LastPass by LogMeIn, a leader in password management, has revealed their ranking of the most and least secure UK online retailers ahead of the holiday shopping season. With Black Friday and Cyber Monday around the corner, the analysis has revealed that retailers still have work to do to encourage strong password security and support two-factor authentication (2FA).
LastPass identified the top 10 UK retailers by 2017 e-commerce sales and scored them on their security offerings. Features considered in the scoring included password requirements (length, special characters, numbers), if sites featured a password meter, if sites supported 2FA, what personal information is required at account set-up, and whether sites ran on secure HTTPS vs HTTP.
Key findings include:
· 2FA Fail
Nine out of the ten top retailers still don’t support two-factor authentication, Amazon being the only site that did support it. 2FA provides an additional layer of security toward preventing unauthorized access to an account. Unfortunately, these results tie in with LastPass’ recent Global Password Security Report which found that 45 percent of businesses use multi-factor authentication and that retail organisations are lagging behind other industries in password practices and adoption of multi-factor authentication (MFA).
· Despite passwords being a major cause of breaches, retailers aren’t promoting strong password practice
None of the top 10 retailers require special characters when creating a password, and only 2/10 sites (Asda and Very) provide a password strength meter to indicate weak to strong passwords.
· Amazon leads the pack in the UK
Amazon, the largest online retailer in the UK, ranks at the top of the most secure retailers, set apart by being the only site to support 2FA. In contrast, Amazon is number 4 on the US Naughty and Nice List.
· All retailers succeeding in site encryption
Every retailer tested runs on HTTPS, the secure version of HTTP. With all communications between users’ browsers and the website being encrypted, this is good news for shoppers entering personal information and card details.
· The Fear of Forgetting
We know that fear of forgetting a password is the biggest reason people reuse passwords, but most sites make it fairly easy to create a new password if you forget it. If a password is forgotten, all 10 sites send users a reset link or a one-time code, rather than sending the original password to the registered email, making it harder for an imposter to pose as a customer to gain access.
Sandor Palfy, CTO of Identity and Access Management at LogMeIn, said of the findings: “Black Friday has fast become one of the biggest online shopping events of the year: £1.39 billion was spent in the UK on retail sites in 2017. With the wealth of personally identifiable information (PII) and sensitive data that online retailers process, all have a responsibility to ensure they take the necessary steps to protect their customers and educate them on best security practices. Consumers also have a responsibility to understand best security practices, so they can choose where to safely shop online.
Weak or stolen credentials continue to play a major role in breaches, so it’s worrying that the most popular UK retailers have pretty lax password requirements when hundreds of thousands of shoppers will be flocking to these sites for a good deal on Black Friday.
Customers should be encouraged to create a strong, unique login that is long and complex, containing a mixture of numbers, letters and special characters with the help of a password strength meter. This password should also be unique so if the worst was to happen and a brand was breached, other accounts would remain secure.
Given the damage a breach can cause organisations and the high-scale attacks in recent years, this should encourage retailers to assess their security posture before they get into the full swing of the holiday shopping period.”
Methodology
LastPass conducted the online retailer account security research in October 2018. Using market research firm eMarketer’s list of the top 10 U.K. retailers based on e-commerce sales in 2017, LastPass researched key password requirements and other account security features to develop a ranking of the most and least secure retail sites. Each site was analyzed against a set of 17 criteria, each scored on a scale of either 0 to 2 or 0 to 10 points depending on whether and how well the criterion was met.
The criteria include the following: password requirements, including minimum/maximum characters and character types allowed; whether these requirements and any helpful tips are shown to the user; whether the website employs a password strength meter to encourage longer passwords; the use of security questions; whether HTTPS is used whenever any information is entered; how much personal information is collected (name, birthday, address, email, phone); the use of two-factor authentication; whether the site allows sign-on using social media logins; and what the company does if a user forgets their password.
About LastPass
LastPass is an award-winning password manager helping millions organise and protect their online lives, at home and at work. For businesses of all sizes, LastPass provides secure password storage and centralised admin oversight to reduce the risk of data breaches and remove password obstacles for employees. With customisable policies, secure password sharing, and comprehensive user management, LastPass gives IT the tools to strengthen password hygiene across the organisation. For more information, visit https://lastpass.com.
LastPass is a trademark of LogMeIn in the U.S. and other countries.
About LogMeIn, Inc.
LogMeIn, Inc. (Nasdaq: LOGM) simplifies how people connect with each other and the world around them to drive meaningful interactions, deepen relationships, and create better outcomes for individuals and businesses. One of the world’s top 10 public SaaS companies, and a market leader in communication & conferencing, identity & access, and customer engagement & support solutions, LogMeIn has millions of customers spanning virtually every country across the globe. LogMeIn is headquartered in Boston with additional locations in North and South America, Europe, Asia and Australia.