
Tesco.com Data Breach – Expert Comments & Advice

By ISBuzz Team | February 14, 2014 | Updated: June 22, 2021

It’s been reported that at least a couple of thousand Tesco customers have had their online details breached.

Find below comments from Thales UK and Lieberman Software, plus advice from Kaspersky Lab on how consumers can make sure that their data isn't compromised in this type of attack:

Peter Armstrong, director of cyber security, Thales UK

“It’s a shame to see that another large organisation has fallen prey to cyber criminals in this latest attack on Tesco.com. There is currently a high level of naivety in the market regarding cyber security, resulting in many organisations unintentionally putting themselves at risk.

It is important that companies realise cyber security is a business issue, not just an IT issue. In fact, if they’ve not already realised this, their organisation is already on the back foot. The consequences of cyber-attacks are now so severe that cyber defence has become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively.

Best practice cyber maturity should centre around continuous policy evaluation and adaptation to ensure your organisation is protected against the latest evolution of threat and attack vectors.”

Calum MacLeod, VP of EMEA, Lieberman Software Corporation

“I would say that Tesco is typical of retailers who continue to invest in the minimum security to keep auditors happy and invest in technologies that don’t solve real problems but tick compliance boxes.

“There’s no point in buying technology that never gets implemented either because it is not fit for purpose or ends up costing astronomical fees to implement. It’s time companies started to realise that too many vendors see customers as cash cows who end up discovering that 20% of cost is the product and 80% is locked in professional services.

“Until these organizations recognise that the fundamental component of securing themselves is controlling their privileged credentials and continuously monitoring to detect anomalies, everything else they do is irrelevant.”

David Emm, senior security researcher at Kaspersky Lab

This latest data breach experienced by Tesco.com serves to prove the dangers of using one password across the board as this simply means that cybercriminals can get access to all your online assets in one fell swoop.

It is possible to create strong, memorable passwords which don’t use personal data. We’ve all heard the advice from security professionals:

1. Make every password at least eight characters long – and 15 plus is better.
2. Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
3. Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
4. Combine letters (including uppercase letters), numbers and symbols.
5. Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.

We are all aware that, if we follow this advice, there are too many, and they’re too complicated, to remember – especially in the case of an account we don’t use very often.

Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example: start with the name of the online resource, let’s say ‘mybank’. Then apply your formula: e.g.

1. Capitalise the fourth character.
2. Move the second last character to the front.
3. Add a chosen number after the second character.
4. Add a chosen non-alphanumeric character to the end.

This would give you a password of ‘n1mybAk;’.

There is an alternative method too. Instead of using the name of the online resource as the fixed component, create your own passphrase and use the first letter of each word. So if your passphrase is ‘the quick brown fox jumps over the lazy dog’ the fixed component of each password starts out as ‘tqbfjotld’. Then apply your four-step rule.

By using either of these methods, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information.

If you find even this too complicated, consider using a password manager – software that automatically creates complex passwords for you, keeps them secure and auto-enters them when you need to log in.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
