back to article Tesco Bank limits online transactions after fraud hits thousands

Tesco Bank has restricted the operations of current accounts after funds were looted from a reported 20,000 accounts. The UK bank has confirmed a fraudulent attack, which is under investigation. In the meantime it has suspended online transactions from current accounts, including contactless transactions. Customer can still …

  1. Captain Badmouth

    Headers check

    The security check website https://securityheaders.io/ gives an F for fail on the tesco bank login site https://www.tescobank.com/sss/auth#.

    I suppose this is because the site is not active atm?

    1. Slabfondler

      Re: Headers check

      That page is certainly alive, though login may not be active. Still one would think the headers would be set normally, and they look pretty bad.

    2. Anonymous Coward
      Anonymous Coward

      Re: Headers check

      Probably the same underlying cause as most other large web security disaster areas: Something Open Source having a big fat security hole...

      1. Harry the Bastard

        Re: Headers check

        first rule of the interweb

        though shalt not blame open source for anything

      2. TechnicalBen Silver badge
        Facepalm

        Re: Open source to blame?

        Yes, because the design of roads being publicly open and free to everyone, means all the roads get used by criminals...

        ... now if only we had kept the design for roads and cars proprietary we would have stopped all bank and store robberies...

        1. Anonymous Coward
          Anonymous Coward

          Re: Open source to blame?

          "now if only we had kept the design for roads and cars proprietary"

          Or at least if the design included basic security features like door locks that worked...

    3. Alan Brown Silver badge

      Re: Headers check

      HSBC also get an F

      It'd be interesting to post a list.

  2. Andy Non
    Coat

    The fraudster was interviewed and is quoted as saying:

    "Every little helps."

    1. Joe Harrison

      Re: The fraudster was interviewed and is quoted as saying:

      A thread about it has been started by Tesco employees at www.verylittlehelps.com

    2. Green Nigel 42

      Re: The fraudster was interviewed and is quoted as saying:

      And the apology from Tesco shows (E)very little helps!

  3. Captain Badmouth

    Tesco bank headers missing

    Missing Headers

    Strict-Transport-Security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubdomains".

    Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

    Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.

    X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".

    X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".

    X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".

    A downvote for some reason. I see HSBC gets an F too.

    1. Valeyard

      Re: Tesco bank headers missing

      looks like the usual nikto output

    2. Ben Tasker Silver badge

      Re: Tesco bank headers missing

      When I last looked they all did a pretty poor job of using the tools/techniques available. Granted I was looking at their apps, but the situation looked more or less the same for their online banking login pages.

      Iornically enough, Tesco bank's holier-than-thou stance on security in one area was what prompted me to have a quick gander

      1. Captain Badmouth

        Re: Tesco bank headers missing

        Very interesting Ben.

      2. steeple

        Re: Tesco bank headers missing

        Interesting tests, Ben. My immediate response was that the Barclay's app gets a bonus star for not working at all... no? I realise this makes it harder to test the other controls but I would never usually trust an app on a rooted device as I would assume sandbox/walled garden integrity is compromised anyway.

        1. Gene Cash Silver badge

          Re: Tesco bank headers missing

          an app on a rooted device

          But how do you really know the device is not rooted? There are many toolkits out now for fooling these checks. They allow one to run the pokemon game, Android Pay, and yes, banking apps on a rooted device.

        2. Ben Tasker Silver badge

          Re: Tesco bank headers missing

          > My immediate response was that the Barclay's app gets a bonus star for not working at all... no?

          I did think about that, but decided against. It's more than possible the failure to run was something I did (or didn't) think of, so probably shouldn't give them an additional point (which might be misleading) just in case the app is actually swiss cheese in reality. Given the much wider range of permissions their app asks for, I figured it was better to err on the side of caution

        3. Ian Emery Silver badge

          Re: Tesco bank headers missing

          I have no issues with the Barclays mobile app on several mobiles; perhaps you arent holding yours in the correct way.

          As for Tesco, their IT system is such an omnishambles, I wont even have a loyalty card for fear of my details getting leaked.

    3. Joe Harrison

      Re: Tesco bank headers missing

      The trouble with all this SSL mumbo-jumbo is that it just makes things more likely to break. Foillowing Globalsign's accidental revocation problems I still can't get to many sites for example wikipedia - certificate pinning won't let me click "yes I understand this certificate is technically invalid but I will take the risk".

