Tesco Clubcard password security problem (updated)

Tesco haven’t publicised it, but according to this newspaper report, they had “a small number of irregular transactions” on Clubcard accounts back in January 2013. **UPDATE – and again in Feb 2014, see below.** This post looks at what happened, how to check whether you have been affected by this Tesco Clubcard password problem, and the thorny subject of passwords – how to minimise the chance of similar situations with other websites affecting you in the future.

The Clubcard problem

Some people use the same password for lots of websites. It seems that after criminals obtained some people’s passwords, probably through phishing but possibly also through lax security at other firms, they had the bright idea of seeing whether people used the same password for their Tesco Clubcard account as for their other accounts. At that time it was possible for a Clubcard user to print off their Clubcard vouchers by entering only their password.

This is coming to light slowly as the affected people try to redeem vouchers they had previously printed – when they try to spend them the store says they have already been redeemed.

Tesco changed their system in the autumn so that a user must also enter 3 digits from their Clubcard number, to stop this sort of problem recurring.
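To show why that extra step helps, here is an added illustration of how such a check can work (my own example, not Tesco’s code): the site asks for three digits from randomly chosen positions of the card number, so a stolen password on its own is not enough. The card number, the five-minute time limit and the three-strike lock-out are assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_DIGITS = 3   # digits asked for per challenge, as in the fix described above
CHALLENGE_TTL = 300    # seconds a challenge stays valid (assumption)
MAX_FAILURES = 3       # failed challenges before voucher printing is locked (assumption)


class VoucherStepUp:
    """Hypothetical step-up check run before vouchers are printed.

    The user must supply three digits of their card number at positions the
    server picks at random, so a password obtained elsewhere does not satisfy it.
    """

    def __init__(self, card_number: str):
        self.card_number = card_number
        self.failures = 0
        self.pending = None  # (positions, time issued) for the outstanding challenge

    def issue_challenge(self, now=None):
        if self.failures >= MAX_FAILURES:
            raise PermissionError("voucher printing locked; contact customer service")
        # Three distinct positions drawn from a CSPRNG, so the positions asked
        # for next time cannot be predicted from previous challenges.
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(len(self.card_number)), CHALLENGE_DIGITS))
        self.pending = (positions, now if now is not None else time.time())
        return positions  # 0-based positions shown to the user

    def verify(self, answer: str, now=None) -> bool:
        if self.pending is None:
            return False
        positions, issued = self.pending
        self.pending = None  # single use: every attempt needs a fresh challenge
        now = now if now is not None else time.time()
        if now - issued > CHALLENGE_TTL:
            return False  # stale challenge; not counted as a guess
        expected = "".join(self.card_number[p] for p in positions)
        # Constant-time comparison; a wrong-length answer simply compares unequal.
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
        return ok
```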

Have you been affected?

The only way to tell is to try to spend any Clubcard vouchers you have printed out, and to check your Clubcard account for any unexpected transactions. In the case in the newspaper, it was simple for the Clubcard user to prove he was in a different part of the country from the store where his cloned vouchers were redeemed, but the more time that elapses, the harder it is for people to recall whether they did or did not redeem a voucher 8 or 9 months ago.

Tesco can’t tell which customers might have been affected by this Tesco Clubcard password problem, and technically it wasn’t their security that was breached. They could, however, have advised Clubcard users of the problem and improved their systems rather faster than they did. Their response to the problem has not been impressive.

How can you stop this happening with other accounts?

Using the same password for all your internet accounts is a very bad idea, as a security problem at a trivial account could then affect your bank account or credit card.

[image: xkcd cartoon]

Passwords and log-ons are becoming more and more irritating at the same time as they are becoming more important with the increase in cyber-crime. As the joke goes, “Sorry, but your password must contain a number, a punctuation mark, a capital letter, a haiku and a hieroglyph.” And this xkcd cartoon points out that this doesn’t even give good security.

Update – the problem recurs in 2014

In Feb 2014 details of more than 2,000 Tesco Clubcard passwords were published online. This seems likely to be a new symptom of the 2013 security breaches discussed above – passwords obtained illegally elsewhere were then tried out on the Tesco Clubcard system.

Although it was not Tesco’s systems that were hacked to get the passwords, if Tesco had alerted all Clubcard holders to the 2013 problems and suggested they change their passwords and not use the same one on other accounts, the current problem could not have arisen. So by trying to keep quiet about the 2013 difficulties, Tesco are partly to blame for the 2014 problems.
