Customers of the UK’s Tesco Bank are likely to have their confidence rattled after it was confirmed that tens of thousands of accounts were raided by hackers this weekend.
The Guardian reports:
Tesco Bank has frozen online transactions after customers were affected by fraudulent activity and pledged to refund those who had money taken from their accounts over the weekend.
Benny Higgins, chief executive of the supermarket chain’s banking arm, said the decision to stop online transactions was an attempt to protect customers. He said 40,000 accounts had been affected, half of which had had money withdrawn in what he described as “online criminal activity”.
If you visit the Tesco Bank website you’ll see a statement to concerned customers from Higgins:
Although Tesco Bank hasn’t shared details of precisely what happened, the scale of the fraud (some 20,000 accounts being plundered) indicates that this wasn’t a conventional attack against individual bank accounts, where victims’ PCs are typically compromised and login credentials stolen.
Instead, the attack’s size suggests that there was a serious security vulnerability in Tesco Bank’s online systems that allowed fraudsters to gain access and move money out of accounts without having to go through all the usual authentication checks.
That’s the nightmare scenario for an online bank, and there will inevitably be customers who are deeply concerned about what has happened – even if the bank has promised to refund anyone who has had money stolen from them over the weekend.
Some victims report that they have had as much as £600 stolen from their Tesco Bank accounts by the hackers over the weekend.
It’s possible that the thieves resisted the urge to completely empty accounts in an attempt to reduce the chances of triggering alerts inside the bank that unusual transactions were taking place. I wonder if the timing of the attack – over the weekend – was also deliberately chosen by the online criminals.
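The point above, that sub-limit withdrawals spread across many accounts can slip past per-account alerting, is illustrated by this added example (it is not from the original post and not Tesco Bank’s own fraud logic): a classic per-account single-transaction rule is run beside a fleet-wide rule over a constructed ledger, and only the fleet-wide rule fires.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger, not real bank data: (time, account, amount_gbp, payee).
# Normal Friday-afternoon activity, followed by a burst of GBP 600 transfers from
# many different accounts in the small hours of Saturday morning.
LEDGER = [
    ("2016-11-04 15:10", "acct-001", 45.00, "energy-co"),
    ("2016-11-04 15:25", "acct-002", 120.00, "landlord"),
    ("2016-11-04 15:40", "acct-003", 600.00, "car-dealer"),
] + [
    (f"2016-11-05 03:{m:02d}", f"acct-{100 + m:03d}", 600.00, f"payee-{m}")
    for m in range(0, 30, 2)  # 15 distinct accounts, one transfer each
]


def per_account_alerts(ledger, single_txn_limit=1000.0):
    """Per-account rule: flag any single debit above the limit.
    Withdrawals kept under the limit, like the GBP 600 ones reported, never trip it."""
    return {acct for _, acct, amount, _ in ledger if amount > single_txn_limit}


def hourly_distinct_accounts(ledger):
    """Count how many distinct accounts debited money in each clock hour."""
    buckets = defaultdict(set)
    for ts, acct, _, _ in ledger:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").strftime("%Y-%m-%d %H:00")
        buckets[hour].add(acct)
    return {hour: len(accts) for hour, accts in buckets.items()}


def fleet_alerts(ledger, baseline_accounts_per_hour=3, multiplier=4):
    """Fleet-wide rule: flag an hour in which far more accounts than the
    (assumed) baseline are moving money at once, whatever each amount is."""
    threshold = baseline_accounts_per_hour * multiplier
    return sorted(h for h, n in hourly_distinct_accounts(ledger).items() if n > threshold)


if __name__ == "__main__":
    print("per-account alerts:", per_account_alerts(LEDGER) or "none")
    print("fleet-wide alerts :", fleet_alerts(LEDGER))
```

The baseline of three active accounts per hour is an assumed figure for the constructed data; a real deployment would derive it from the bank’s own history, per hour of day and day of week.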
Tesco Bank will need to work hard and quickly to rebuild the confidence of its customers, or find some of them choosing to jump ship. The best approach is for the bank to be as transparent as possible about what has occurred – as customers will be demanding answers.
Of course, it may take some time for the bank to confirm precisely how the crooks broke in, and to be certain that it cannot ever happen again.
Meanwhile, we can expect Tesco Bank and the National Crime Agency to be taking a keen interest in where the stolen funds were moved, whether there might have been some assistance from a rogue insider, and whether there is any prospect of either having some of the money returned or identifying the culprits.
Tesco Bank has a message on its home page but not on the login page that many people will no doubt have bookmarked. Also, when I checked earlier today there were plenty of messages on their Twitter pages but nothing I could find on Facebook or LinkedIn pages. Lots of people complaining about Tesco Bank’s attitude, long waits for phone calls to get answered, and clueless call centre staff. Wonder if they had an adequate response plan in place.
When I had a Tesco Bank account, they issued you with a little card reader for verification. You put your debit card in the gadget, entered your PIN, and it displayed a one-time code that you used to log in. My Barclays account still uses this system.
Then Tesco decided to change to using mobile phone verification, where they would send a code to your mobile each time you logged in, and you used that. I closed my account at that point, because I have no cell phone coverage at home in my rural location.
Either of these systems seems resistant to the usual user-based hacking approaches, suggesting a server-level compromise.
It was also Nov 5th, so the criminals may have timed it for the small hours after a national festival when people wouldn't be checking their online bank accounts.
As Tesco used to be a joint venture with RBS, I expect that Tesco still uses RBS’s infrastructure, and we know that RBS infrastructure has had major issues in the recent past. It would also be interesting to know how much of this infrastructure is outsourced to other countries.
Tesco Bank now uses an off-the-shelf American “bank in a box”; the website is probably not from the same source.
Last November (2015) Tesco Bank was crowing that it had adopted AWS cloud as 'business as usual' in eight months.
Looks like a MITM attack since they do not enforce HSTS Preloading.