"I strongly suspect that the (Tesco) Clubcard system has been breached"
That's a pretty big claim to just throw in there. Is there any more information on that?
A former techie at the UK's Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket. Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank. The …
If your starting point is systems are inherently insecure, then unless you can prove otherwise (think about it) it's a valid assertion.
So the focus should be on ensuring data breaches can't be of use to hackers. Encryption at rest seems a good start.
Otherwise you are just aping the moronic HMG "can't happen here" stance. Which is scary.
A pertinent thing to consider is that most large retailers / manufacturers need to maintain a competitive price and a margin, so they have adopted / bastardised the old "Minimum Viable Product" from developers to their own ends.
We see this with the "Internet of Things". Want an internet-enabled kettle? OK, no problem. Should we put security on it? Well, yeah, of course it will be more expensive... OK then, to keep the price point down, we won't do anything on security!
Businesses are under extreme pressure to keep costs down, and a re-architecture of your systems when you are the size of Tesco is hundreds of millions if not billions. So yeah, they aren't gonna do it solely for "Security"; it has to have all the other priorities like reducing costs, efficiency etc.
It is absolutely no secret that major retailers have massive issues with legacy systems, and just keeping the "lights on" is a major challenge, and they haven't got the will or desire to change. So if we have a "Minimum Viable Product", keep it going, and minimise the investment to maintain margin.
I don't suppose it's possible at all, let alone probable, that any of these "Legacy" systems are pretty much fit for purpose and working just fine, except they're maybe written in (say) COBOL, sometimes might even use a CODASYL-style database, and worse still might not even run on Windows/x86? And that what they need isn't a complete rewrite but a bit of intelligence and a lot of glue code to integrate them into this week's fashionable "modern" stuff?
Sure is a good thing that Tesco's bank app won't run on phones with Tor installed. That certainly stopped the bad guys. Kind of like the old joke about looking for one's lost wallet under a street light because the light is better, rather than looking for it over where one lost it.
"We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."
http://www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709
"Three unspecified sources told The Times that while most banks updated their systems; Tesco Bank allegedly ignored the warning, leaving its systems vulnerable to cyberattacks. In the event that the probe finds any evidence of the bank having ignored warnings, Tesco Bank could face penalties as well as potential backlash from its customers."
Arguably it's a much wider problem than just Tesco. If it was card-not-present fraud, as I suspect, then it's really showing how insecure it is to use your card online. Many merchants / acquirers / issuers are not enforcing validation of anything beyond the card PAN and CVV; you don't even need the name of the cardholder in many cases to use the card fraudulently online. EMV has sorted out much of the card-present fraud by making card skimming very hard/impossible, and even the 'Merkins have seen the light and moved to EMV. But that has made card-not-present the chink in the armour, with the only suggested means of defence being the awful 3-D Secure (e.g. Verified by VISA, etc.) which merchants dislike due to the amount of checkout abandonment. The Tesco Bank situation just appears to be about someone getting en masse access to their complete list of debit card PAN and CVV data, but the actual exploitation of that data could just as easily affect any card issuer.
An awful lot of speculation and the true cause will probably never reach the public.
In particular of note is the linked National Cyber Security Centre memo from 7th November.
Given the investigation thus far and the evidence at hand, the National Cyber Security Centre is unaware of any wider threat to the UK banking sector connected with this incident.
You may find that the position regarding other banks may have changed since 7th November and while not directly a security failing there is an underlying weakness in the convenience of the way the world now banks.
Most of it is there in the article.
Tesco Bank was originally run by RBS for Tesco. Therefore if the vulnerability was in the banking system it's likely that RBS would also be affected because the most likely transfer of operations from RBS to Tesco would be reproduction of the RBS systems at Tesco. The fact that some ex-RBS people are involved suggests that this is probably true.
The NCSC says it doesn't affect wider UK banking i.e. there's a low chance that the problem is common to Tesco and RBS. Therefore it is something that Tesco has done that has introduced the problem. Connecting a banking system to any other system is risky, the staffer says it was connected to Clubcard. That would be a stupid thing to do. We don't know which other Tesco systems are connected but it's reasonable to suggest that retail systems will not be secured to the same standard as banking systems.
The staffer also says there's no protective monitoring for the Tesco systems. That's downright irresponsible but typical of low-margin retail which would not like to pay the high day rates for SOC analysts who know their stuff.
This is back to "I told you so" territory because any halfway decent Security Architect could have told them that connections to non-banking systems are a bad idea and that skimping on monitoring is a *really* bad idea.
"Therefore it is something that Tesco has done that has introduced the problem."
* Tesco Bank ignored a warning about a security flaw from Visa a year ago regarding POS entry code 91 fraud (Contactless, using magnetic-stripe data rules). Europol repeated this warning in September.
* Tesco Bank allows contactless transactions in foreign currencies which do not have the £30 UK limit (other major banks do not allow contactless transactions in foreign currencies).
* Tesco Bank fraud prevention system did not detect a brute-force attack against debit card numbers, expiry dates, and dCVV (Dynamic Card Verification Value) of the contactless interface.
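The third point above, that a brute-force against card numbers, expiry dates and dCVV values went undetected, is the kind of thing a simple velocity rule catches. The following is an added example, not Tesco Bank's or any card scheme's real fraud engine: it runs two constructed rules over simulated authorisation attempts (fake tokenised PANs, invented merchant IDs, assumed thresholds) and flags a single card being walked through many expiry dates, and a single merchant spraying declined attempts across many cards.

```python
"""Velocity rules for spotting a brute-force against card expiry / dCVV.

Constructed example. The AuthAttempt rows, PAN tokens, merchant IDs and the
thresholds below are all assumptions made for illustration, not values taken
from any real issuer or scheme.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int          # seconds since epoch (constructed)
    pan: str         # tokenised PAN, never the real card number
    expiry: str      # MMYY as presented by the terminal
    cvv: str         # CVV / dCVV as presented by the terminal
    merchant: str    # acquirer merchant ID
    approved: bool   # issuer's verdict on this attempt


# Assumed thresholds a fraud team would tune; not scheme rules.
WINDOW_SECONDS = 600
MAX_DISTINCT_EXPIRY_PER_PAN = 3       # a genuine cardholder has exactly one expiry date
MAX_DECLINED_PANS_PER_MERCHANT = 20   # one merchant declining on many cards = enumeration


class EnumerationDetector:
    def __init__(self):
        self._per_pan = defaultdict(deque)       # pan -> deque[(ts, expiry, cvv)]
        self._per_merchant = defaultdict(deque)  # merchant -> deque[(ts, pan)]

    @staticmethod
    def _trim(window, now):
        # Drop events that have fallen out of the sliding window.
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()

    def observe(self, a: AuthAttempt):
        """Feed one attempt; returns the alert names it raises (empty list if none)."""
        alerts = []

        pan_q = self._per_pan[a.pan]
        pan_q.append((a.ts, a.expiry, a.cvv))
        self._trim(pan_q, a.ts)
        distinct_expiry = {expiry for _, expiry, _ in pan_q}
        if len(distinct_expiry) > MAX_DISTINCT_EXPIRY_PER_PAN:
            alerts.append("expiry_enumeration")

        if not a.approved:
            m_q = self._per_merchant[a.merchant]
            m_q.append((a.ts, a.pan))
            self._trim(m_q, a.ts)
            if len({pan for _, pan in m_q}) > MAX_DECLINED_PANS_PER_MERCHANT:
                alerts.append("pan_spray")

        return alerts


def scan(attempts):
    """Run the detector over a batch and return sorted (alert, key) pairs."""
    det = EnumerationDetector()
    found = set()
    for a in sorted(attempts, key=lambda x: x.ts):
        for kind in det.observe(a):
            key = a.pan if kind == "expiry_enumeration" else a.merchant
            found.add((kind, key))
    return sorted(found)


def sample_attempts():
    """Constructed traffic: one walked card, one spraying merchant, one honest shopper."""
    rows = []
    # Attacker walking expiry dates on one card at merchant M-BAD; every attempt declined.
    for i in range(5):
        rows.append(AuthAttempt(1000 + i * 10, "tok_1111", f"{i + 1:02d}17", "123", "M-BAD", False))
    # The same merchant later spraying one guess each across many other cards.
    for i in range(25):
        rows.append(AuthAttempt(2000 + i, f"tok_{3000 + i}", "0119", "000", "M-BAD", False))
    # A normal cardholder buying coffee twice.
    rows.append(AuthAttempt(1500, "tok_2222", "0819", "456", "M-COFFEE", True))
    rows.append(AuthAttempt(1600, "tok_2222", "0819", "456", "M-COFFEE", True))
    return rows


if __name__ == "__main__":
    for alert, key in scan(sample_attempts()):
        print(f"{alert}: {key}")
```

Both rules key on fields the issuer already sees in every authorisation request, so they need no new data feeds; the point of the post above is that nothing of this sort was apparently running at all.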
"(other major banks do not allow contactless transactions in foreign currencies)"
Blatantly untrue. In fact, Halifax (at least, quite probably others) are beholden to the contactless payment limit of whatever country they're being used in. In my case, I was regularly using contactless without issue up to the Canadian limit of $100 (~£60).
Unless you mean contactless foreign currency transactions *inside* the UK. Even Eurostar doesn't take euros at St. Pancras (annoyingly), and buying forex still counts as a GBP transaction.
"Blatantly untrue. In fact, Halifax (at least, quite probably others) are beholden to the contactless payment limit of whatever country they're being used in."
Maybe this has changed recently in response to the Tesco Bank hack...
https://www.halifax.co.uk/bankaccounts/debit-cards/contactless/Default.asp#Can-I-use-my-contactless-card-overseas
"[+] Common Enquiries
12. Can I use my contactless card overseas?
Although you can use your Halifax Visa debit card abroad, you can only use contactless for purchases in the UK at the moment."
Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US.
"Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."
This is not correct.
http://blog.imaginecurve.com/curve-explains-the-difference-between-online-and-offline-transactions/
"When you make a Contactless payment, because the cap is at £30, the merchant doesn’t have to be ‘online’ to process it there and then. They can choose to do it later that day, or even the following day in a big batch - which is what Transport for London does. They even go one step further and process next working day, so you could see a payment made on Saturday appear in your transaction list on Monday. In contrast, Chip & Pin payments are always online, and are processed there and then."
https://en.wikipedia.org/wiki/Contactless_payment
"The UK (and the rest of the world) version of the contactless applications differ from the U.S. one. The UK version has the capability of transacting offline, based on the limit stored in the application."
Which leads to a situation where contactless fraud can continue for months, even after the card has been reported as stolen:
http://www.moneysavingexpert.com/news/cards/2016/09/card-lost-or-stolen-beware---you-could-be-the-victim-of-contactless-fraud-months-after-youve-cancelled-it
https://www.theguardian.com/money/2015/dec/19/contactless-payments-card-fraud-after-cancellation-bank-account
"Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."
Contactless cards fail to recognise foreign currency - 1 November 2014
http://www.ncl.ac.uk/press/news/legacy/2014/11/contactlesscardsfailtorecogniseforeigncurrency.html
"A flaw in Visa’s contactless credit cards means they will approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.
New research by experts at Newcastle University, UK, has highlighted a ‘glitch’ in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.
Side-stepping the £20 contactless limit, transactions can be carried out while the card is still in the victim’s pocket or bag. Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same."
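The two quoted behaviours above (the Curve explanation that contactless under the limit is approved offline and batched later, and the Newcastle finding that the limit check did not apply in a foreign currency) can be put side by side in a small model. This is an added illustration, not Visa's, the Newcastle team's, or any issuer's real EMV logic: the card application, terminal, issuer hotlist and the flawed and corrected decision functions are all constructed here, and the currency codes are ISO 4217 numerics. It also shows why a card on the issuer's lost/stolen list keeps working under the limit, as the MoneySavingExpert and Guardian links describe.

```python
"""Constructed model of an offline contactless approval decision.

Added example. Models (a) an offline limit stored in the card application,
(b) a limit check that only runs in the card's own currency, as the quoted
Newcastle research describes, and (c) the fact that an offline approval never
consults the issuer, so a hotlisted card is not stopped until the batch arrives.
None of this is real scheme or applet code.
"""
from dataclasses import dataclass, field

GBP, USD = "826", "840"   # ISO 4217 numeric codes


@dataclass
class CardApp:
    offline_limit_minor: int     # e.g. 3000 == GBP 30.00, stored in the application
    currency: str = GBP


@dataclass
class Terminal:
    offline_only: bool           # True for e.g. a transit gate that batches later


@dataclass
class Issuer:
    hotlist: set = field(default_factory=set)   # PANs reported lost or stolen

    def authorise(self, pan, amount_minor, currency):
        # Only reached on the online path.
        return pan not in self.hotlist


def offline_decision_flawed(card, amount_minor, currency):
    # Limit check only fires when the request currency equals the card's own
    # currency, so any other currency is approved offline regardless of amount.
    if currency == card.currency and amount_minor > card.offline_limit_minor:
        return "ONLINE"
    return "APPROVE_OFFLINE"


def offline_decision_fixed(card, amount_minor, currency):
    # Any foreign-currency request, or any amount over the limit, must go online.
    if currency != card.currency or amount_minor > card.offline_limit_minor:
        return "ONLINE"
    return "APPROVE_OFFLINE"


def transact(decide, card, terminal, issuer, pan, amount_minor, currency):
    """Outcome of one tap given a particular card-side decision function."""
    if decide(card, amount_minor, currency) == "APPROVE_OFFLINE":
        return "APPROVED_OFFLINE"       # issuer learns of it in a later batch
    if terminal.offline_only:
        return "DECLINED_OFFLINE"       # terminal cannot go online at all
    if issuer.authorise(pan, amount_minor, currency):
        return "APPROVED_ONLINE"
    return "DECLINED_ONLINE"


def demo():
    """Four taps on a card that the issuer has already hotlisted."""
    card = CardApp(offline_limit_minor=3000)
    gate = Terminal(offline_only=True)
    shop = Terminal(offline_only=False)
    issuer = Issuer(hotlist={"tok_stolen"})
    pan = "tok_stolen"
    return {
        # GBP over the limit goes online, where the hotlist declines it.
        "gbp_over_limit_flawed": transact(offline_decision_flawed, card, shop, issuer, pan, 5000, GBP),
        # 999,999.99 USD sails through offline under the flawed check.
        "usd_huge_flawed": transact(offline_decision_flawed, card, shop, issuer, pan, 99_999_999, USD),
        # The corrected check forces it online and the hotlist catches it.
        "usd_huge_fixed": transact(offline_decision_fixed, card, shop, issuer, pan, 99_999_999, USD),
        # Under the limit even the fixed logic never asks the issuer, so the
        # stolen card still works at an offline gate until the batch is processed.
        "gbp_under_limit_fixed": transact(offline_decision_fixed, card, gate, issuer, pan, 250, GBP),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last case is the one the "months after cancellation" links turn on: fixing the currency check closes the unlimited-amount path, but nothing short of the issuer being in the loop stops a sub-limit offline tap.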
Link your TESCO Bank Debit card to your TESCO Club Card and receive 500 points!!!!!!!!!!
No need to scan your TESCO Club Card when you pay with your TESCO Bank Debit Card.
So much more convenient for you, our precious customer and FREE POINTS into the bargain.
Go on, you know it makes sense
TESCO Every little helps.
Sorry AC what was that you were saying?
Ha ha ha ha.
What the fuck does any of that prove other than you expect people to believe you because you wrote a few words on a forum on the arse end of the Internet.
It's true because you say it's true.
Ha ha ha.
You should get out of technology and into religion or politics.
It's more suited to your skillset.
<massive speculation alert>
Maybe using the same purchase tracking system so they can "understand their customers better"?
It doesn't even need to be that system which was compromised, as soon as you start linking lots of IT systems between companies or company divisions, someone's bound to have some communication system with a flaw in it.
You've used a vpn? That's nice, now my attack is encrypted...
" ... and there are much bigger and better targets if a gang has access to relevant zero-days."
Odd how this argument is vehemently rejected by one and all as a contributing factor as to the relatively low rates of infection of Apple and Linux-based kit vs the hated MS, yet is floated as a Keep Calm and Carry On edict when it comes to a bank.
Former Tesco Employee Blames Tesco for the Breach at Tesco bank.
No Proof of any kind. Just their speculation why.
Apparently we have to take it as fact, because, and get this, because they say so.
It's fucking parody at this point.
The whole MSM are so full of shit it's absolutely untrue.
If they're going to ban Fake News from Facebook, then might as well ban every single Mainstream Newspaper, and every single website going.
Register a Tesco account with an email address containing a plus sign. All other Tesco sites work, but the Clubcard one will burn in flames - unless you find your way to "Beta" through Tesco Direct.
I spent way too much time with Clubcard customer support to convince them to at least tell the development team (in Bangladesh most likely) to have a look. At one point they decided to delete my account altogether. But they didn't tick the box for "also delete clubcard account", so upon re-registration the system insisted that my card was already registered while, at the same time, telling me it didn't know anything about it. It was Schrödinger's Clubcard account for real.
Emails with plus addresses seem to be the benchmark of code quality when you don't know anything about the code. If they don't URL-encode that correctly then it's likely they have other problems in their codebase too.
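The plus-address failure described above usually comes down to one thing: in `application/x-www-form-urlencoded` data a literal `+` means a space, so an address dropped into a query string without encoding arrives at the server with the `+` gone. The following is an added example, not Tesco's code: the hostname `clubcard.example` and the `/verify` endpoint are made up, and the "server" is just Python's own query-string parser.

```python
"""Why a '+' in an e-mail address breaks naive URL building.

Added illustration, not code from the site discussed. The host, path and
addresses are invented; the decoding side is the standard-library parser that
any framework applies to a query string.
"""
from urllib.parse import parse_qs, quote

BASE = "https://clubcard.example/verify?email="   # hypothetical endpoint


def build_link_naive(email):
    # Bug: the address is interpolated untouched, so '+' will be decoded as a space.
    return BASE + email


def build_link_correct(email):
    # quote() with safe="" percent-encodes '+' as %2B and '@' as %40.
    return BASE + quote(email, safe="")


def server_reads_email(url):
    """What a server-side handler sees after standard query-string decoding."""
    query = url.split("?", 1)[1]
    return parse_qs(query)["email"][0]


def roundtrip(email):
    """Compare what the server receives for the naive and the correct link."""
    return {
        "naive": server_reads_email(build_link_naive(email)),
        "correct": server_reads_email(build_link_correct(email)),
    }


def matches_registered(submitted, registered):
    # A lookup keyed on the decoded address fails for the naive link, which is
    # the "card already registered / card unknown" contradiction described above.
    return submitted == registered


if __name__ == "__main__":
    for addr in ("alice+clubcard@example.com", "bob@example.com"):
        seen = roundtrip(addr)
        print(addr, "->", seen, "naive lookup ok:", matches_registered(seen["naive"], addr))
```

The plain address round-trips either way, which is why the bug survives testing; only addresses containing `+` (or any other reserved character) reveal that the encoding step is missing.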
Having worked in IT for a major UK retailer, nothing in this article surprises me at all. With margins paper thin and a bevy of programme managers ready to throw architects to the wolves for 'over-engineering' if they even mention doing some design, things can be in a pretty bad state.
That's before you even get into the issues caused by the IT department not even having anything to do with some of the major systems and being seen by the commercial departments as just the guys who keep the networks and tills running. E-commerce, customer, back-end and logistics systems being run by completely different departments, all of them making their own independent purchasing decisions with no integrations beyond some batch files flying around or manual data movement via Excel? Business as usual.
You'll also find a heady mix of senior IT staff who've 'come up through the business' literally from the shop floor and have never worked anywhere else. They've never seen IT done right and have no technical or design training. It's Dunning-Kruger in full (in)effect.
Never trust your sensitive data with a major high-street retailer.