New World customers warned after ‘password spraying’ attack

By Chris Keall
Technology Editor/Senior Business Writer, NZ Herald
12 Jul, 2025 02:39 AM

In a "password spraying" attack, a scammer uses previously compromised passwords or automated tools to try lots of common weak passwords. Image / Herald graphic

New World Clubcard members are being asked to change their online passwords after a cyber attack.

One expert is questioning why customers were allowed to set weak online passwords and to keep the default “0000” PIN on their physical cards.

“Foodstuffs North Island and Foodstuffs South Island have identified a recent attempt by scammers to gain unauthorised access to a limited number of New World Clubcard accounts,” a spokesman for New World owner Foodstuffs said.

“This activity is consistent with what’s known as a ‘password spraying’ attack, where commonly used or previously compromised passwords are tested across many accounts.


“We want to reassure our customers that Foodstuffs’ systems have not been breached or compromised in any way.

“The issue has arisen where some customers’ passwords have been successfully guessed by scammers using automated tools.”

The spokesman said no personal credit card data has been compromised: “Foodstuffs never stores full [credit] card numbers.”

However, a New World Clubcard account can have “New World dollars” loaded to it, earned under a rewards scheme, that can be used to buy groceries.


“As a precaution, we have temporarily disabled the ability to redeem New World dollars on affected Clubcard accounts and removed stored payment tokens linked to them,” the spokesman said.

Citing security, the spokesman would not answer questions about whether scammers had been able to order groceries, whether refunds had been paid if they had, or how many accounts were affected.

“To restore access and ensure ongoing protection, we are asking affected customers to reset their passwords, choosing a strong and unique passphrase,” the spokesman said.
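The failure pattern the spokesman describes has a recognisable shape in authentication logs, and the distinction from brute force matters for the response: a spray touches many accounts with one or two guesses each, staying under any per-account lockout threshold, while brute force hammers one account. The detector below is an added example, not code from Foodstuffs or CyberCX; the log format, the IP addresses and the account names are constructed for illustration.

```python
"""Detect password spraying versus brute force in an authentication log.

Added example, not code from Foodstuffs or CyberCX. Log format, addresses
and account names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
# 203.0.113.7 sprays one guess across ten accounts and hits one (dave);
# 198.51.100.9 brute-forces a single account; the rest are ordinary logins.
SAMPLE_LOG = """\
2025-07-11T09:00:01 203.0.113.7 alice FAIL
2025-07-11T09:00:02 203.0.113.7 bob FAIL
2025-07-11T09:00:03 203.0.113.7 carol FAIL
2025-07-11T09:00:04 203.0.113.7 dave SUCCESS
2025-07-11T09:00:05 203.0.113.7 erin FAIL
2025-07-11T09:00:06 203.0.113.7 frank FAIL
2025-07-11T09:00:07 203.0.113.7 grace FAIL
2025-07-11T09:00:08 203.0.113.7 heidi FAIL
2025-07-11T09:00:09 203.0.113.7 ivan FAIL
2025-07-11T09:00:10 203.0.113.7 judy FAIL
2025-07-11T09:01:00 198.51.100.9 alice FAIL
2025-07-11T09:01:01 198.51.100.9 alice FAIL
2025-07-11T09:01:02 198.51.100.9 alice FAIL
2025-07-11T09:01:03 198.51.100.9 alice FAIL
2025-07-11T09:01:04 198.51.100.9 alice FAIL
2025-07-11T09:01:05 198.51.100.9 alice FAIL
2025-07-11T09:05:00 192.0.2.44 alice SUCCESS
2025-07-11T09:06:00 192.0.2.45 bob FAIL
2025-07-11T09:06:05 192.0.2.45 bob SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, lockout_threshold=5):
    """Label each source IP whose activity in some window looks hostile.

    password_spray: at least `min_accounts` distinct accounts tried, but no
      single account tried `lockout_threshold` times or more (the attacker
      deliberately stays under the lockout).
    brute_force: some single account tried `lockout_threshold` times or more.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        for start_ts, *_ in evs:            # slide the window over each start
            in_win = [e for e in evs if start_ts <= e[0] < start_ts + window]
            attempts = defaultdict(int)
            for _, _, account, _ in in_win:
                attempts[account] += 1
            peak = max(attempts.values())
            if len(attempts) >= min_accounts and peak < lockout_threshold:
                pattern = "password_spray"
            elif peak >= lockout_threshold:
                pattern = "brute_force"
            else:
                continue
            findings[ip] = {
                "pattern": pattern,
                "accounts_targeted": len(attempts),
                "max_attempts_per_account": peak,
                # successes from a spraying source are the accounts to reset
                "successes": sorted({a for _, _, a, r in in_win if r == "SUCCESS"}),
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The per-source view above misses a spray distributed across a proxy pool, where each IP makes only a handful of attempts. The complementary, account-centric signal is a spike in the number of distinct accounts with exactly one failed login in the window, regardless of source, compared with the normal baseline; a mature detection runs both.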

Expert’s concerns

Hamish Krebs, a cybersecurity incident response expert with security firm CyberCX, who also happens to be a New World Clubcard customer, received the Foodstuffs email this morning. Like a number of other customers, he was told his account was not affected but that, in keeping with “security best practice”, he should update his account anyway.

In Krebs’ view, any transactional site should require a strong online password from the get-go.

Physical New World Clubcards also came with a default PIN of 0000, and some customers never changed it.

“I can confirm New World Dollars have been disabled for those customers’ cards too,” the Foodstuffs spokesman said.

Another concern for Krebs: he said he could find only one “multi-factor authentication” (MFA) option in the New World Clubcard app, a code sent to a cellphone number. The drawback, he said, was that once logged into a Clubcard account, a scammer could change the associated cellphone number to their own.
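The weakness Krebs describes is a design question rather than a bug: an MFA factor is only as strong as the rules for rebinding it. If a session that proved only a password may change the SMS number, whoever guessed that password by spraying also owns the second factor. The usual fix is step-up authentication for the change itself: a one-time code is sent to the existing number and the rebind is allowed only when that code is presented. The following is an added example of that pattern, not the New World Clubcard app's code; the account model, function names and flow are hypothetical.

```python
"""Step-up authentication before rebinding an MFA phone number.

Added example, not the New World Clubcard app's code; the account model,
function names and flow are hypothetical. change_phone_insecure shows the
weakness (password alone rebinds the factor); request_phone_change and
confirm_phone_change show the step-up version.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_OTP_ATTEMPTS = 3


@dataclass
class Account:
    username: str
    phone: str                                # where one-time codes go
    pending_otp_hash: Optional[str] = None    # hash of the code in flight
    pending_attempts: int = 0


@dataclass
class Session:
    account: Account
    password_verified: bool = True    # every logged-in session has this
    mfa_verified: bool = False        # only a successful OTP check sets this


class StepUpRequired(Exception):
    """A sensitive change was attempted without proving the existing factor."""


def change_phone_insecure(session: Session, new_phone: str) -> None:
    """Vulnerable pattern: a password-only session may rebind the factor."""
    session.account.phone = new_phone


def request_phone_change(session: Session, sms_outbox: list) -> None:
    """Secure pattern, step 1: send a code to the CURRENT number.

    An attacker who guessed the password does not hold the victim's phone,
    so the code never reaches them. `sms_outbox` stands in for an SMS gateway.
    """
    otp = f"{secrets.randbelow(10**6):06d}"
    acct = session.account
    acct.pending_otp_hash = hashlib.sha256(otp.encode()).hexdigest()
    acct.pending_attempts = 0
    sms_outbox.append((acct.phone, otp))


def confirm_phone_change(session: Session, otp: str, new_phone: str) -> None:
    """Secure pattern, step 2: only the correct, unexpired code unlocks the rebind."""
    acct = session.account
    if acct.pending_otp_hash is None:
        raise StepUpRequired("no code has been issued, or it was invalidated")
    acct.pending_attempts += 1
    supplied = hashlib.sha256(otp.encode()).hexdigest()
    if not hmac.compare_digest(supplied, acct.pending_otp_hash):
        if acct.pending_attempts >= MAX_OTP_ATTEMPTS:
            acct.pending_otp_hash = None      # stop online guessing of the code
        raise StepUpRequired("code sent to the existing phone did not match")
    acct.pending_otp_hash = None              # single use
    session.mfa_verified = True
    acct.phone = new_phone
```

A real implementation would also expire the code after a few minutes, notify the old number that the change happened, and apply the same step-up to other recovery paths (email address, saved cards, delivery address), since an attacker blocked from one rebind route will try the next.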

Krebs said a scammer who accessed a Clubcard account could spend a customer’s New World reward dollars – but because a credit card could be tied to an account, they could also spend beyond the rewards balance “and buy $500 worth of beer and wine and get that delivered to any address or click and collect”.

As a New World customer, I placed an order through New World’s app, going beyond my Clubcard rewards dollar balance of $10.73 to place a $19.73 click-and-collect order with the balance charged to my stored credit card without a three-digit security code being requested.


Once logged into the New World Clubcard website, items could also be added to an order – and charged to a saved credit card – without a security code being requested.

Ability to charge but credit card details not visible

While it seems the scammers had the potential ability to charge New World purchases to the credit card associated with a compromised account, they could not see the card number, name, expiry date or three-digit security code.

“We store an encrypted token, not credit card details,” the Foodstuffs spokesman said.

“That allows the credit card to be used in transactions but ensures the card details themselves are not at risk.

“For the customers successfully targeted by the attackers, we deleted the encrypted tokens, ensuring that if the attackers attempted to use their account to order online [once the breach had been discovered], they would not be able to make a payment, thus protecting our customers.”

Change your password

“To restore access and ensure ongoing protection, we are asking affected customers to reset their passwords, choosing a strong and unique passphrase,” the Foodstuffs spokesman said.


“We are closely monitoring for any further malicious activity and working alongside external cybersecurity experts to further reinforce our defences.

“We apologise for the inconvenience. Protecting our customers’ privacy, data and trust is a top priority, and we are taking every step to respond quickly.”

Foodstuffs’ password recommendations

Foodstuffs recommends customers follow the guidelines below when resetting their New World Clubcard password.

CyberCX’s Krebs said he agreed with all the guidelines, including the recommendation to “use at least 12 characters”, but that as of this morning, after receiving Foodstuffs’ warning email, the New World Clubcard app still let him set a less secure six-character password.

  • Use at least 12 characters. Longer passwords are harder to crack.
  • Mix character types. Include uppercase, lowercase, numbers, and at least one of these symbols: !@$%^&*()_+=-{};:'",.<>?|~`
  • Avoid common words and patterns. Don’t use easily guessed words like password, 123456, or qwerty.
  • Don’t use personal information. Avoid names, birthdays or addresses.
  • Use passphrases. Combine unrelated words into a phrase (eg BlueTiger!Drinks7Coffee).
  • Don’t reuse passwords across different accounts.
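The guidelines above are easy to state and slightly harder to enforce well, because the words a spray starts with (“password”, “qwerty”) also turn up disguised as P@ssw0rd or inside a longer string. The checker below is an added example, not Foodstuffs’ code: it applies each rule to a candidate password, undoing common letter-for-symbol substitutions before looking for common words and supplied personal details. The common-password list is a short constructed sample; a real deployment would check against a full breached-password corpus instead.

```python
"""Check a candidate password against the published guidelines.

Added example, not Foodstuffs' code. COMMON_WORDS is a short constructed
sample; a real deployment would query a full breached-password corpus.
"""
import re

MIN_LENGTH = 12
SYMBOLS = "!@$%^&*()_+=-{};:'\",.<>?|~`"

# Constructed sample of the guessable words a spray would start with.
COMMON_WORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "football", "sunshine", "princess", "dragon", "monkey", "abc123",
}

# Undo the usual substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Lowercase, undo leetspeak, and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def has_sequential_run(text: str, length: int = 4) -> bool:
    """True if `length` consecutive characters each ascend by one (abcd, 1234)."""
    t = text.lower()
    for i in range(len(t) - length + 1):
        chunk = t[i:i + length]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
    if not all(classes):
        problems.append("missing a character type (upper, lower, digit, symbol)")

    # Exact match for everything; substring match only for words long enough
    # that a false positive is unlikely.
    low, norm = pw.lower(), normalize(pw)
    hits = [w for w in COMMON_WORDS
            if w in (low, norm) or (len(w) >= 6 and (w in low or w in norm))]
    if hits:
        problems.append(f"contains a common password: {sorted(hits)[0]}")

    for info in personal_info:
        info_low = str(info).lower()
        n_info = normalize(info_low)
        if (len(info_low) >= 4 and info_low in low) or \
           (len(n_info) >= 4 and n_info in norm):
            problems.append(f"contains personal information: {info}")

    if re.search(r"(.)\1{2,}", pw) or has_sequential_run(pw):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ("BlueTiger!Drinks7Coffee", "P@ssw0rd2024!!", "abc123"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Of these rules, the denylist is the one that directly defeats spraying, since the attacker's list and the denylist are drawn from the same breach corpora; the length rule is what would have blocked the six-character passwords the app still accepted.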

Foodstuffs ‘doing the right thing’

A second cyber security expert was more positive in his take on Foodstuffs’ response.

“This is a common form of attack in which passwords have been lost in another breach, or attackers are simply trying to guess common passwords,” Aura Information Security general manager Patrick Sharp said.


“It is not a data breach, and is not caused by a weakness in New World’s systems.”

A password manager, such as LastPass or Bitwarden, is a good way to manage complex passwords on many sites effectively, Sharp said. The latest web browsers also act as password managers, suggesting strong passwords then remembering them for you (as long as you remember your master password to access your “vault” of logons).

“Foodstuffs are doing the right thing communicating proactively about this – they’ve given good detail and great advice,” Sharp said.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
