News & Views
Hackers target Loyalty programmes
Two of Britain's biggest retail chains, Tesco and Boots, have seen their loyalty card programmes targeted by hackers. In both cases the attackers used credential stuffing: usernames and passwords stolen from other websites' breached databases were replayed against the loyalty programmes' login pages, succeeding wherever a customer had reused the same password.
The attacks are a reminder of the inherent weakness of password-based authentication, and of why websites that continue to rely on it are putting users' sensitive information at unnecessary risk.
“The dangers of relying on passwords alone have been demonstrated numerous times by high-profile data breaches that have had significant consequences for both users and enterprises,” says Andrew Shikiar, executive director, FIDO Alliance (www.fidoalliance.org). “Attacks against credentials are effective because consumers and employees are easily tricked into giving them away – and the use of stolen, weak, or default passwords makes authentication the top priority for the industry to solve. What’s more, the risks are further compounded by the fact that databases containing vast swathes of passwords are effectively sitting ducks for cyber criminals to exploit via credential stuffing attacks, as seen in these latest incidents.”
“While they will not disappear overnight, there is at least a growing understanding that passwords are no longer fit for purpose as a means of authentication. It’s time that users are freed from the associated risks and inconvenience of using passwords, and the good news is that the tide is turning,” says Shikiar.
“Instead of encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers must look to standards such as W3C’s Web Authentication API (WebAuthn - https://fidoalliance.org/w3c-and-fido-alliance-finalize-web-standard-for-secure-passwordless-logins ) to enhance security while improving their users’ experience. This is a major step forward in making secure web practices more accessible for users worldwide, representing many years of industry collaboration between the FIDO Alliance and W3C to develop a practical solution for phishing-resistant authentication on the web, while reducing our global reliance on passwords.”
The FIDO Alliance (www.fidoalliance.org) is the non-profit consortium that brings together some of the largest tech and finance companies across the world to develop standards for safe authentication.