the same basic security pitfalls that are fuelling the fraud epidemic plaguing enterprises and consumers alike.

Last edited 2 years ago by Robert Prigge
Nicky Whiting, Head of Consultancy
InfoSec Expert
March 6, 2020 7:07 pm

This attack really emphasises the need for users to be far more savvy about their passwords. The hackers simply used existing, known compromised accounts to access the information, knowing full well that a lot of people use the same password for all accounts. Users need to realise that if they want to protect their personal information, they need to take some responsibility and employ password best practices, e.g. separate passwords for each account, long passwords using three random words.

Last edited 2 years ago by Nicky Whiting
Sam Curry, Chief Security Officer
InfoSec Expert
March 6, 2020 7:03 pm

The Boots breach is yet another reminder of how it’s become almost a reflex now for retailers to contact customers saying ‘we regret to inform you that due to a breach, your personal data may have been….’ The number of identity compromises by this point is huge, and yet life continues. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive pay-outs.

Fool me once, shame on you. Fool me twice, shame on me. Fool me ten times, enough is enough! It’s time to really up the ante: minimise the extent of possible breaches and compromises, minimise exposure when breaches like this occur. Having customer data is a privilege, not a right. The time to beef up security is long past. Explanations for breaches of this sort in the retail industry demand a little more than a form letter and business as usual. If crime actors find a new way to compromise data, the numbers shouldn’t be in the 10s of millions, and the stories of how it’s done should be getting more sophisticated. If not, it’s like hanging a sign outside saying “jobs wanted” by the fraudsters and that’s not acceptable in 2020.

Last edited 2 years ago by Sam Curry
Boris Cipot, Senior Sales Engineer
InfoSec Expert
March 6, 2020 7:02 pm

Reused passwords are almost as dangerous as weak passwords. Typically, we are under the impression that the only problem posed by passwords is when they are short and simple, making them easy to guess. This is definitely true and explains why we are often reminded to create ‘strong passwords’ requiring a mix of capital and small-case letters, a length of 10-20 characters as well as the inclusion of numbers and/or special characters. However, we are rarely aware that even the most complex password is not enough if we reuse it across different accounts.

Consider all the various app logins, web portal accesses and email client authentications that require a username and password. Most will admit that they are reusing their logins on all these services. This means that if an attacker is able to hack into the user database of a webpage that has low security, they could also obtain access to one’s bank account. This is exactly what attackers are banking on.

Writing algorithms that try logging into different services and checking for reused passwords is not a rarity. We read frequently about breaches of databases holding sensitive user information and the distribution of it, permitting bad actors from around the world free rein to do what they will with it. In fact, the attack on Boots is a clear example of this occurring.

Nevertheless, it is good to see that Boots had recognised the attack and stopped it before it became a problem. This is a great example of how things should work. Stopping the breach, preventing the service from being manipulated, and notifying the public on what has happened is the best line of action. I would also suggest that Boots takes it upon themselves to block the use of all existing passwords and make it mandatory for users to recreate new passwords that comply with all the necessary features to make them ‘strong’.

While I understand the difficulty of creating various ‘strong’ passwords for each service used, one good way of overcoming this is through password managers. Password managers have the possibility to create and store different strong passwords for all your services, while you only remember one main password. You just need to be sure to use a password manager you can trust. Check which ones are recommended and where they come from. Keep in mind that not every app is a good app, and what is free is not always good.

Last edited 2 years ago by Boris Cipot
Information Security Buzz