Monday, August 20, 2012

Tesco Web Security 'flaw' Probed

The UK's information privacy watchdog is examining the security of Tesco's website after a string of experts highlighted concerns.

Specialists have criticised the way in which the national supermarket chain stores the passwords of shoppers on Tesco.com.

One consultant told the BBC he had warned Tesco about other major problems that he has not made public because of their sensitive nature.

Tesco said its security was "robust".

"We know how important internet security is to customers and the measures we have are robust," the firm said in a statement.

"We are never complacent and work continuously to give customers the confidence they can shop securely."

There is no evidence to suggest Tesco has been targeted by hackers, nor that customers' personal information is at risk.

Troy Hunt, a security consultant who outlined some of the flaws on his blog, told the BBC he believed the Tesco website was violating some fundamental data storage rules.

"When a website stores passwords, how they're protected in the database is important," he explained.

"If that database is breached, the only thing saving someone's credentials is the way they're protected in storage. What should have happened is that there should be some form of cryptographic storage - not in plain text."

Mr Hunt pointed out that as Tesco was able to email users their password in plain text, this showed the information was not being stored cryptographically.

A more secure way of password recovery is for websites to email users instructions on how to reset their password, rather than disclosing the password itself.

Security consultant Graham Cluley echoed Mr Hunt's concerns.

"It does appear as though Tesco didn't necessarily follow industry best practice with their site.

"That's not to say that people's details are at risk or that they're in danger of being hacked - but it's surprising to see how Tesco has written its site with regards to how it stores its passwords."

Mr Hunt also criticised Tesco for not using HTTPS - Hypertext Transfer Protocol Secure - across its whole site.

He said this left users open to phishing attacks or even the interception of information - particularly when using public wi-fi networks.

The Information Commissioner's Office (ICO) confirmed to the BBC that it was making enquiries into Tesco concerning the complaints, but would not comment further until more information had been gathered.

Mr Cluley said Tesco was by no means the only major website to have "out of date" storage methods, but said the supermarket should move to reassure online shoppers that the matter is being taken seriously.

"They should be doing a full review of their website security and ensure they're following best industry practice," he told the BBC.

"With the number of websites they have, that isn't going to be a small task. But it is something that they'll want to address and reassure people they've got it sorted out."
