back to article What went wrong at Tesco Bank?

Tesco Bank has enlisted the help of the National Cyber Security Centre (NCSC) following the most serious cyber-attack launched against a UK bank. The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20, …

  1. Anonymous Coward
    Anonymous Coward

    With cloud computing, hackers have so many more points of entry

    yeah, it's an all-embracing technology :D

    1. Anonymous Coward
      WTF?

      Re: With cloud computing, hackers have so many more points of entry

      As opposed to online backing located in each branch????

      1. Mage Silver badge
        Big Brother

        Re: With cloud computing, hackers have so many more points of entry

        Your own servers you manage yourself, even if CoLo != "Cloud Computing", which is outsource to someone else's servers.

        1. Anonymous Coward
          Anonymous Coward

          Re: With cloud computing, hackers have so many more points of entry

          The Tesco Bank servers are not in the cloud, they are hosted in dedicated datacenters that are under Tesco control (not simply co-lo) for the most part. One of the sites is shared but the kit is in locked cages etc.

          1. GortonSM

            Re: With cloud computing, hackers have so many more points of entry

            "Shared" (even locked cage) is co-lo.

            Not too smart for a bank but secure enough for a local Pet Shop, perhaps.

            1. Calleb III

              Re: With cloud computing, hackers have so many more points of entry

              You (nor me) don't know what is running on the co-lo kit and how it's secured to make an informed statement whether this is smart or not. there is plenty of insensitive data and applications in a bank that are perfectly suited for co-lo/cloud.

            2. Sir Runcible Spoon Silver badge

              Re: With cloud computing, hackers have so many more points of entry

              ""Shared" (even locked cage) is co-lo."

              Yes, that's technically true, but it does mean random passers by cannot just get physical access to the kit, it also means no-one else is using that kit either.

              How many banks are you aware of that actually *own* their own data centers? I'll give you a clue - none.

              Why don't you look up who the customers are at the L3 DC on Leman street.

    2. low_resolution_foxxes

      Re: With cloud computing, hackers have so many more points of entry

      Cloud banking 'entry points' depends.

      Some of the clouds (I believe IBM's can be configured so) are essentially private fibre connections between bank HQ and dedicated servers for the really top secret data. So can really be thought of as an 'external branch network'.

      Although I believe there are a range of players and options available in this field.

      If the data can be anonymised and crunched offline, then returned and the data de-anonymised, cloud computing can work very well.

      1. Anonymous Coward
        Anonymous Coward

        Re: With cloud computing, hackers have so many more points of entry

        "If the data can be anonymised and crunched offline, then returned and the data de-anonymised, cloud computing can work very well."

        One of the reasons the cloud has got where it is today is that it offers many of the long-forgotten benefits of 1960s-style timesharing - e.g. timesharing/cloud customers don't own (or control) their own resources, resources are shared with other customers and the person paying the bill has to either accept that or pay extra. Sometimes lots extra.

        The approach you suggest loses the flexibility of uncontrolled sharing, and the price will doubtless reflect that. It may still make commercial sense in some circumstances.

        Still, cloud == hip/trendy, What could possibly

  2. Graham Anderson

    Santander must also not be hashing passwords

    Santander online banking has a password and a PIN that you need to enter selected character/digits from - so they can't be hashing passwords either. At least they don't use email as the account identifier though.

    My first direct account uses an app based 'code generator' - which doesn't seem to be TOTP/OATH. I wonder if its an established and reviewed method, or if they rolled their own solution?

    1. Greg 24

      Re: Santander must also not be hashing passwords

      I use Santander online and mobile app. Both request 8 digit customer ID (which you can persist for convenience) and full PIN, not selected characters from it. The mobile app won't allow you to set up new payments either and the online version sends a code via SMS you need to enter to create a new payment.

      Not saying any of this is vastly secure but it sounds like Tesco have really let the security aspect slip, probably because it's difficult and a bit more expensive to deploy properly.

      1. A K Stiles

        Re: Santander must also not be hashing passwords

        My Santander online access is a userid (can be customised) and password, which then presents you with a screen giving you a piece of information you have previously supplied to them so you can be more sure they're not a fraud site (unless it's doing some passthrough stuff) and then asks for a full 5 digit pin number.

        I presume (faint hope) the banks that ask for individual character combinations from passwords / keywords have a slightly restricted list of combinations which are hashed? If my password is 10 characters long, then there are 120 different ways to choose 3 characters - it doesn't seem unrealistic to think they might have that many hashes stored for me...

        Clinging to hope here!

        1. TechnicalBen Silver badge
          Trollface

          Re: Santander must also not be hashing passwords

          Why not just hash each character...

          But more seriously, I assume the "first third and fifth" version of pin checking if for *view* only options to statements and already assured bills and payments. When ever I need to add a new bill or account to pay into, or set a new DD, I need a new pin pad check (which is hashed etc AFAIK).

      2. Commswonk Silver badge

        Re: Santander must also not be hashing passwords

        @ Greg 24: Both request 8 digit customer ID...

        In one sense that must be "common knowledge" but you have just informed those who didn't know how long the customer ID is. In a small way you have just weakened your own security along with that of countless others.

        I wouldn't tell anyone how many characters I use for any User ID and (more particularly) my passwords. Make hackers find that information out the hard way.

      3. Cuddles Silver badge

        Re: Santander must also not be hashing passwords

        "I use Santander online and mobile app. Both request 8 digit customer ID (which you can persist for convenience) and full PIN, not selected characters from it. "

        No they don't. I don't know about the mobile app, but to log in to Santander from a real computer requires the customer ID, 3 characters from your password (which actually allows strong passwords without stupid restrictive rules), and 3 digits from your 5 digit numeric PIN.

