Thursday, August 2, 2012

What can an online retailer learn from Tesco's security fail


UK retailer Tesco came under fire earlier this week for website security practices that may be leaving customer data vulnerable to hackers.
The incident started when software architect Troy Hunt noticed a tweet indicating that Tesco must be storing customer passwords in a manner that doesn't adhere to best practices because the retail giant emails customers their passwords in plain text.
After experimenting, Hunt confirmed that this is indeed the case, and he also found numerous other security faux pas, including issues with Tesco's use of SSL encryption.
Given the high risks and costs that come with security breaches today, security should be top of mind for any company operating online. This is particularly true for online retailers, most of which collect sensitive and valuable information from customers, such as credit card numbers.
There are numerous things that online retailers can learn from Tesco's fail. Here are five of the most important.

1. Somebody is paying attention

It's often easy for companies to believe that nobody is watching. If we don't employ best practices, for instance, or we haven't updated something that should be updated, who is going to notice?
It may take a while, but chances are that if your company has any visibility in the markets it serves, somebody willeventually notice. So instead of pretending that you can get away with doing a less-than-stellar job, it's far better to raise the bar and do what's right.

2. The good guys usually aren't the first to notice your flaws

While Hunt deserves credit for bringing the issues he stumbled onto to the attention of Tesco and the public, the unfortunate reality is that those who aren't so well-intentioned are usually the first to know.
For retailers, this means one thing: by the time somebody tells you that you have major security gaps, chances are those who would seek to exploit them are already trying to figure out how to.

3. There are no legitimate excuses for not doing the basics

The internet has seen a growing number of high-profile security lapses over the past several years, and for good reason: data, be it credit card numbers or compromised accounts, is valuable. The particularly disappointing news: in many cases, the worst security breaches have been the result of long-standing techniques that a half-decent web developer knows about being ignored.
There's absolutely no excuse for this and companies that aren't adhering to the most basic of security best practices will increasingly have little ability to defend themselves against charges of incompetence and laziness. In the case of Tesco, this is particularly true given that it has apparently been storing passwords insecurely since 2007.

4. Social media isn't always your friend

Arguably one of Tesco's biggest mistakes was quickly responding to Hunt via Twitter. Obviously, one of the individuals responsible for managing Tesco's Twitter account saw Hunt's tweet about Tesco's password storage security and felt the need to respond.
But in writing "Passwords are stored in a secure way. They're only copied into plain text when pasted automatically into a password mail," that person stepped into a technical discussion that was clearly above his or her head, as the response essentially confirmed Hunt's argument.
Which serves as a valuable lesson for companies: important issues deserve meaningful, informed responses. Occasionally, this may require the people in charge of a social media account to bring an issue elsewhere in the organization before a response is provided.

5. A company's respect for its customers is best reflected by how it treats their data

Perhaps one of the most interesting things about Troy Hunts post were some of the comments from individuals claiming to have first-hand experience with Tesco. One wrote "Having worked for Tesco.com...around 5 years ago, non [sic] of this surprises me", while another added "Tesco used to be a customer for a company I worked for. This is the tip of the iceberg."
The accuracy of these comments is unknown, but it does raise an interesting rhetorical question for online retail executives to ponder: in an industry that is dependent on the consumer like few others, if your organization doesn't treat its customers' data carefully, how customer-centric can its culture really be?

(via)

No comments: