NCSC: British Retailers Need to Move Beyond Passwords

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, launched two pieces of guidance on September 21, 2022 to help organizations protect themselves and their customers online.

The two guides, respectively called ‘Authentication methods: choosing the right type’ and ‘Removing malicious content to protect your brand,’ are specifically suited to companies with online customer accounts, or who are at risk of being spoofed by criminals seeking to exploit a brand’s reputation.

In the first document, the NCSC advises organizations to move ‘beyond password authentication,’ a method that, however cheap, easy to implement and well understood by users, is vulnerable to attack when used on its own.

The agency then suggests alternative models for authentication, such as two-step verification (2SV), OAuth, FIDO2, magic links and one-time passwords. It also includes a summary of when it is appropriate to apply each method – and when it isn’t – as well as example scenarios. “Although the guidance includes examples from the retail, hospitality and utility sectors, it can be used by any organization that needs to manage online accounts,” adds the document.

The second guide focuses on protecting your brand. It provides step-by-step instructions on how an organization can remove malicious websites that spoof its brand in order to appear legitimate. This can include false representation of products and services, fake endorsements or cyber-criminals using the brand in phishing campaigns.

It also includes new takedown guidance covering how an organization can submit a takedown request, and what it should consider when choosing a takedown provider to submit the request on its behalf.

“Online shopping is bigger than ever and that’s something to be welcomed – but unfortunately it comes with the risk of shoppers’ accounts being exploited. […] Following this guidance will allow businesses to help keep their customers safe online as well as protecting themselves from potentially crippling cyber-attacks,” said Sarah Lyons, NCSC’s deputy director for economy and society resilience.

This guidance is a further step in the UK government’s commitment to driving down the volume of cybercrime, an effort for which it recently launched a nationwide call for information from individuals.