[personal profile] chrishansenhome
Yesterday I went shopping at the local Tesco supermarket. For those not in the UK, Tesco is one of the largest supermarket chains in the UK and elsewhere. It is quite sophisticated in its data collection, with purchases made against a Tesco Clubcard stored in the databases of Dunnhumby, and rewards doled out to loyal shoppers depending on how much and what they buy.

Up until recently, you had to have an actual credit-card-sized card scanned with your shopping. But, lo and behold, they turned out an iOS app, which has a scannable barcode and the ability to put your coupons on the app, so that they are automatically redeemed. No more fumbling for paper coupons.

All well and good. I'd been using the app for a while, with no problems. All of a sudden, yesterday, it asked me to log in. When you discover that you have to re-login at the till (US=cash register) you don't have enough time to do this, so I said, "Screw this, I'll log in tomorrow," and scanned my actual card.

Today, before my shopping trip, I went to the app and tried to log in. It didn't take my password. I tried another one that could have been the one I used, and it wouldn't take that either. So, I asked it to reset my password, and followed the link.

The first time I typed in a password, it said I'd already used that password, even though that was the password I'd typed in the first time I tried to log in. So, I typed in another, almost immediately. The app said that the previous login had expired and I'd need to ask for another password reset.

Irate, I did that and managed to type in a password that it would accept. It then asked me to type in three digits from my Clubcard number! Livid, I got my Clubcard out and typed in those three digits (from an 18 or 19-digit-long account number, I might add), and finally got into the app.

Now you might well ask, what would have happened if someone else had gotten my password? They would first have had to steal my phone, log in to that, open the app, figure out the app-password, and they would get access to the equivalent of £6 and a few coupons. Horace's line comes to mind: Parturient montes, nascetur ridiculus mus (The mountains are in labour, a ridiculous mouse is born.)

The rigamarole around the security of getting access to this app reminded me of Geraldo Rivera's hyping of Al Capone's vault and its fabled contents. He broke into it on television, and found (I believe) an empty whiskey bottle. Nothing worth locking up in that vault. Same with the Clubcard. While enough security to keep one's kids from getting into the app would be good, the level of security I had to hurdle is over the top. If I am logged out again and cannot get back in, I'm deleting the app. I shall go back to the card.

Date: 2015-09-05 07:02 pm (UTC)
From: [personal profile] rejectomorph
Safeway stores here have an app too, but as I don't have a cellphone I don't use it. But for about five years it's been possible to go to their web site and load digital coupons onto your card. I've never had any problems with their system. I don't know if their phone app works as well as the web site or not, but I've always had the feeling that their computer is actually smarter than most of their clerks, so maybe it does.

Date: 2015-09-05 09:24 pm (UTC)
From: [identity profile] chrishansenhome.livejournal.com
Theoretically the Tesco app is better than Safeway's (as you describe it), as you can load coupons directly in the app, no fiddling around with computers required.

My difficulty is that the amount of security required to log on and to change your password is overkill for the amount of loss one could suffer were the password to escape.

Date: 2015-09-05 09:40 pm (UTC)
From: [personal profile] rejectomorph
You can load coupons with Safeway's app, too. While shopping you can scan the bar code of a coupon item (there's always a shelf sign if a coupon is available for it) with your phone's camera and the app instantly loads it to your account. I don't have a cellphone though because the reception here is so crappy. That's why I'm still loading coupons from their web site with the computer.

Date: 2015-09-06 06:45 am (UTC)
From: [personal profile] bigmacbear
Yes, I do this for a living, and have some insights on why password resets can be such a PITA (and no, I'm not referring to Mediterranean flatbread ;).

It appears Tesco have been slapped silly for computer security high crimes and misdemeanors like storing passwords in clear text and emailing them as reminders (see "Lessons in website security anti-patterns by Tesco" by Troy Hunt for the list).

I'm thinking they are erring on the side of caution since their data breach last year as linked from the above post. One of the big items that annoyed you so is that you cannot use the password you "forgot" ever again; you need to pick a new password, and the email that sent you to their password reset site -- or the reset page itself -- should have told you that. It's the never-ending trade-off between security and usability.

It might be helpful to find out why the password needed to be reset in the first place though. It may be a case of identity theft thankfully thwarted.

Date: 2015-09-06 08:18 am (UTC)
From: [identity profile] chrishansenhome.livejournal.com
Everything that you say is true, but I still return to the fact that the payoff for cracking my Tesco password could be as high as £6. Perhaps they have an overexaggerated idea of their own worth, or perhaps in the future they might be tempted to try to put payments from a credit card into their app (I'll resist that).

I think that, like the New Yorker, they probably log your phone out of their system each month. I had trouble with the New Yorker over that, and rather than take the time to bother with re-logging in (their nagwindow telling me that I had no more free views kept preventing me from logging in) I just delete their emails now and read the paper magazine or read on my iPad, which hasn't suffered the same fate as my computer. I doubt that the Tesco situation was identity theft, as I only log in on my phone and there is no cross-pollination between my phone and my computer.

In any case, I'm going to complain after I get out of the hospital after my foot operation. Maybe I can get a coupon out of it!
Edited Date: 2015-09-06 03:23 pm (UTC)