    4. Anonymous Coward
      Anonymous Coward

      Re: Tesco bank headers missing

      Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.

      You better make damn' sure you get this right, first time, and have good, bullet-proof processes for updating your cert chain if you do this.

      Unless you fancy locking out The Internet from accessing your site.

    5. patrickstar

      Re: Tesco bank headers missing

      I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...

      Or that any missing headers in a web server response ever resulted in something similar.

      1. Ben Tasker Silver badge

        Re: Tesco bank headers missing

        > I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...

        Agreed. It's much more likely that someone gained access to their internal systems (whether that's an internal job or otherwise)

        >Or that any missing headers in a web server response ever resulted in something similar.

        On this scale? Probably not.

        It's certainly feasible on a smaller scale though. Cert authorities have been compromised in the past, and likely will be again. The authentication method LetsEncrypt uses when requesting a cert is known to be vulnerable to DNS poisoning, so there's a potential avenue to obtaining a trusted-but-fraudulent certificate there too.

        What's the defence against an incorrectly issued, publicly trusted certificate?

        Certificate pinning. Which none of the buggers is using. As mentioned earlier in the thread, configuring it isn't without it's risks, but it's just a case of needing careful management.

        Incidentally, that LetsEncrypt issue I mentioned, can be mitigated by DNSSEC, which, again, none of the buggers is using.

        Given that banks are "trusted" to hold our money, you'd think the bar would be somewhat higher for what they consider the bare minimum.

        Personally, I think it'd be better if browsers got their act together and implemented support for DANE, but that's a whole other topic (and would require the banks to set up DNSSEC in any case).

      2. Alan Brown Silver badge

        Re: Tesco bank headers missing

        "I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away..."

        No, but they do point to a lack of care and attention - which is what enabled the events to occur.

        1. patrickstar

          Re: Tesco bank headers missing

          Cert pinning isn't even possible with all setups. Like if you have a (gasp!) proper setup with the certs not existing outside HSMs, possibly acting as SSL accelerators in front of the actual web servers. If you have more than one of those and are actually trying to keep your SSL certs from growing legs and walking away by keeping them in the HSMs which generated them, then you might very well end up with the same web server being presented with different, but equally valid, SSL certs.

  4. Mike 125

    Is this different?

    Is this different in nature from what has gone before? This is a mass random ability to extract cash from a huge number of accounts. This is not some jerk clicking on a dodgy email. Is it a zero day on the 2 factor authentication system? Are all the affected accounts accessed by mobile?

    The frustrating thing is that we will never be told the detail. Whistleblowers blow, stop sucking.

    1. This post has been deleted by its author

    2. Brewster's Angle Grinder Silver badge
      Joke

      Re: Is this different?

      I think it will turn out to be zero-factor authentication causing a 2-day outage.

    3. Les Matthew

      Re: Is this different?

      Don't know if this is connected but EE is offline at this time.

    4. katrinab Silver badge

      Re: Is this different?

      A lot of the accounts are people who put £3000 in to get the 3% interest and don't use it as their main account. They say that they've never used the debit card, and I would imagine they don't use the mobile app for something they are using as a long-term savings account.

  5. Warm Braw Silver badge

    Tesco have set a trend...

    Virgin money has been having trouble this morning and Newcastle Building Society are still offline as far as I can tell, intermittently saying the site is undergoing maintenance but mostly just spinning the cursor. It could, of course, simply be that everyone is logging in to check their money is still there...

    1. dgncl

      Re: Tesco have set a trend...

      NBS is fine, just logged in ok.

      1. Warm Braw Silver badge

        Re: Tesco have set a trend...

        It does seem to be back up and running

  6. Stratman
    Coat

    Tesco bank accounts...

    ...can now be found in the frozen aisle.

    1. monty75

      Re: Tesco bank accounts...

      Unexpected item in the banking area

      1. Commswonk Silver badge
        Thumb Up

        Re: Tesco bank accounts...

        Worth logging in just to upvote the previous two posts.

        Edit; why on earth has someone downvoted one of them?

        1. horse of a different color

          Re: Tesco bank accounts...

          Unexpected downvote in the comment area?

        2. Captain Scarlet Silver badge

          Re: Tesco bank accounts...

          Possible some Tesco Bank users do not find it funny, I must admit if I was a customer I wouldn't find it funny.

          1. TechnicalBen Silver badge
            Trollface

            Re: Tesco bank accounts...

