Yesterday, it was reported that Tesco was experiencing security issues, and had issued new Clubcards to 600,000 account holders. The supermarket giant said it believed a database of stolen usernames and passwords from other platforms had been tried out on its websites and may have worked in some cases. No financial data was accessed, and its systems have not been hacked, it added. It said this was a precautionary measure and apologized for the inconvenience.
Tesco is issuing new cards to 600,000 Clubcard account holders after unearthing a security issue. https://t.co/WsHoxbxbpw
— Jonathan Stock (@JonathanStock86) March 2, 2020
It’s no wonder that third-party risk has become the most significant cyber issue for organisations around the globe – lax understanding of third parties’ security posture and practices is creating a massive weak spot for all organisations across all industries. Companies must continuously monitor their vendor relationships in order to get a better handle on supply chain risk.
90% of attacks start with some sort of automation, credential stuffing being a prominent one. The software for credential stuffing is so affordable that this type of attack has now become accessible to almost anyone. Attackers can automatically cycle through thousands of username and password pairs and try them against login portals in a short period of time, until one matches an existing account. One effective way to stop this type of attack is to implement security solutions that detect this automated activity at login and at other entry points. By using technologies that include behavioural analytics, automated activity is flagged at login before it can even test any credentials in the company’s environment. At the same time, companies should stay alert for any leaked credentials of their employees or customers, along with mentions of the company and brand names across the dark web, to stay on top of this trend.
Hackers hit Tesco with an attack known as credential stuffing. In this attack, hackers attempt to log into accounts using usernames and passwords leaked from previous, unrelated data breaches and other sources. The attack demonstrates why customers should never reuse passwords across multiple accounts: if one account is compromised, criminals will try the same username and password on other accounts. This process is usually automated so that attackers can attempt hundreds or thousands of logins in a very short time. There’s little Tesco could do to stop such an attack other than offering users two-factor authentication and limiting the number of login attempts. Two-factor authentication would require customers to enter a one-time code sent via SMS, email, or an authenticator app whenever logging in from a new device.
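The two previous paragraphs describe the shape of the attack (one source walking through thousands of leaked username/password pairs, one or two tries per account, most of them failing) and the defences (detecting the automation at login, limiting attempts, resetting accounts where a leaked pair worked). The following added example, which is not Tesco's code nor any vendor's product logic, turns that description into detection logic run over constructed authentication log lines. The log format, the thresholds and the sample traffic are all assumptions; it also shows how the same pass identifies the accounts whose leaked password actually worked, which is the set an operator would force-reset.

```python
"""Credential-stuffing vs. brute-force detection over auth logs.

Added example, not Tesco's or a vendor's code. Log format, thresholds
and sample lines are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Assumed format, one attempt per line:
#   <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


# Tuning knobs (assumed values; real ones depend on the site's normal traffic).
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 5   # stuffing: one source walks through many accounts
MAX_TRIES_PER_USER = 2   # stuffing: each leaked pair is tried once or twice
MIN_FAIL_RATE = 0.8      # most leaked pairs do not work on this site
MIN_FAILS_ONE_USER = 8   # brute force: one account hammered with guesses


def classify_source(events) -> str:
    """Classify the time-sorted attempts from ONE source IP.

    Returns "credential_stuffing", "password_brute_force" or None.
    Any WINDOW-sized slice that matches a pattern flags the source.
    """
    for i, first in enumerate(events):
        window = [e for e in events[i:] if e.ts - first.ts <= WINDOW]
        fails = sum(1 for e in window if not e.ok)
        per_user = Counter(e.user for e in window)
        fail_rate = fails / len(window)
        # Many distinct accounts, 1-2 tries each, mostly failing: a leaked list.
        if (len(per_user) >= MIN_DISTINCT_USERS
                and max(per_user.values()) <= MAX_TRIES_PER_USER
                and fail_rate >= MIN_FAIL_RATE):
            return "credential_stuffing"
        # One account, many failures: classic password guessing.
        if len(per_user) == 1 and fails >= MIN_FAILS_ONE_USER:
            return "password_brute_force"
    return None


def detect(log_text: str) -> dict:
    """Map each flagged source IP to its verdict."""
    by_ip = defaultdict(list)
    for e in parse_log(log_text):
        by_ip[e.ip].append(e)
    return {ip: v for ip, evs in by_ip.items()
            if (v := classify_source(evs)) is not None}


def accounts_to_reset(log_text: str) -> set:
    """Accounts that logged in successfully from a stuffing source: the
    leaked password worked, so the account needs a forced reset."""
    verdicts = detect(log_text)
    return {e.user for e in parse_log(log_text)
            if e.ok and verdicts.get(e.ip) == "credential_stuffing"}


# Constructed sample traffic (documentation-range IPs, example.com users).
SAMPLE_LOG = """\
# stuffing: one source tries a different leaked pair every second
2020-03-01T10:00:00 203.0.113.7 alice@example.com LOGIN_FAIL
2020-03-01T10:00:01 203.0.113.7 bob@example.com LOGIN_FAIL
2020-03-01T10:00:02 203.0.113.7 carol@example.com LOGIN_OK
2020-03-01T10:00:03 203.0.113.7 dan@example.com LOGIN_FAIL
2020-03-01T10:00:04 203.0.113.7 eve@example.com LOGIN_FAIL
2020-03-01T10:00:05 203.0.113.7 fay@example.com LOGIN_FAIL
# brute force: one account, many guesses
2020-03-01T10:05:00 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:04 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:08 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:12 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:16 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:20 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:24 198.51.100.9 gus@example.com LOGIN_FAIL
2020-03-01T10:05:28 198.51.100.9 gus@example.com LOGIN_FAIL
# legitimate user who mistypes twice and then gets in
2020-03-01T10:10:00 192.0.2.10 hal@example.com LOGIN_FAIL
2020-03-01T10:10:07 192.0.2.10 hal@example.com LOGIN_FAIL
2020-03-01T10:10:15 192.0.2.10 hal@example.com LOGIN_OK
"""

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
    print(accounts_to_reset(SAMPLE_LOG))
```

Grouping by source IP is the simplest cut and is exactly what a per-IP login limit enforces; a stuffing tool spread across a proxy pool or botnet will keep every single IP under these thresholds, which is why the behavioural signals mentioned above (request timing, client fingerprint, device reputation) matter in practice. The per-account limit protects against the brute-force case but barely touches stuffing, since each account sees only one or two attempts.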