News & Views
Yubico comments on Boots breach
Boots has suspended Advantage Card payments following an attempt to break into customers’ accounts using stolen passwords. While the company stated that its systems had not been compromised, attackers had reportedly tried to access accounts using reused passwords from other sites. This comes just days after Tesco announced it was issuing new Clubcards to 600,000 account holders as a precaution after discovering that a database of stolen usernames and passwords gathered from other platforms had been tested on its websites.
“We’ve known for some time about the risks posed by databases containing usernames and passwords. Not only is this combination woefully ineffective as a standalone method of authentication, the security risks are also compounded by the fact that these databases have become prime targets for cyber criminals to exploit,” warns Nic Sarginson, Senior Solutions Engineer at Yubico (www.yubico.com).
“Brute-force attacks, in which these details are stolen and used against a host of other sites, unfortunately often prove successful given that so many consumers re-use credentials across multiple accounts.”
Yubico’s own research (www.yubico.com/authentication-report-2020) found that while protecting customer information and personally identifiable information (PII) is a top priority for IT professionals, 62% reported that customer accounts have been subject to an account takeover.
“It’s time to reduce our collective reliance on inconvenient and insecure passwords, instead encouraging consumers to use two-factor authentication (2FA) at a minimum,” continues Sarginson.
“However, we can’t ignore the well-known vulnerabilities with basic 2FA – such as SMS one-time password (OTP) spoofing – which means embracing new standards such as WebAuthn (https://webauthn.io/), which offers proven levels of protection, while also looking to more sophisticated forms of technology such as biometrics. The onus must not just be on consumers to get this right; it’s essential that organizations take responsibility for making use of modern authentication technologies that will help protect their customers and internal systems.”