Tesco has been alerted to problems with its password security for the last five years and has clearly ignored them.
According to Troy Hunt, whose research on Tesco sending passwords in plain text led to him detailing further security flaws in its website and a huge response on Twitter, Tesco has been alerted to security issues time and time again and has chosen to ignore them.
He told SC Magazine that he was alerted to the Tesco situation by a specific tweet that showed up in his Twitter search for references to his blog. Since he had a Tesco account himself, he said it was easy to verify the problem after looking at the Tesco website.
“Given the glaringly obvious issues and Tesco's assertions to the contrary I thought I'd write up some info for developers who may not be au fait with these security principles,” he said.
Hunt pointed me to a blog at Jemjabella.co.uk from 2007 that highlighted flaws in Tesco's email security.
While the findings were surprising, there was some level of encryption used. I asked Hunt whether this is something that is difficult to implement or fix.
Hunt said: “In terms of cryptographic storage, it's not at all complicated to implement, in fact it can literally be a five minute job. Modern web frameworks – such as ASP.NET, which Tesco uses – make it extremely easy to not only hash the password, but do so with a strong hashing algorithm (i.e. 1,000 PBKDF2 rounds) and a cryptographically random salt.
“Complexity is not the issue so we keep coming back to education of people – developers, architects, CIOs – as they are not aware of the value proposition of secure cryptographic storage. I do think there is a much better understanding of this today than, say, two years ago (largely thanks to the AntiSec shenanigans), which is why in cases such as LinkedIn there was such outrage when it turned out passwords were stored as a straight hash without salt.
“We don't know precisely how Tesco stores its passwords, all we know is that they're not hashed and there's a very strong likelihood they're in plain text.”
I put the same question to security researcher Robin Wood. He said that he could think of a couple of reasons why Tesco was doing things wrong, and the first would be business pressure.
He said: “Someone in the business made the decision that in the event of a lost password, the site had to be able to tell the users their current password. This would mean that the password would have to be stored in an unhashed format, i.e. encrypted or clear text. I've seen an instance of this where despite the developers' best efforts to educate the people making the decisions the developers lose and are forced to build an insecure system. Unfortunately security minded people don't always win.”
Wood said that the second reason is a lack of awareness by the developers, mainly as a lot of people do not understand the difference between hashing and encryption and assume that encrypting a password makes it secure and would stop anyone else from reading it.
“There are a few problems with this: the first is that the website has to have access to the encryption key, and so an attacker who gains access to the site to steal the data could also grab the key and so negate the encryption,” he said.
“Even if they can't gain access to the key they may still be able to brute-force the key to give the data, especially as they could potentially perform a ‘known plain text’ attack, which means the attacker knows the password (they sign up to the site using a password of their choosing) and the encrypted password and then has to work out the key that converts one to the next.”
Aside from revealing passwords in plain text to the user, there are some serious security concerns about what Tesco is doing.
Wood claimed that adding hashing and salting does not affect the speed or functionality of the site, and the only change for Tesco would be that it would have to implement a new forgotten-password system to replace simply sending the current password.
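As an added illustration (not Tesco's code, nor anything from Hunt or Wood), this is the change Hunt and Wood describe: passwords stored as PBKDF2 hashes with a cryptographically random salt, and a forgotten-password flow that issues a one-time reset token because there is no longer a current password to send. The `user_store` dictionary, the e-mail keys and the round count (taken from Hunt's "1,000 PBKDF2 rounds" remark) are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Illustrative parameters for this example. The round count is stored with
# each hash so it can be raised later without invalidating existing records.
PBKDF2_ROUNDS = 1000
SALT_BYTES = 16


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'rounds$salt$hash'. The salt comes from the OS CSPRNG, so two
    users with the same password get different stored records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def begin_password_reset(user_store: dict, email: str) -> Optional[str]:
    """Replaces 'e-mail the current password': nothing reversible is stored,
    so issue a one-time token and keep only its hash server-side."""
    if email not in user_store:
        return None  # the caller should answer identically either way
    token = secrets.token_urlsafe(32)
    user_store[email]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token


def complete_password_reset(user_store: dict, email: str, token: str, new_password: str) -> bool:
    """Consume the token (single use) and store a fresh salted hash."""
    record = user_store.get(email)
    if not record or "reset_token_hash" not in record:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["reset_token_hash"]):
        return False
    del record["reset_token_hash"]
    record["password"] = hash_password(new_password)
    return True
```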
I asked Hunt if he felt that the security problems highlighted could impact credit cards or (corporate or customer) financial data. He said that credit card data would be the big concern, and this has led to a number of people mentioning the potential PCI DSS ramifications.
However, he said that nothing he had seen indicated that Tesco was in breach of compliance as far as card handling goes, but that the generally bad practices, combined with what is clearly a fundamental misunderstanding of security concepts, gave him cause for concern.
When I spoke to a Tesco spokesperson, they reassured me that "security plays a big part in what we do", that the company believes it has a robust system in place, and stressed that it has never had a problem with security and online matters.
The official statement said: “We know how important internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.”
Tesco also told me that it is "not complacent" and having seen the comments on Twitter and research, it would look into this.
What is fairly distressing about this research is the impact upon members of the public and the fact that this has gone on for five years.