Tesco web security 'flaw' probed by UK data watchdog

Updated on: 2012-08-20 || Source: bbc.com

The UK's data privacy watchdog is examining the security of Tesco's website after a string of experts highlighted concerns.

Specialists have criticised the way in which the global supermarket chain stores the passwords of shoppers on Tesco.com.

One expert told the BBC he had warned Tesco about other serious issues which he has not made public because of their sensitive nature.

Tesco said its security was "robust".

"We know how important internet security is to customers and the measures we have are robust," the company said in a statement.

"We are never complacent and work continuously to give customers the confidence they can shop securely."

There is no evidence to suggest Tesco has been targeted by hackers, nor that customers' personal data is at risk.

Cryptographic storage

Troy Hunt, a security expert who revealed details of the flaws on his blog, told the BBC he believed the Tesco website was breaking some fundamental data storage rules.

"When a website stores passwords, how they're protected in the database is important," he explained.

"If that database is breached, the only thing saving someone's credentials is the way they're protected in storage. What should have happened is that there should be some form of cryptographic storage - not in plain text."

Mr Hunt pointed out that as Tesco was able to email users their password in plain text, this showed the data was not being stored cryptographically.

A more secure method of password recovery is for websites to email users instructions on how to reset their password, rather than revealing the password itself.

Security expert Graham Cluley echoed Mr Hunt's concerns.

"It does appear as though Tesco didn't really follow industry best practice with their site.

"That's not to say that people's details are at risk or that they're in danger of being hacked - but it's surprising to see how Tesco has designed its site with regards to how it stores its passwords."

'Full review'

Mr Hunt also criticised Tesco for not using HTTPS - Hypertext Transfer Protocol Secure - across its entire site.

He said this left users susceptible to phishing attacks or even the interception of data - particularly when using shared wi-fi networks.

The Information Commissioner's Office (ICO) confirmed to the BBC that it was making enquiries into Tesco regarding the complaints, but would not comment further until more information had been gathered.

Mr Cluley said Tesco was by no means the only major website to have "out of date" storage methods, but said the supermarket should move to reassure online shoppers that the matter is being taken seriously.

"They need to do a full review of their website security and make sure they're following good industry practice," he told the BBC.

"With the number of websites they have, that isn't going to be a small task. But it is something that they'll want to address and reassure people they've got it sorted out."
