Passwords – again!

In the news today is another report of personal details being snaffled – this time Tesco is reported as being the fall-guy.

However, dig a little deeper into the story and it’s not as simple as you might believe.

Tesco has reported that over 2000 customer accounts have been suspended following ‘breaches’. Details of the affected accounts have been posted on the internet, and journalists have been able to call some of the affected customers using phone numbers that have been made public.

But were Tesco’s security systems overwhelmed and broken? No. It’s reported that the genuine credentials of the affected customers (email address and password) were used to log in and access customer information.

So, what went wrong?

In this case, the attackers already had an email address and password combination for the Tesco customers, and had obtained these from other criminals – from a previously compromised account on a different internet site. What made it easy for the attackers was that the same password was being used on the Tesco account as on the previously compromised account.

Similar attacks could be made on Amazon, eBay, PayPal and many, many more, as far too many internet users re-use the same email address and password across multiple sites. If your account has been compromised on one system, it probably won’t be long before an attempt is made on other systems.

How can you check?

One website, Have I Been Pwned?, records lists of previously compromised accounts which can then be searched to see if your email address (and presumably other data) has appeared on one of those lists. The common term for this is ‘Pwned’.

Here’s their tweet from today:

What can you do?

Firstly, do not use one password everywhere! If you can’t remember a different password for every online account then at least use 3 or 4 different ones and spread them around! That way, only a third or a quarter would be hit!

Secondly, change the password regularly! At least once a quarter.
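The two practical points above – checking whether a credential has already turned up in a leak, and seeing how far one re-used password would spread a compromise – can both be shown in a few lines. The following is an added example, not code from this post or from Have I Been Pwned. The breach check uses the "range" lookup idea that the Pwned Passwords service later introduced (hash the password with SHA-1, send only the first five hex characters, compare the returned suffixes locally), but the leaked-password list, the counts and the `fetch_range` function here are constructed stand-ins so that it runs offline; nothing is sent anywhere.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: passwords that appeared in
# (fictional) leaks, with how many times each was seen. Not real data.
LEAKED_PASSWORDS = {
    "password": 3000000,
    "letmein": 120000,
    "tesco2014": 5,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range lookup works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Group hashed passwords by their 5-character prefix.

    Each bucket holds '<35-char suffix>:<count>' lines, mirroring the
    shape of a Pwned Passwords range response.
    """
    index = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def fetch_range(prefix: str) -> str:
    """Hypothetical stand-in for fetching /range/<prefix> from the service.

    Only the 5-character prefix ever leaves the client; the service answers
    with every suffix it knows for that prefix and cannot tell which one
    the caller cares about.
    """
    return "\n".join(RANGE_INDEX.get(prefix, []))


def pwned_count(password: str) -> int:
    """Return how many times the password was seen in the (sample) leaks, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def reuse_groups(accounts: dict) -> list:
    """Given {site: password}, list the groups of sites that share one password.

    Each group is the blast radius of a single leaked credential: if any one
    site in a group is breached, every other site in it is exposed too.
    """
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    groups = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    return sorted(groups)


if __name__ == "__main__":
    # Constructed sample accounts for a single user.
    sample_accounts = {
        "tesco": "letmein",
        "amazon": "letmein",
        "ebay": "letmein",
        "bank": "unique-and-long-passphrase",
    }
    for site, pw in sample_accounts.items():
        seen = pwned_count(pw)
        print(f"{site:8s} password seen in leaks {seen} time(s)")
    for group in reuse_groups(sample_accounts):
        print("one password shared by:", ", ".join(group))
```

In the sample run the three retail accounts share a password that the stand-in corpus has already seen 120,000 times, so a breach at any one of them hands the other two over as well, which is exactly the pattern the Tesco story describes; the bank account, with its own password, stays outside that group. The same structure applies unchanged if `fetch_range` is swapped for a real HTTPS request to the service.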

What’s at risk?

Your money & your credit record to name but two.

I’ll keep drumming on about passwords and security. Think about this: if you lost the key to your front door, or knew that it had been stolen, would you change the locks?