Black Friday Warning as UK Retailers Fail on 2FA

Nine out of 10 UK retailers are failing to boost customers' log-in security with two-factor authentication (2FA), according to new research from LastPass.

The LogMeIn company used the Black Friday shopping period this weekend to raise awareness about the continued security failings of many online retailers.

Only Amazon passed the 2FA test among the top shopping sites in the UK by 2017 retail sales. Asda, Very, Marks & Spencer, Argos, John Lewis, Sainsbury’s, Tesco, Ocado and Next all failed.

This is despite most retailers on the list making an annual revenue of over £1 billion, with a couple (Tesco and Argos) well over that.

Even worse, none of the 10 retailers require special characters when creating a password, and only two, Asda and Very, provide a password strength meter to help customers choose stronger passwords, according to LastPass.

It’s well-known that passwords represent a major security risk, both to corporate users and consumers. Phishing attacks were linked to 93% of all data breaches investigated by Verizon last year, for example, and consumer account takeover fraud is also on the rise.

Aside from phishing for log-ins, hackers have multiple tools and techniques at their disposal to hijack accounts. Automated credential stuffing tools, for example, try username/password combinations stolen or bought off the dark web on a variety of sites in the hope that users have reused their log-ins. 

In this respect, either a password manager or, even better, 2FA can help to mitigate the risks associated with log-in security, although retailers believe the latter could add friction to the authentication process and therefore potentially affect profits.

Despite these concerns, more and more companies are investing in 2FA. According to LastPass, 45% now use it, versus just 25% the previous year.

However, retailers continue to lag, with one of the worst Security Scores of any sector: 48% versus an average of 52% for the 43,000 customers benchmarked by LastPass.

On the plus side, all of those appraised were found to be using HTTPS. However, another report this week found four top high street names which were not: Cards Galore, Selfridges and Arcadia Group’s Dorothy Perkins and Topshop.

It's estimated that UK consumers will spend £2.5bn online this Black Friday.