            You wouldn't find being a customer funny?

            1. Captain Scarlet Silver badge

              Re: Tesco bank accounts...

              Why do account holders get to throw cream pies at the staff?

      2. Anonymous Coward
        Anonymous Coward

        Re: Tesco bank accounts...

        Credentials spillage in Aisle 3.

  7. TRT Silver badge

    Value banking...

    Should have got a Finest account.

  8. Captain Badmouth

    In the interests of balance

    I am looking at all the bank sites :

    Lloyds bank gets an E.

    Barclays - something went wrong.

    Halifax gets an E.

    Nationwide gets an E.

    1. Dan 55 Silver badge

      Re: In the interests of balance

      Odd how Nationwide's main website seems to do nearly everything properly yet the online banking part doesn't.

      1. Captain Badmouth

        Re: In the interests of balance

        That's because it's http and not https I would have thought.

        1. Dan 55 Silver badge

          Re: In the interests of balance

          Most of those headers are still applicable for HTTPS though.

  9. Geoff Campbell
    Facepalm

    Oops...

    I notice that Tesco Bank announced a couple of months back that 250 jobs were being moved from Edinburgh to Glasgow.

    Disgruntled employee, perhaps?

    GJC

    1. Stuart 22

      Re: Oops...

      If its an inside job - then the Tesco Bank software was developed (and supported?) here: http://www.tescobengaluru.com/

      1. Sir Runcible Spoon Silver badge

        Re: Oops...

        I know how that Bank was thrown together at the start. I'm only surprised something major took this long to occur.

        1. Walter Bishop Silver badge
          Linux

          Re: Oops...

          "I know how that Bank was thrown together at the start. I'm only surprised something major took this long to occur."

          How was it put together, give details.

          1. Sir Runcible Spoon Silver badge

            Re: Oops...

            "How was it put together, give details."

            Well, to start with it was mostly done in 6 months, that should tell you plenty.

    2. Anonymous Coward
      Anonymous Coward

      Re: Oops...

      "250 jobs were being moved"

      I hate companies that outsource support to 3rd world countries where the locals speak English with horrible accents....

  10. 0laf Silver badge

    Corners cut?

    Mate of mine works at a major bank who lost many staff to Tesco when they started up. Former workmates of his described Tesco Bank to him as being the "wild west"

    1. Sir Runcible Spoon Silver badge

      Re: Corners cut?

      Tesco & Tesco Bank have pots of money, but they are seriously shy with their money. Penny pinchers.

      1. Doctor Syntax Silver badge

        Re: Corners cut?

        "Tesco & Tesco Bank have pots of money"

        Rather less these days that the stock market was hoping for. I believe they still have pots of honey.

    2. This post has been deleted by its author

  11. Dr Who

    This is really bad

    The options surely are :

    - a failure in the two factor authentication

    - a web app vulnerability that allows the bypassing of some or all of the authentication process.

    What else could this be? Even if somebody has my "Something I know" they still haven't got my "Something I have " unless they nicked it. It's a bit unlikely that the attacker had nicked the "something I have" fom 20,000 people.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is really bad

      Or they accessed the iSeries from the inside.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is really bad

        Nothing a quick pwrdwnsys restart(*no) wouldn't sort.

        Or like a newbie with *allobj access I knew once did a chgobjauth all(*no) type command for every object on the box... authority lookup went through the roof until it fell over :)

    2. Anonymous Coward
      Anonymous Coward

      Re: This is really bad

      Someone worked out how to drop a BACS type payment list into the middle of the system? No user account hacking required.

      1. katrinab Silver badge

        Re: This is really bad

        The reports are of debit card transactions in Brazil, so more likely they got the details to clone a load of cards.

    3. Anonymous Coward
      Anonymous Coward

      Re: This is really bad

      If I was to hazard a guess I would go for the mobile app.

      It runs on rooted devices.

      It allows "Balance Peek" without entering a pin code. Not sure how this works in the Android ecosystem, if you don't authenticate within an app does this exclude you from the secure parts of Android?

      If you reverse engineer the app with Apktool what do you get? Not something I would try due to the obvious legal implications.

      When you consider Tesco's reaction then this is not some run of the mill hack. I can understand online restriction but to suspend contactless is an indication that not only do they have access to accounts but they also have access to a lot more information and are able to use that information. Does this mean their NFC keys are compromised?

