The Information Commissioner's Office (ICO) is to investigate claims that Tesco's website does not offer sufficient privacy protections to customers. The UK privacy watchdog's probe follows a number of privacy concerns raised by security experts about the retailer's main website. This paper discusses why data security matters to Tesco and analyses which techniques can be, and are being, implemented to improve the security of its data.
Case Analysis
The report states that the Information Commissioner's Office has begun investigating experts' assertions that Tesco's main website does not provide adequate security and privacy protection for its customers. The central issue concerns the way Tesco stores the passwords of people shopping online through its e-commerce website. It came to light after Troy Hunt, a security researcher, revealed in a blog post that he had received a password reminder from Tesco by e-mail which contained his password in plain text (www.information-age.com).
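To make the difference concrete, the following is an added example (not Tesco's code, nor code from any of the reports cited in this paper) contrasting a plaintext credential store, which can mail a password back on request, with a salted-hash store that cannot, paired with the single-use, expiring reset-token flow that replaces the reminder e-mail. The record layout, PBKDF2 iteration count and token lifetime are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to the deployment's hardware

# Constructed example of the plaintext model: the record holds the password
# itself, so a "reminder" e-mail can simply read it back out.
PLAINTEXT_STORE = {"alice": {"password": "hunter2"}}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a salted PBKDF2-HMAC-SHA256 hash, with a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(store: dict, username: str, password: str) -> None:
    """Store only salt and hash; the password itself is never written anywhere."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest}


def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash for the supplied password and compare in constant time."""
    record = store.get(username)
    if record is None:
        hash_password(password)  # do the same work so timing does not reveal unknown users
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def password_reminder(store: dict, username: str) -> Optional[str]:
    """The plaintext model's 'reminder': return the stored secret. With a
    hashed store there is no password field to return, so this yields None."""
    record = store.get(username)
    return record.get("password") if record else None


def issue_reset_token(reset_tokens: dict, username: str, ttl_seconds: int = 900) -> str:
    """Mint a random, time-limited token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).digest()
    reset_tokens[key] = (username, time.time() + ttl_seconds)
    return token


def redeem_reset_token(store: dict, reset_tokens: dict, token: str, new_password: str) -> bool:
    """Consume a token exactly once, reject it if expired, then set the new hash."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = reset_tokens.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expires_at = entry
    if time.time() > expires_at:
        return False
    register(store, username, new_password)
    return True


if __name__ == "__main__":
    users, tokens = {}, {}
    register(users, "alice", "correct horse")
    print("plaintext reminder:", password_reminder(PLAINTEXT_STORE, "alice"))
    print("hashed reminder:", password_reminder(users, "alice"))
    t = issue_reset_token(tokens, "alice")
    print("reset ok:", redeem_reset_token(users, tokens, t, "new passphrase"))
    print("login ok:", verify(users, "alice", "new passphrase"))
```

The reset path sends the user a link carrying the token, not the password; the server keeps only the token's hash, so a leaked database table cannot be turned into working reset links either.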
This makes clear, as Hunt told the news reporters, that Tesco's password data is not stored cryptographically: a system that can e-mail a password back must be holding it in recoverable form. The security experts agree that the website should use a safer means of password recovery, e-mailing users instructions on how to change their password rather than disclosing the password itself (ISO, 2009). Furthermore, Hunt criticised the Tesco website for not employing Hypertext Transfer Protocol Secure (HTTPS) across the entire site to protect users from data theft and phishing attacks. Although users log in to the Tesco website over HTTPS, the browser then falls back to HTTP, which gives users no security guarantees. Hunt notes that because HTTP is a stateless protocol, the only practicable way to maintain a state such as being logged in is to exchange cookies back and forth between the website and the browser. Because those cookies are sent over an HTTP connection, anyone able to view the traffic can also view the cookies and copy them in order to hijack the ongoing session (Warwick, 2012).
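As an added example (not from this paper's sources), the following script audits Set-Cookie headers the way a defender might check a site for the session-cookie exposure Hunt describes: it flags session cookies that lack the Secure and HttpOnly attributes, shows which later plain-HTTP requests a browser would attach them to, and produces the hardened form of each header. The sample headers, URLs and the cookie-name heuristic are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: a login response over HTTPS sets a session cookie with
# no Secure/HttpOnly attributes, then the user browses ordinary pages over HTTP.
SAMPLE_SET_COOKIE = [
    "sessionid=0123456789abcdef; Path=/",
    "prefs=gb; Path=/",
]
SAMPLE_LATER_URLS = [
    "http://www.example.com/groceries",
    "https://www.example.com/account",
]

# Assumed heuristic for spotting cookies that carry logged-in state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip() or None
    return cookie


def looks_like_session(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def browser_would_send(cookie: dict, url: str) -> bool:
    """Scheme rule only: a Secure cookie is withheld from plain-http requests."""
    return urlsplit(url).scheme == "https" or not cookie["secure"]


def audit(set_cookie_headers, later_urls) -> list:
    """Findings for session cookies that could leak in cleartext or to page scripts."""
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if not looks_like_session(c["name"]):
            continue
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure attribute")
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly attribute (readable by script)")
        for url in later_urls:
            if urlsplit(url).scheme == "http" and browser_would_send(c, url):
                findings.append(f"{c['name']}: would be sent in cleartext to {url}")
    return findings


def harden(header: str) -> str:
    """Append the attributes a session cookie should carry if they are absent."""
    c = parse_set_cookie(header)
    extra = []
    if not c["secure"]:
        extra.append("Secure")
    if not c["httponly"]:
        extra.append("HttpOnly")
    if c["samesite"] is None:
        extra.append("SameSite=Lax")
    return header.rstrip("; ") + "".join(f"; {a}" for a in extra)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SET_COOKIE, SAMPLE_LATER_URLS):
        print(finding)
    print([harden(h) for h in SAMPLE_SET_COOKIE])
```

The Secure attribute only stops the browser from sending the cookie over HTTP; it does nothing for the page content itself, which is why the experts' recommendation is HTTPS across the whole site rather than on the login form alone.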
In a subsequent blog post, Hunt asserts that the Tesco website has serious security issues beyond those he initially described, including unconfirmed SQL injection vulnerabilities and confirmed cross-site scripting (XSS) vulnerabilities. Hunt further claims that he had forwarded details of the XSS vulnerability to several people in senior technology roles at Tesco, yet the vulnerability remains unfixed (www.troyhunt.com). Hunt remarks that it will be interesting to see this rather distinctive approach to data security scrutinised by the ICO in the United Kingdom. Even as the statement like “We are aware of ...