EasyJet data breach is another example of why businesses should not and do not need to hold customers passwords at all...
EasyJet – the largest airline based in the UK and a regular occupant of the FTSE 100 – experienced a major security breach this April. A cyberattack resulted in the exposure of the email addresses and flight details of nine million of its customers.
As you’d expect from a business of this size, easyJet has responded by saying that it takes its customers’ data seriously and has robust measures in place to protect from attackers, but says that cyber attackers are using increasingly sophisticated measures.
What does this say to other online businesses - including the thousands of SMEs now operating online - who feel the burden of keeping their customers’ data secure when they have fraction of the resources of easyJet at their disposal?
It is quite a responsibility. What would be the implications if they did experience a security breach via their website, giving access to their customers’ vital personal information?
And we must wonder if the negative publicity around the easyJet and other high profile breach cases will make online users think twice about where they make purchases online. Will they want more reassurance of the measures the website owner has in place? Will they feel less safe dealing with a smaller business online? Will boutique, independent, non-plc enterprises struggle if they can’t demonstrate their robust system for keeping login data safe?
So what can online businesses do to keep their website data safe, and also reassure customers that they are a safe place to do their shopping?
One weak point in any website is its login function and most data breaches occur when individual websites are targeted for their login data.
Surprisingly, login and authentication still isn’t seen as a point of priority when websites are created. Many don’t take advantage of the maximum security options available for login functionality or meet the optimum encryption standards that are available. Many website owners don’t know to check, and have many other critical areas to give their consideration to when creating a new website.
But for online customers, the login experience is critical. Once they’ve found what they want to buy, they want to get through login quickly but they also need to know that their data is safe. Reading stories like the easyJet one are likely to make them even more keen for reassurance.
The problem is that ordinary people log into hundreds of websites a week, and they can’t reasonably remember a new and different, secure password for each of these websites - it just isn’t practical. So they start using ones they find easier to remember
One option is outsource the problem - to give the headache to experts and use third-party authentication. When users are invited to log in, they click through to a highly secure login provider’s interface, meaning they are authenticated securely before continuing smoothly with their purchase.
Various third-party login providers are available, and many still use the traditional alpha-numeric password format. This still involves remembering a series of (ideally random) letters, numbers, characters, and featuring both upper and lower cases.
PixelPin provides a different kind of login and authentication solution. Users click four points on a chosen picture (of their own choosing, so easy to remember), instead of remembering a password. It’s an innovative solution and it is also highly secure - it has been vetted by the National Cyber Security Centre and experts from GCHQ.
As well as the fact that the high number (1 million+) of potential click points on a picture (“entropy”) makes it next to impossible for a hacker to guess, it also doesn’t fit the mould for the average scammers who are breaking into websites to scan for password data. They aren’t looking for “picture passpoint” info. If you add to this the cast iron security, encryption and data hashing measures that PixelPin has in place to guard its login data, it becomes a very unattractive target for criminals. Despite extensive testing over several years, no one has successfully hacked it yet.
For website owners, this offers peace of mind, but it also allows them to offer customers something different and innovative, which is fun to use but has the necessary hardcore security credentials that they can trust.