      1. Seajay#

        Re: This is really bad

        I don't get why people think that running on rooted devices is such a security hole. Browsers run on rooted devices. Almost all home windows PCs are running as root. Why is that ok but running the app on a rooted phone not?

        And it can't be the cause of this fraud because security holes in the app are only relevant for people who

        a) have the app installed and

        b) have specific tesco-robbing malware on their phone.

        People who set the account up some time ago and aren't routinely using it are reporting losses , so a) doesn't apply and the speed and scale of this suggests that if b) is true it is extremely well coordinated.

  12. RainForestGuppy

    A sophisticated and determined attack.....

    ...is what it'll say in the press removing release to make it look like Tesco are a victim.

    I've worked in security in a number of large retailers (including some with a finance/bank arm), most staff including customer service staff, have far too much access to customer data. I've had to handle a couple of cases where customers have had money removed from bank accounts and most of the time its CS staff who capture the data and then sell it on, if you're on minimum wage, selling a couple of hundred customer account details might be worth the risk. However if it only affects a few customer the banks have tended to refund the money, give a little financial compensation and hush the whole thing up.

    Now add to the fact that in August Tesco announced they were closing some offices in Edinburgh moving the roles to their Edinburgh HQ building and moving 250 customer support roles from Edinburgh to Glasgow and Newcastle.

    So you now have a number large number of staff who may have been told to relocate or be put 'at risk'.

    Very likely to be inside job.

    1. Mark 110

      Re: A sophisticated and determined attack.....

      I agree its potentially an inside job.

      However almost all banks I have used or worked with require card and card reader to set up a new beneficiary or verification via email. Even if customer PAN/PCI data had been stolen there shouldn't be an easy way to set up a new beneficiary on 1000s of accounts from the outside. Customer security authentication data is also normally encrypted and impossible to access by staff and changes are normally by emailing an OTP to customer so that the employees should never know the security.

      Customers security wasn't changed in this case as customers were stilll logging in to check their balances.

      Either:

      a. Rogue employee added the new beneficiary direct to the accounts on the mainframe and found a way to make payments to those beneficiaries

      b. External party hacked in and did it

      I hope we are told the attack vector so we can protect ourselves and our employers/clients in the future.

      1. Mark 110

        Re: A sophisticated and determined attack.....

        As per comments further down from people that were more awake than me this morning this looks like Card Not Present fraud. I wonder where they got the card data.

      2. Ian Emery Silver badge

        Re: A sophisticated and determined attack.....

        At least one guy on a forum I visit claimed he had never used his card other than at an ATM, so chip and pin machine based online fraud seems out.

        With the companies reputation for stinginess, any bets compensation will be paid as Tesco ClubCard points??

  13. Steve Graham

    Tesco's shopping accounts were notorious for NOT one-way encrypting passwords.

    I don't know how the banking site works, but, given a breach in the shopping site, if a customer had unwisely used the same credentials, could an attacker gain access?

    1. Bananimal

      No, completely different security. Has Username, Password and PIN, and also requires a one time access code to be sent via SMS if on a computer they don't recognise (javascript cookie).

      1. Sir Runcible Spoon Silver badge

        Tesco and Tesco Bank are also effectively separate organisations.

        1. Anonymous Coward
          Anonymous Coward

          Tesco and Tesco Bank are also effectively separate organisations.

          I think you'll find that they have the same shareholders and the same ultimate controlling board. I'd also guess that the corporate culture of the dominant retail business will be replicated in the banking arm.

    2. Dan 55 Silver badge

      Tesco Bank also held passwords in plaintext and e-mailed them back to you. Security's improved since 2014 but obviously not enough.

      1. Bananimal

        Except all the examples used in that article are from Tesco, including the tweet, not Tesco Bank which uses a completely different security model. Pretty basic oversight by the author.

        And Tesco Bank have never used email as a channel for online banking security either. Another basic oversight.

        There is another tweet where a customer claims the bank emailed him his password, turns out in that instance the customer used their password as their security word for Bank communications I.e. the word that will be included in electronic correspondence to identify it is from the bank. Although I believe they only do that on the credit card side if things.

  14. FuzzyWuzzys
    Happy

    Tesco Loan

    I have 18 months left on a 5 year loan, I wish they'd zero'd the balance on that, I could do with some extra pocket money for Xmas!

