In response to this morning’s news that Tesco.com has experienced a significant data breach, David Emm (senior security researcher at Kaspersky Lab) and Jason Hart (vice-president of cloud solutions at SafeNet) offer advice on how consumers can make sure their data isn’t compromised in this type of attack.
“This latest data breach experienced by Tesco.com serves to prove the dangers of using one password across the board,” asserted David Emm (senior security researcher at Kaspersky Lab), “as this simply means that cybercriminals can gain access to all your online assets in one fell swoop.”
Emm continued: “It’s possible to create strong, memorable passwords which don’t use personal data. We’ve all heard the advice from security professionals:
1. Make every password at least eight characters long… and 15 plus is better
2. Don’t make passwords easily guessable. There’s a good chance that personal details such as your Date of Birth, place of birth and partner’s name, etc can be found online (maybe even on your Facebook wall)
3. Don’t use real words as they’re open to ‘dictionary attacks’ (whereby someone uses a program to quickly try a huge list of possible words until they find one that matches your password)
4. Combine letters (including uppercase letters), numbers and symbols
5. Don’t ‘recycle’ passwords (eg ‘david1’, ‘david2’, ‘david3’, etc)
“We are all aware that, if we follow this advice, there are too many, and they’re too complicated to remember – especially in the case of an account we don’t use very often.
“Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example… Begin with the name of the online resource. Let’s say ‘mybank’. Then apply your formula. For example…
1. Capitalise the fourth character
2. Move the second last character to the front
3. Add a chosen number after the second character
4. Add a chosen non-alphanumeric character to the end
“This would give you a password of ‘n1mybAk;’.”
There is an alternative method, too. “Instead of using the name of the online resource as the fixed component,” stated Emm, “create your own passphrase and use the first letter of each word. So, if your passphrase is ‘the quick brown fox jumps over the lazy dog’, the fixed component of each password starts out as ‘tqbfjotld’. Then apply your four-step rule.”
Emm also commented: “By using either of these methods, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information.
“If you find even this too complicated, consider using a password manager – software that automatically creates complex passwords for you, keeps them secure and auto-enters them when you need to log in.”
Companies must focus on what matters most – the data
A former ethical hacker for more than 15 years, Jason Hart (vice-president, cloud solutions at SafeNet) explained: “In 2013, there were over 595 million data records lost or stolen, demonstrating that conventional breach prevention and perimeter-based security are not sufficient for protecting modern data. It’s clear that it’s not a matter of ‘If’ a data breach will occur, but ‘When’.
“On that basis, it’s vital that organisations are taking the correct precautions to ensure their most sensitive data remains protected.
“While the latest Tesco data breach was not a result of a direct attack on the Tesco.com website, it does highlight the wider implications of data breaches. Many people often use the same password across multiple sites, so the true impact of the any data breach is always likely to be bigger than first anticipated.”
Hart went on to state: “This is not the first time that supermarkets have fallen foul to a cyber attack and should serve as a reminder to all retailers of the threat posed by data breaches. Too many Security Departments hold on to the past when it comes to their security strategies, focusing on breach prevention rather than securing the data that they’re trying so hard to protect.
“Methods used by cybercriminals are becoming increasingly sophisticated and, if they want to hack the system or steal data, they will find one way or another to do so.
In conclusion, Hart stressed: “Companies need to focus on what matters most – the data. By using technologies such as encryption that render any data useless to an unauthorised party, as well as tamper-proof and robust key management controls, companies can be safe in the knowledge that their data is protected whether or not a security breach occurs.”