Tesco doesn’t have a great track record with security as Troy Hunt has pointed out in the past with such articles as The Tesco hack – here’s how it (probably) happened and Lessons in website security anti-patterns by Tesco. I was still surprised though when I attempted to log into my online account at Tesco Bank with only my username (that turned out to be incorrect), only to be greeted with a page informing me that my username didn’t exist. Hang on a minute, what just happened there?!
Here’s a nice animated GIF of Tesco Bank disclosing the presence of usernames for their BANKING customers. Yes, you read that right, I said banking customers! Of all the systems you’d want to make sure you don’t disclose the presence of user accounts, you’d hope your banks online login system wasn’t one of them!
During the recording of the GIF on my Windows machine, I also noticed Internet Explorer asked me if I wanted AutoComplete to remember my username. I was surprised by this and immediately took to viewing the source of the login page in order to dig into it a little more.
As you can see from the above screenshot of the source of Tesco Bank’s login page, the username input field (login-uid) doesn’t have the autocomplete=”off” attribute set, so the browsers autocomplete feature offered to store my username. It get’s even worse though on the first page of their “forgotten your username” process that asks for your credit card number along with other personal information such as name and DoB, yet none of these fields have AutoComplete disabled either!
Like seriously Tesco, have you not heard of public computers and how letting the browser offer to save your username yet alone a credit card number could be dangerous?! I’d like to have thought Tesco would have learned their lesson the first time around!
To round this
rant post off, I decided to tweet Tesco Bank about my concern with their user disclosure though to no avail as you can see below. Thanks for reading and here’s to hoping you don’t bank with Tesco too! Ha.