  15. Anonymous Coward
    Anonymous Coward

    Tesco Value Banking...

    I guess you get what you pay for.

  16. This post has been deleted by its author

  17. Anonymous Coward
    Anonymous Coward

    Currently unable to view transactions online.

    That's useful if I want to check if any money has gone.

  18. Anonymous Coward
    Anonymous Coward

    Would somone please think of the Sysadms

    Breaking 2FA or insider job? Not likely. Spear fishing attack to someone who has the (in)appropriate access and from there the world was their oyster as they hop from system to system exploiting zero dayers or simple lack of controls.

    Stay strong Tesco Sysadms we are all rooting (no pun intended) for you.

  19. wolfetone Silver badge

    Quite refreshing that Tesco haven't used the line "Security is very important to us...".

    Well, not yet anyway.

  20. TheProf

    Convenience store

    "Tesco Bank customers were notified of the breach by emails and text messages. One reader reported receiving a text at 5.40am."

    Is there a convenient time to receive bad news? Would the 'one reader' have been happy if the text hadn't arrived?

    (Yes I know the 'one reader' would prefer not to have money taken from her bank account but she's whining about being texted.)

  21. Anonymous Coward
    Anonymous Coward

    Id say...

    Something about horses bolting in regards to security here.

    However, that would would just confuse the executives since they will have all the horses accounted for...

    I could go on but theirs neigh point in putting the hoof in.

    1. I ain't Spartacus Gold badge
      Happy

      Re: Id say...

      As all good Tesco executives know, horses don't belong in the stable - door bolted or otherwise. Horses go in the lasagne.

      It's horses for courses don't-you-know. Main courses.

  22. Captain Badmouth

    HSBC

    Seems hsbc are working on their rating, currently a D with a re-direct in operation.

    1. Captain Badmouth
      Happy

      Re: HSBC

      Seems I've attracted the attention of The Associated Register Downvoters Society.

  23. Clive Galway

    Fail

    "In the meantime it has suspended online transactions from current accounts, including contactless transactions"

    Translation: "We fucked up, but we are putting the hurt on our customers to minimize our losses".

    1. Dan 55 Silver badge
      Trollface

      Re: Fail

      Time for Tesco Bank customers to test offline contactless transaction functionality, just to see if they're accepted by the bank or not.

    2. AIBailey

      Re: Fail

      Translation: "We fucked up, but we are putting the hurt on our customers to minimize our losses".

      I kind of see your point, but what's the alternative. Ultimately it's not their money going missing, it's yours (assuming you're a customer). They could of course allow all transactions to continue unchecked, fraudulent or not .....

      1. Adam 52 Silver badge

        Re: Fail

        Hard to follow your "theirs", but this is the bank's money going. No customer's money has been taken. It's a fraud *against the bank* whatever the headlines say. Just like bank robbery.

        [At the moment, the bank's are trying to change that]

        1. Richard 12 Silver badge

          Re: Fail

          Ultimately the money mostly comes from the shareholders - our pensions - via reduced dividend.

  24. Mark 110

    Banking license?

    When are the FCA going to start pulling companies banking license for these kind of screw ups. I can't see how they will be able to demonstrate they had the necessary fraud detection controls in place.

    1. Commswonk Silver badge

      Re: Banking license?

      While I fully understand why you asked the question there is the point that it would result in an awfully large number of people being forced to make alternative banking arrangements at the same time. At that point the FCA would come in for a lot of stick from said people.

      Furthermore, it would cause additional pressure on other banks, possibly resulting in errors arising in transferred accounts; cue more complaints.

      In all fairness we don't know the extent of Tesco Bank's culpability in all this, so talk of pulling its licence seems rather premature.

      Disclaimer: I am not a TB customer.

      1. defiler Silver badge

        Re: Banking license?

        To be fair, Mark didn't single out Tesco Bank - just "these kinds" of fuckups. And it's a fair question. At what point are licenses revoked?

        And an awfully large number of people having to change banks is surely better than the same people having their funds raided. Otherwise it looks like security should take a firm second place to convenience. Whilst there has to be a compromise between security and convenience (otherwise the system would be unworkable), I think the line needs to be drawn more logically.

        1. PrivateCitizen

          Re: Banking license?

          Mark / defiler,

          I agree it is a fair question but I dont think there is an easy answer.

