Thursday, 2 August 2012

Tesco Value Online Security

There has been an interesting storm brewing on Twitter, thanks to Troy Hunt, all centred around Tesco's on-line security, and it has hit many news sites - 1, 2, 3 and 4. Quite frankly it's appalling for such a large company and I'm going to try and explain why that is the case in plain English.

*Please Note: This post was written on the 1st of August 2012 so please keep in mind that things may have changed since then.

The reassuring statement 

It seems to have started with a generic customer service statement from UKTesco on Twitter. That is a verified account, so we know this is a representative of Tesco Plc. They stated "Password are stored in a secure way. They're only copied into plain text when pasted automatically into a password reminder mail"



"Passwords are stored in a secure manner" - Well I should hope so.

"They're only copied into plain text when pasted automatically" - Oh no, this is where things go bad.

"Reminder mail" - And just got worse.


OK, there is a lot of more technical information out there, but let's not get too technical. Instead, let's explain why this sentence should make you cautious.



Password Reminders are very bad

If you think about it, you don't like the idea of someone knowing your password. Saying it's copied automatically is, at face value, a comfort. That is until you consider what it means: if the system can produce your password to paste it into an email, then your password is stored in a form the system can turn back into the original, and anything stored that way is retrievable, by the system administrators, by anyone who gets hold of their access, or by hackers who copy the database. A properly designed system therefore makes it impossible to retrieve a password at all.

Additionally, under ABSOLUTELY NO CIRCUMSTANCES should passwords, or any other sensitive information for that matter, be emailed to anyone or anywhere. The reason for this is that email is not secure. The dirty secret of the internet is that email is not encrypted end to end. The message may travel from your provider to you over a secure connection, but out on the internet there is no guarantee that each hop is protected, and it sits in plain text in every mailbox and on every mail server it passes through, relying on the nobility of every system and network engineer between the person who sent it, their service provider, your service provider and yourself. In fact this is such a sore point for the security minded that there are websites dedicated to shaming the companies who do this - http://plaintextoffenders.com/

Don't worry if you didn't know that email was an insecure communication method, neither did Tesco (Part 1, Part 2). For a company to display that kind of fundamental misunderstanding of the technology is embarrassing, and I can only hope that the IT staff, CTO and CIO do not hold the same belief.

This leaves a question that you might have picked up on.

If you cannot retrieve passwords, how do you confirm I entered it correctly?


Well, this is where we risk getting technical, but understanding is important to gain context. Encryption has been an important tool in security from the Caesar cipher in Roman times, to the Enigma machine in the Second World War, and it is vital in modern IT. Indeed all important information should be encrypted to protect data from unauthorised access.

Such technology helped a Brazilian drug dealer frustrate the FBI for over 12 months before they admitted defeat in accessing the suspected evidence on his computer. This is an unfortunate example, as the roles of good and evil are reversed, but you can appreciate that, if implemented correctly, we have the facilities to protect information from people we do not want to have access.

The difference with passwords is that you do not want anyone to see your password, and that includes the minimum wage employee, the web developer, the system administrator and the CEO. You wouldn't give it to them in person, so why should they be able to call it up on the computer? Encryption is the wrong tool for this job: whatever is encrypted can be decrypted by anyone holding the key, and the company has to hold the key in order to use it.

This is done using a process called hashing, which is done with some interesting maths, but rest assured I am not about to explain this; I'd only get it wrong and embarrass myself. It is engineered so that whatever you entered is converted into a fixed length string of gibberish, and so that it is impossible to turn this gibberish back into your password. (One caveat for the technical reader: the hashing also has to be salted and deliberately slow, so that an attacker who steals the gibberish cannot simply try millions of guesses a second and compare. LinkedIn's leaked hashes were unsalted and were being cracked within days.)

The interesting part is that when you apply the hashing process to the same value you get exactly the same string of gibberish. So the company stores only the gibberish, and when you log in it hashes what you typed and compares the two. This allows the company to verify you entered the same password without ever seeing what the password is, ensuring that you, and only you, know your password.
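To make the above concrete, here is an added example (my own code, nothing to do with Tesco's system) of how a site stores and checks a password without ever being able to get it back. It uses only Python's standard library: a random salt per user, a deliberately slow hash (PBKDF2-HMAC-SHA256), and a constant-time comparison at login. The stored digest is always 64 hex characters whatever the password's length, which is also the fact the later point about the 10 character maximum rests on. The user, password and iteration count are made up for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Tesco's code: salted, iterated password hashing using only
# the Python standard library. PBKDF2-HMAC-SHA256 is used because it ships with
# Python; for a new system a practitioner would reach for bcrypt, scrypt or Argon2.
ITERATIONS = 200_000   # assumed value; slows each guess, raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the value to store in the database: 'salthex:digesthex'.

    The salt is random per user, so two users with the same password get
    different stored values. The digest is always 32 bytes (64 hex chars)
    whatever the length of the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the typed password with the stored salt and compare.

    There is no way to get the original password out of `stored`; the only
    thing the site can do is hash a new guess and see if the gibberish matches.
    compare_digest takes the same time whether the first or the last byte
    differs, so an attacker cannot learn anything from the response time.
    """
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_length(password: str) -> int:
    """Length in hex characters of the digest part of the stored value."""
    return len(hash_password(password).split(":", 1)[1])


if __name__ == "__main__":
    # Constructed sample: one user registers, then tries to log in twice.
    record = hash_password("tesco-value-2012")
    print("stored:", record)
    print("right password:", verify_password("tesco-value-2012", record))
    print("wrong password:", verify_password("tesco-value-2013", record))
    print("5-char digest length:", stored_digest_length("abcde"))
    print("55-char digest length:", stored_digest_length("a" * 55))
```

Note that a "password reminder" feature cannot be built on top of this: the database row holds a salt and a digest, and the site only ever learns whether a fresh guess hashes to the same digest. The right user-facing equivalent is a reset link that lets you choose a new password.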

How does this apply to Tesco and why there is a bigger problem

Well, as we have already established, Tesco email you a password reminder. This means they can retrieve your password from their system, and this exposes your password. Well, it goes deeper, take a look at the image below.

[Screenshot of Tesco's password rules: minimum 6 characters, maximum 10 characters]
I said this points to a bigger problem, and most of you will not have blinked at the screen above, but it both worries and frustrates me. We all know longer passwords are more secure, so the minimum of 6 characters is reasonable, and if anything these minimum requirements are fairly relaxed, with no requirement for mixed case or the use of both letters and numbers.

The scary part, however, is the 10 character maximum. As stated earlier, passwords should be put through a "hashing" process that results in a fixed length string of gibberish. So whether you use a 5 character password or a 55 character password, it will result in the same length of gibberish, and the length of what is stored has nothing to do with the length of what you typed.

Why then are Tesco passwords limited to 10 characters?

When databases are designed you select a length for each field. For Tesco to enforce a password limit of 10 characters suggests they are not hashing your passwords but storing them directly into the database in a field limited to 10 characters. On its own a length cap is only a hint (it could be a leftover validation rule), and a reversibly encrypted password would allow the reminder email just as well as a plain text one, but taken together with the reminder it is hard to read any other way: whatever is stored, Tesco can turn it back into your password.

Why is this a problem? Well, you've no doubt heard about hacking in the news from LinkedIn, Last.fm, eHarmony and Sony. The worry is that if someone does hack Tesco they will get a plain text password, not a hash they still have to crack.

They have my password, so what?

Well, if the hackers just had a huge list of passwords we need not worry, as they could hardly match a random password to you. That is not really the point. No hacker worth his salt is going to get into the system and just take passwords. They are going to take everything they think will be of use, including your email address and any other details they can grab, such as your delivery address and credit card details. And because the email address and password come out of the database together, that pair can be tried straight away on every other site where you might have reused it.

Further evidence of an apathy towards security.

Well, we have established that Tesco do not follow up to date best practice for web security. Let's have a look at a few other aspects of Tesco's website.

The picture on the right is the information displayed when you click on the "Why It's safe to shop at Tesco.com" link.

There are two worrying aspects to this page. First is the red HTTPS. This means that not ALL of the page is secure: the page itself was served over HTTPS, but some of the things it loads (scripts, images or stylesheets) come over plain HTTP, and anyone on the network can read or replace those. Again we are risking a drift into the technical, but let's just say there is no reason in this day and age not to use HTTPS across all aspects of the website.
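For the technically minded, the "red HTTPS" is what browsers show for mixed content, and it is easy to find the offending references yourself. The following is an added example (my own code, not anything from Tesco) that parses a page's HTML and lists every sub-resource that would be fetched over plain http:// even though the page is https://. The page URL and markup are made up for illustration; point it at a real page's saved HTML and URL to check your own site.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Added example, not Tesco's code: a small mixed-content finder. Given the URL a
# page was served from and its HTML, it lists every sub-resource that would be
# fetched over plain http:// even though the page itself is https://.
# Tag -> attribute that causes a fetch. <link> only counts when it is a stylesheet.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "source": "src",
    "object": "data",
    "link": "href",
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_dict = {k: v for k, v in attrs if v is not None}
        if tag == "link":
            rel = attr_dict.get("rel", "").lower().split()
            if "stylesheet" not in rel:
                return  # e.g. rel="canonical" is never fetched as part of the page
        value = attr_dict.get(attr_name)
        if not value:
            return
        # Relative and protocol-relative (//host/x.js) references inherit the
        # page's scheme, so resolve against the page URL before judging them.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (tag, absolute_url) for each http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has no "secure" part to undermine
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not Tesco's real markup.
SAMPLE_PAGE_URL = "https://shop.example/secure/why-its-safe"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://shop.example/css/site.css">
<link rel="canonical" href="http://shop.example/secure/why-its-safe">
<script src="http://cdn.example/legacy/tracker.js"></script>
<script src="//cdn.example/modern/app.js"></script>
</head><body>
<img src="/images/padlock.png">
<img src="http://images.example/banners/summer.gif">
<iframe src="https://ads.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

On the constructed sample this reports the legacy tracker script and the banner image; the protocol-relative script and the relative image resolve to https:// and are fine. A script loaded this way is the serious case, since whoever tampers with it on the wire gets to run code in the "secure" page. Forms that post to an http:// action are a related problem that browsers warn about separately and this parser does not cover.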

The second is the comment about Secure Sockets Layer (SSL) and version 3.0 of Explorer and version 3.02 of Netscape. Well, I presume "Explorer 3.0" is a reference to Internet Explorer, and Netscape, essentially, went out of business in 2003. Let's just say there have been numerous security issues in the 16 years since those software versions were current. Do you even have a single item of technology that is 16 years old?


There is also a message posted on-line (although it cannot be verified, so I'm not going to link to it) that stinks of arrogance and incompetence, including the statement
to my knowledge we've never been hacked and they've tried
A good hacker won't leave a trace, meaning it may have already happened, and without proper logging and monitoring you cannot know either way. Based on the arrogance of that statement I'd guess you are not paying as much attention to your servers as you should be.


I'm closing my account

We now have multiple examples of Tesco's design and security being not only behind the times but woefully inadequate. We have also established that if a hacker does infiltrate Tesco's infrastructure then chances are they are going to end up with a fair amount of info. Well, your instinct is probably the same as mine: I'm going to delete my account.

Except you can't do that on-line, you have to phone them and pay for that call....



P.S. For any tech people who do read this far, I would like to point out that a lot of this is a simplification, but I was trying to convey the concepts in a way that is a bit simpler to understand.