Tesco online security being investigated


One of the biggest retail websites in the UK is to be asked to explain the alleged poor security practices of its website to the Information Commissioner's Office (ICO).

The inquiry follows investigations by security bloggers who have voiced their dismay at what they claim are unsafe security practices used by the company.

Tesco's login and password information is allegedly stored 'unhashed', 'unsalted' and, probably, unencrypted, they say. It emails passwords to customers in plain text, instead of sending a link to a secure web page where they can be reset. It also follows bad practice on the secure pages of its website by loading some components over plain HTTP rather than HTTPS. And it lets shoppers continue shopping without encryption after they have logged in, so that their traffic, and hence the credentials carried in their session cookies, can be sniffed and the session hijacked.

The retailer's password policy is also under scrutiny. The only passwords the website allows are weak: no more than ten characters in length, with upper- and lower-case characters treated as the same. This indicates old underlying technology, security specialists believe.
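The practices criticised above (unsalted, unhashed storage; passwords emailed in clear; case-folded, short passwords; session cookies exposed to plain-HTTP traffic) each have a well-known remedy. The following is an added example written for this article, not code from Tesco or from the bloggers quoted; it uses only the Python standard library, and the iteration count, length limits and cookie attributes are assumed values chosen for illustration. It shows per-user salted PBKDF2 hashing with a constant-time check, a random single-use reset token that can be emailed in place of the password, a length-only policy that keeps case significant, and a session cookie marked so browsers will not send it over plain HTTP.

```python
import hashlib
import hmac
import os
import secrets

# Work factor and salt size are assumptions for this example, not values
# from the article; raise the iteration count as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Each password gets its own random salt, so two users with the same
    password get different records and precomputed tables are useless.
    Case is preserved: 'Secret' and 'secret' hash to different values.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_policy_ok(password: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Bound length generously instead of capping at ten characters.

    No case folding is done anywhere, so the full character set counts.
    """
    return min_len <= len(password) <= max_len


def new_reset_token() -> str:
    """Random token to email as a reset link instead of the password itself."""
    return secrets.token_urlsafe(32)


def reset_token_fingerprint(token: str) -> str:
    """What the server stores (with an expiry): a hash of the token, so a
    leaked database does not yield usable reset links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session that must never travel over plain HTTP.

    Secure keeps the browser from sending it without TLS; HttpOnly keeps
    page scripts from reading it; SameSite limits cross-site sending.
    """
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    # Constructed sample, not a real credential.
    record = hash_password("CorrectHorse!1234")
    print(record)
    print("login ok:", verify_password("CorrectHorse!1234", record))
    print("wrong case rejected:", not verify_password("correcthorse!1234", record))
    token = new_reset_token()
    print("store:", reset_token_fingerprint(token))
    print(session_cookie_header(secrets.token_hex(16)))
```

The reset flow that goes with this is: generate `new_reset_token()`, store only its fingerprint and an expiry against the account, email a link containing the token, and on use compare `reset_token_fingerprint(submitted)` to the stored value before allowing a new password to be set; the old password is never recoverable from what is stored or sent.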

For Get Safe Online's information and advice about safe online shopping, click here.