          In this incident, ~40,000 people have been affected. If the FCA pull Tesco Bank's licence, ~8 million people are affected. I agree something should be done, but is this the right thing? (However, I have no idea if the FCA considers things to this level, it might simply be a toothless tiger).

          One point to consider is that this is a risk to the Bank not its customers. In theory, no customer should lose any money from this and Tesco are obliged to refund all the affected accounts.

          This kind of means the breach is a fine on Tesco for shit security. Seems the hackers are doing the FCA's job for it....

  25. Anonymous Coward
    Anonymous Coward

    I guess we'll never know the full story.

    Can any Tesco Bank customers provide some background info on how the Tesco banking does authentication - do you have a dongle or keypad or some other extra method beyond username and password for setting up new payments ?

    1. Anonymous Coward
      Anonymous Coward

      Re: I guess we'll never know the full story.

      While not perfect, customer access to your account uses a 2FA system setting up a soft token on your computer. Can't remember if it re-verifies for new payments.

      However if you read about what has happened and what is now blocked it would appear the web access to accounts is NOT the vector of attack. Sheer volume would indicate it's something else.

      Customers can still logon, and can still make payments from their account online. What is currently blocked is debit card payments online to external retailers.

      So it would appear someone has acquired a database of card numbers and leveraged an external dodgy merchant to place tens of thousands of "purchases". Could also be done if you had account and sort code (e.g. direct debit), but that should be easier to trace and therefore less likely.

    2. Anonymous Coward
      Anonymous Coward

      Re: I guess we'll never know the full story.

      The extra authentication for new payments is a 6 digit code sent by text which technically is 2fa, though if logged into the web side there is no 2fa, at least not the last time I set one up.

  26. Anonymous Coward
    Anonymous Coward

    As I understand the situation

    Tesco bank has not been directly hacked as part of this event although there are a lot of comments suggesting it has been. There may have been a previous "quiet" compromise in advance however.

    Fraudulent transactions on accounts appear to be formed by external card payments (possibly compromised merchant?)

    For me, the questions are:-

    If a compromise on individual customers or merchant why would accounts attacked just belong to Tesco?

    If inside job then its a big one if performed by individual CS agents, I find it hard to believe that a single agent could compromise 40000 accounts in a reasonable period of time to execute this fraud.

    If inside access was gained, why bother with all the different card transactions over time and not simply make a big payment and run. Tesco apparently successfully declined about 50% of the attempted transactions too.

    Its more akin in symptoms to running a test payments file against and using production data (clearly bad news)

    My experience suggests this is not the beginning or end of this story and there is likely to have been inside help,, poor controls, or system compromise for some time to plan this.

    I look forward to the next instalments in this story.

    1. TheVogon Silver badge

      Re: As I understand the situation

      "Tesco bank has not been directly hacked as part of this event although there are a lot of comments suggesting it has been"

      So why block logons to online banking? That suggests that they have been totally hacked...

      1. Doctor Syntax Silver badge

        Re: As I understand the situation

        "So why block logons to online banking? That suggests that they have been totally hacked..."

        Probably a reasonable precaution until they determine what the problem actually was. Yes, it prevents customers getting on to check but if this was the route so it would stop any further fraud so they had little option.

  27. This post has been deleted by its author

  28. Sir Runcible Spoon Silver badge

    You could always just mute your phone, couldn't you?

  29. m00head
    Holmes

    https://yourcommunity.tescobank.com/t5/News/Message-for-Current-Account-customers/td-p/6599

    "this refers to online payments to retailers. You should be able to make a Faster Payment as normal from your account by logging into online banking."

    Given that they have now frozen online payments to retailers from current account debit cards but not cash withdrawals, Chip & PIN transactions, nor online banking transfers, it is most likely 'Card not present' (CNP) fraud:

    https://en.wikipedia.org/wiki/Card_not_present_transaction

    https://en.wikipedia.org/wiki/Credit_card_fraud#Card_not_present_transaction

    1. m00head

      Looks like 'Verfied by Visa' may be a red herring because not all online retailers are required to implement this feature. Contactless payments have also been frozen which implies that all the information on the front of the card has been compromised.

      The question now is, has the CVV (3-digit security code) on the back of the card also been compromised? This is another feature which was supposed to reduce 'Card not Present' (CNP) fraud, because online retailers are not supposed to save this number.

      If the CVV has also been compromised then this means that the hackers have obtained a database of Tesco Bank debit card numbers which includes the CVV, or the online retailer(s) targeted in this CNP fraud do not require the CVV (e.g. Amazon).

