![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Online Security Stupidity
Sep. 5th, 2015 02:53 pmYesterday I went shopping at the local Tesco supermarket. For those not in the UK, Tesco is one of the largest supermarket chains in the UK and elsewhere. It is quite sophisticated in its data collection, with purchases made against a Tesco Clubcard stored in the databases of Dunnhumby, and rewards doled out to loyal shoppers depending on how much and what they buy.
Up until recently, you had to have an actual credit-card-sized card scanned with your shopping. But, lo and behold, they turned out an iOS app, which has a scannable barcode and the ability to put your coupons on the app, so that they are automatically redeemed. No more fumbling for paper coupons.
All well and good. I'd been using the app for a while, with no problems. All of a sudden, yesterday, it asked me to log in. When you discover that you have to re-login at the till (US=cash register) you don't have enough time to do this, so I said, "Screw this, I'll log in tomorrow." and scanned my actual card.
Today, before my shopping trip, I went to the app and tried to log in. It didn't take my password. I tried another one that could have been the one I used, and it wouldn't take that either. So, I asked it to reset my password, and followed the link.
The first time I typed in a password, it said I'd already used that password, even though that was the password I'd typed in the first time I tried to log in. So, I typed in another, almost immediately. The app said that the previous login had expired and I'd need to ask for another password reset.
Irate, I did that and managed to type in a password that it would accept. It then asked me to type in three digits from my Clubcard number! Livid, I got my Clubcard out and typed in those three digits (from an 18 or 19-digit-long account number, I might add), and finally got into the app.
Now you might well ask, what would have happened if someone else had gotten my password. They would first have had to steal my phone, log in to that, open the app, figure out the app-password, and they would get access to the equivalent of £6 and a few coupons. Horace's line comes to mind: Parturient montes, nascetur ridiculus mus (The mountains are in labour, a ridiculous mouse is born.)
The rigamarole around the security of getting access to this app reminded me of Geraldo Rivera's hyping of Al Capone's vault and its fabled contents. He broke into it on television, and found (I believe) an empty whiskey bottle. Nothing worth locking up in that vault. Same with the Clubcard. While enough security to keep one's kids from getting into the app would be good, the level of security I had to hurdle is over the top. If I am logged out again and cannot get back in, I'm deleting the app. I shall go back to the card.
Up until recently, you had to have an actual credit-card-sized card scanned with your shopping. But, lo and behold, they turned out an iOS app, which has a scannable barcode and the ability to put your coupons on the app, so that they are automatically redeemed. No more fumbling for paper coupons.
All well and good. I'd been using the app for a while, with no problems. All of a sudden, yesterday, it asked me to log in. When you discover that you have to re-login at the till (US=cash register) you don't have enough time to do this, so I said, "Screw this, I'll log in tomorrow." and scanned my actual card.
Today, before my shopping trip, I went to the app and tried to log in. It didn't take my password. I tried another one that could have been the one I used, and it wouldn't take that either. So, I asked it to reset my password, and followed the link.
The first time I typed in a password, it said I'd already used that password, even though that was the password I'd typed in the first time I tried to log in. So, I typed in another, almost immediately. The app said that the previous login had expired and I'd need to ask for another password reset.
Irate, I did that and managed to type in a password that it would accept. It then asked me to type in three digits from my Clubcard number! Livid, I got my Clubcard out and typed in those three digits (from an 18 or 19-digit-long account number, I might add), and finally got into the app.
Now you might well ask, what would have happened if someone else had gotten my password. They would first have had to steal my phone, log in to that, open the app, figure out the app-password, and they would get access to the equivalent of £6 and a few coupons. Horace's line comes to mind: Parturient montes, nascetur ridiculus mus (The mountains are in labour, a ridiculous mouse is born.)
The rigamarole around the security of getting access to this app reminded me of Geraldo Rivera's hyping of Al Capone's vault and its fabled contents. He broke into it on television, and found (I believe) an empty whiskey bottle. Nothing worth locking up in that vault. Same with the Clubcard. While enough security to keep one's kids from getting into the app would be good, the level of security I had to hurdle is over the top. If I am logged out again and cannot get back in, I'm deleting the app. I shall go back to the card.
