Tesco haven’t publicised it, but according to this newspaper report, they had “a small number of irregular transactions” on Clubcard accounts back in January. This post looks at what happened, how you check if you have been affected and the thorny subject of passwords – how to minimise the chance of similar situations with other websites affecting you in the future.
Some people use the same password for lots of websites. It seems that after criminals obtained some people’s passwords, probably through phishing but possibly also through lax security at other firms, they had the bright idea of seeing if the people used the same password for their Tesco clubcard accounts. At that time it was possible for a clubcard user to print off their clubcard vouchers by only inputting their password.
This is coming to light slowly as the affected people try to redeem vouchers they had previously printed – when they try to spend them the store says they have already been redeemed.
Tesco changed their system in the autumn to require a user to enter 3 digits from their clubcard number as well, which stops this sort of problem recurring.
Have you been affected?
The only way to tell is to try to spend any clubcard vouchers you have printed out and to check your clubcard account and see if there are any unexpected transactions. In the case in the newspaper, it was simple for the clubcard user to prove he was in a different part of the country to the store where his cloned vouchers were redeemed, but the more time that elapses, the harder it is for people to recall whether they did or did not redeem a voucher 8 or 9 months ago.
Tesco can’t tell which customers might have been affected and technically it wasn’t their security that was breached. They could however have advised clubcard users of the problem and improved their systems rather faster than they did. Their response to the problem has not been impressive.
How can you stop this happening with other accounts?
Using the same password for all your internet accounts is a very bad idea as a security problem in a trivial account could then affect your bank account or credit card.
Passwords and log-ons are generally becoming more and more irritating at the same time as they are becoming more important with the increase in cyber-crime. As the joke goes, “Sorry but your password must contain a number, a punctuation mark, a capital letter, a haiku and a hieroglyph.” And this xkcd cartoon points out that this doesn’t even give good security: “Through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”
Of course it’s easy enough to generate a random password – there is a simple Norton utility here that will do it for you, including capitals, punctuation marks etc as you specify. But then there is zero chance of remembering them unless you write them down (NO!), and if you want to be able to use them outside your home you have to store them on your mobile (NO! NO!).
So how do you handle passwords?
One answer* is a variation on the xkcd cartoon approach:
- come up with a mental picture with several short words say “green wasp likes curry and wine and lego” – don’t write this down
- think of a standard beginning or ending with a number and symbol 6$ or #2 – you are going to just have to remember this
- then decide where in your words you will use a capital – always the second and third letters, or the last letter say
- then for each password pick two of your short words (or three for your most important accounts) and keep a list** with hints as to which words you used and where your 2 characters go – so “Tesco clubcard food animal end” prompts the password currywasP6$ and “Lloyds drink toy colour start” gives the password 6$winelegogreeN
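The four steps above, worked through in code as an added example (this is not the post’s own code): the memorised phrase becomes a small dictionary keyed by the categories the hints use, the affix and the last-letter capital rule are fixed, and derive_password turns a hint line into the password. The hint format (site name, then the categories in order, then “start” or “end”), the function names and the guess_space helper are assumptions made here; guess_space reports how many distinct passwords the scheme can yield once the word list, affix and capital rule are known, which is the quantity the partner test in the post is probing.

```python
"""Worked example of the mnemonic password scheme described in the post.

Added illustration, not code from the original post. The words, categories
and the '6$' affix are the post's own sample values; the hint format and
the function names are assumptions made for this example.
"""

import math

# Constructed sample: the memorised phrase "green wasp likes curry and wine
# and lego", mapped to the category names the post's hints use.
WORDS = {
    "colour": "green",
    "animal": "wasp",
    "food": "curry",
    "drink": "wine",
    "toy": "lego",
}

# The standard number-and-symbol the post says you just have to remember.
AFFIX = "6$"


def capitalise_last(text: str) -> str:
    """Capital rule used in the post's examples: the last letter of the
    joined words is upper-cased (currywasp -> currywasP)."""
    return text[:-1] + text[-1].upper()


def derive_password(hint: str, words=WORDS, affix=AFFIX) -> str:
    """Turn a hint such as 'Tesco clubcard food animal end' into the password.

    Hint layout (assumed here): <site name ...> <category> <category> [...]
    <start|end>. Tokens that are not a known category are treated as the
    site name and ignored; the final token says which end the affix goes on.
    """
    tokens = hint.split()
    position = tokens[-1]
    if position not in ("start", "end"):
        raise ValueError("hint must finish with 'start' or 'end'")
    categories = [t for t in tokens[:-1] if t in words]
    if len(categories) < 2:
        raise ValueError("hint must name at least two word categories")
    body = capitalise_last("".join(words[c] for c in categories))
    return affix + body if position == "start" else body + affix


def guess_space(n_words: int, words_per_password: int) -> int:
    """Distinct passwords the scheme can produce for someone who knows the
    word list, the affix and the capital rule but not the hint list:
    ordered choices of words, times the two possible affix positions."""
    return math.perm(n_words, words_per_password) * 2


if __name__ == "__main__":
    for hint in ("Tesco clubcard food animal end", "Lloyds drink toy colour start"):
        print(f"{hint!r} -> {derive_password(hint)}")
    print("two-word passwords from five words:", guess_space(5, 2))
    print("three-word passwords from five words:", guess_space(5, 3))
```

With the five words from the post’s phrase, two words per password give 40 possible passwords and three give 120; the number grows quickly as you add words to the phrase, which is the practical effect of rotating in a “new animal” as the post suggests.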
If you are worried this isn’t very safe, try giving the list to your partner and see if they can guess any of the passwords. If you think you should mix things up a bit, then after a while add rhino and record it in the lists as a “new animal”.
* of course this isn’t quite what I do – why would I describe that online?
** it might be a good idea to keep a backup of this list. And if you encrypt it, don’t forget the password!