      Either way, it is obvious that Tesco Bank fraud prevention systems are not working as well as they could be if they failed to block a number of relatively high value online purchases from Brazil being made at the same time by 20,000 UK customers.

  30. Mutton Jeff

    Ghost of RBS?

    I wonder, if they still use RBS tech, ok it was a long time ago and all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ghost of RBS?

      No, they don't. They bought it off the shelf from a large American "Bank in a Box" vendor.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ghost of RBS?

        Agreed, but that particular bank in a box, does not always include a website in a box...

  31. Gerry 3
    Flame

    These idiots woke me up TWICE !

    I was rudely awoken at 0426 this morning by a text message. Fearing that it was some absolutely terrible news, a life changing ‘Death or Disaster’ message, I was infuriated beyond belief to find that that it was merely a TescoBank press release about online banking that had been widely publicised the previous day. TescoBank had also sent me a very similar text late Sunday afternoon and I had already checked that all my accounts were in order.

    Unbelievably, I was then woken up again at 0448 by a third very similar text message from these idiots...

    1. Anonymous Coward
      Anonymous Coward

      Re: These idiots woke me up TWICE !

      Unbelievably, I was then woken up again at 0448 by a third very similar text message from these idiots...

      I will apologise in advance if you have a relative at death's door, or you're being paid to be on call. But if neither of those apply, wouldn't turning the phone off, or setting to silent be an idea when you wish to sleep?

      1. Gerry 3
        Facepalm

        Re: These idiots woke me up TWICE !

        @AC

        No, it would certainly NOT be a good idea to be forced to turn my phone off and be uncontactable, just in case a stupid wunch of bankers think it's a really bright idea to keep sending me spam texts in the wee small hours. None of my accounts had been hacked, and even if they had, what could I do about it at 0428 anyway?

        If they do it again I'll track down their CEO and call him or ring the doorbell to complain at a similar time and see how he likes it.

    2. I_am_Chris

      Re: These idiots woke me up TWICE !

      Then set up the do not disturb feature on your phone. It's built-in on iOS and I used to have it on Android, although I can't remember if it was an app or not.

      The SOP is that it won't notify you when someone calls or texts you, but will if they do it repeatedly within a short time window.

      1. Androgynous Cupboard Silver badge

        Re: These idiots woke me up TWICE !

        I don't know why the downvotes. Nothing fucks me off more than a bulk SMS, and sending two or three in the wee hours of the morning for something which could have undeniably waited a few hours would have me ringing CEOs doorbells too. The original poster pointed out that he received several in a short space of time, which would have got through the do-not-disturb feature you describe.

    3. Dexter

      Re: These idiots woke me up TWICE !

      Surely the best way not to be woken by your phone is to switch it off when you are asleep?

      Or any other time you don't want to be disturbed.

      Not sure why this seems to be impossible for many people.

  32. Hans 1 Silver badge
    Paris Hilton

    Tesco bank?

    Who in their right mind uses Tesco bank ?

    No, seriously ?

    They cut costs left right and center, what could possibly go wrong ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Tesco bank?

      "Who in their right mind uses Tesco bank ?"

      Come on, it keeps the riffraff out of Natwest and Waitrose...

    2. CustardGannet
      Facepalm

      Re: Tesco bank?

      Surely no-one with two brain cells to rub together would get their banking services from a supermarket. Personally, I bank with the Co-Op.

      Oh, wait...

  33. Anonymous Coward
    Anonymous Coward

    CV2 - tip

    just seeing it mentioned upthread reminded me of the tip - from an El Reg commentard - to obliterate the CV2 on your new debit/credit card.

    After memorising it of course.

    The logic being that it reduces one vector of attack: the "helpful" assistant who kindly puts your card in the card reader for you (have you ever been to a shop where the card reader is somehow not accessible to the customer ?) whilst skimming the CV2 by eyeball.

  34. Anonymous Coward
    Anonymous Coward

    Computerworld article

    I've just noticed this:

    http://www.computerworlduk.com/cloud-computing/how-tesco-bank-has-adopted-aws-cloud-as-business-as-usual-in-eight-months-3629767/

    1. Locky Silver badge

      Re: Computerworld article

      "Tesco Bank: Accelerating cloud adoption"

      You might want to slow down a bit now

  35. Oor Nonny-Muss

    I see it is now being reported as a "sophisticated attack"...

    Now where have I heard that before? Can someone TalkTalk to me?

  36. Nifty

    Big data angle?

    30% of accounts hacked apparently. I wonder if that stat is faithfully replicated among to-be-restructured Tesco employees who happen to have a Tesco Bank account.

    1. Dan 55 Silver badge

      Re: Big data angle?

      I notice people are talking about state actors now instead of barn-door security that lets any minimally competent hacking group waltz in and take what they want.

      1. PrivateCitizen

        Re: Big data angle?

        Always the way - first rule of crisis management is to blame [north korea|china|russia], call in the NCA and then use that to cover for the complete lack of security funding over the last decade.

        Whatever the outcome, no matter how many 15 year olds end up getting arrested, this is still perceived as more cost effective than actually implementing half decent security processes.

    2. Anonymous Coward
      Anonymous Coward

      Re: Big data angle?

      "30% of accounts hacked apparently"

      All those with money in maybe?

  37. m00head

    'Police hunt fraudsters from Brazil and Spain who stole millions in attack on Tesco Bank'

    http://www.dailymail.co.uk/news/article-3915110/Police-hunt-fraudsters-Brazil-Spain-stole-millions-attack-Tesco-Bank-customers-fell-victim-explain-lost-thousands.htm

    "One said somebody tried to pay for goods in Rio de Janeiro at 9am on Sunday with his card, despite the fact he never used it himself. He said: 'It appears to the bank that someone has worked out the algorithm to create card numbers and start/end dates.

    'They told us that the specific transaction was a card-holder present and it was a swipe of the magnetic strip-type of transaction.'"

    1. Androgynous Cupboard Silver badge

      Typical Daily mail, blaming foreigners again.

    2. m00head

      It doesn't really matter where the fraud appears to have be committed - it could have originated from anywhere. Some news agencies are now reporting that it could have been a Russian state-sponsored attack.

      The key quote was the method the fraudsters used, i.e. "card-holder present and it was a swipe of the magnetic strip-type of transaction". If accurate, this means it was not 'Card Not Present' (CNP) fraud as previously thought, and also suggests that the algorithm used by Tesco Bank to generate debit card numbers and/or expiry dates may have been cracked, or a big list of them was stolen.

      This also explains why contactless payments were also blocked - because the contactless RFID chip on the card contains the same information as the magnetic strip (also shown on the front of the card), but it does not contain the CVV (3-digit security code) on the back of the card.

  38. fattybacon

    They're on top of it

    Saw this on their forums

    "Please send us a private message to the CET user account with your name, DOB, postcode and contact number. When you send the details, please leave extra spaces between DOB, postcode and phone number, like 0 8 1 1 2 0 1 6."

    https://yourcommunity.tescobank.com/t5/News/Message-for-Current-Account-customers/m-p/6770/highlight/true#M370

    1. Dan 55 Silver badge

      Re: They're on top of it

      Ye gods. Incredible.

      Wouldn't be a laugh if their forum got owned. Obviously impossible, of course.

    2. Anonymous Coward
      Anonymous Coward

      Re: They're on top of it

      "Good evening madam, I am calling from your bank. Errr, but before we continue, I'm afraid I have to ask you a couple of security questions in order for you to confirm that is it, in fact you, you are speaking with (to me)"

      https://www.youtube.com/watch?v=R9biM_ZfIdo

  39. low_resolution_foxxes

    Interesting if it is card holder present fraud.

    Last year it was reported that a man-in-the-middle attack had learnt how to fake the chip-n-pin auth response at the terminals. Wonder if it's an industrial automated version of this hack?

    http://arstechnica.co.uk/tech-policy/2015/10/how-a-criminal-ring-defeated-the-secure-chip-and-pin-credit-cards/

  40. m00head

    "According to researchers at Newcastle University in the UK, the contactless function in the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99."

    http://www.ncl.ac.uk/press/news/legacy/2014/11/contactlesscardsfailtorecogniseforeigncurrency.html

    1. m00head

      Naturally, El Reg covered this story at the time:

      http://www.theregister.co.uk/2014/11/04/paybybonk_glitch_means_cards_can_go_kachingforcrims/

  41. Wilseus

    Nationwide

    Parts of Nationwide's Internet banking website have been down since at least yesterday, I wonder if there's a connection?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019