        As for the main topic, this is actually an interesting problem that doesn't really have an easy solution. Only asking for a few random characters from a password is done for a very good reason - keyloggers can't steal your password if you never actually type the whole thing. But, as this incident apparently shows, this makes accounts more vulnerable to other types of attack. So the question is not so much whether it's a bad idea to do it like this, but whether it's worse than the alternatives.

        1. Cynical Shopper

          Re: Santander must also not be hashing passwords

          Santander's login differs depending on which bank they took over that you used to be with. I locked myself out once due to their telephone banking system asking me for a field I don't have on my account.

          The customer ID length being "unknown" would be very weak security by obscurity.

          Storing hashes of each 3-character combination of your password (along with the necessary indexes of the characters) is pointless - it vastly reduces the attack space to brute force your password. Once you've got the first three characters, attacking another hash that re-uses 2 of your now-known characters is simple, and so on.

        2. inmypjs Silver badge

          Re: Santander must also not be hashing passwords

          "but to log in to Santander from a real computer requires the customer ID, 3 characters from your password (which actually allows strong passwords without stupid restrictive rules), and 3 digits from your 5 digit numeric PIN."

          My current account from a 'real' computer requires me to decline installing the trusteer crap (every time because I don't keep cookies), enter a numeric customer ID, and a full numeric PIN on a page which shows a personalised icon and phrase. I seem to have a password which I am never asked and setting up a payment recipient requires more authentication.

        3. Anonymous Coward
          Anonymous Coward

          Re: Santander must also not be hashing passwords

          Actually Santander use both methods, i.e. the full length PIN or select digits depending on the legacy of your account. Newer accounts use the selected digit method.

        4. ZillaOfManilla

          Re: Santander must also not be hashing passwords

          "(which actually allows strong passwords without stupid restrictive rules)" This is the single most annoying thing I find when creating a password on a site.

          Why is that some sites will not allow the full use of different types of characters?

        5. Vince

          Re: Santander must also not be hashing passwords

          Just a shame that they're so lax on the phone. Having had them transfer several thousand pound between my accounts without any security info at all on the phone, and having had them add extra security of which the extra has never in 10 years been asked for, if you were going to do something to them, you'd just phone.

          But the rest is true, they use 3 inputs from me plus a visual validation of picture and phrase I set online (edit: although it appears this isn't always the case depending on account type and vintage)

        6. Adrian 4 Silver badge

          Re: Santander must also not be hashing passwords

          I have a cahoot account - also a Santander company. It requests 4 characters from my password and 3 of the (fixed) 5 digits of a numeric code (my choice of code).

    2. Warm Braw Silver badge

      Re: Santander must also not be hashing passwords

      >they can't be hashing

      Well, the PIN you use for your credit/debit card payment isn't hashed either - the PIN you enter at the ATM or PoS terminal is encrypted and sent to your card-issuer where a Hardware Security Module (HSM - designed for the secure, tamper-proof storage of security credentials) checks whether it matches the PIN it contains for your account. The HSM is also used in the originating of the PIN and mailing you its value. And, indeed. there would be limited benefit in hashing a small number of characters known to be numeric.

      There is no reason in principle why HSMs could not do a "masked" match for a subset of a PIN (or indeed a password), though I don't know if they're used by online banking systems in that way.

      I have seem some references to the Tesco problem involving overseas debit card payments, so whether it's directly related to use of the banking website remains to be seen.

      1. CrazyOldCatMan Silver badge

        Re: Santander must also not be hashing passwords

        the PIN you enter at the ATM or PoS terminal is encrypted

        Which is pretty pointless, given that it's included (in the clear) on the mag strip on the card..

        1. patrickstar

          Re: Santander must also not be hashing passwords

          The PIN is never stored on the mag stripe. You are confusing it with either the PAN (card number) or CVV.

          The classic way of validating the PIN at the bank is having a HSM encrypt the PAN and then turning the first bytes of the result into digits. However, nowadays many are using a database with per-card data instead.

          What is, however, occasionally stored on the mag stripe when doing it the classic way is a PIN offset to let you choose the PIN yourself - this is simply added (modulo 10 raised to the number of digits in the PIN, duh) to the encryption result to get the expected PIN. As should be pretty obvious, this value does not reveal anything about what the actual PIN is.

    3. jfdidave

      Re: Santander must also not be hashing passwords

      Really? So my bank password is 15 characters. Thats 210 combinations of 'pick 2 characters'. Which is 4200 bytes of storage for the SHA-1 hashes of all of those combinations. Doesn't sound impossible to me at all.

      1. Brewster's Angle Grinder Silver badge

        @jfdidave

        The number of combinations can be halved, if the pair are sorted by index (i.e. if you always ask for the second and fourth characters, and never for fourth and second).

        But what's the maximum allowed length of password? You have to provision for that.

        And what about Natwest, who ask for four characters?

        Edit: And, as some points out below, the net protection from all these hashes is far less than decent encryption.

        1. Brewster's Angle Grinder Silver badge

          Re: @jfdidave

          I've just realised how trivial cracking a password stored as hashed pairs would be:

          Cracking any pair by brute force is a search for a two character password.(64*64 iterations?)

          Once you have at least one letter, cracking every other pair is reduced to a brute force search for a single missing character.

          And if you didn't salt each pair separately, and the password contains a duplicated character, then cracking is reduced to a brute force search for a single character.

          Storing hashed pairs of characters offers NO security.

      2. TheInternetsFullOfNumbers

        Re: Santander must also not be hashing passwords

        Calculating and storing the hashes is not impossible at all, but if the hashed values are leaked, it's also very easy to brute-force the original password.

        For each 2-character hash, you need to try less than 10,000 possible combinations of 2 characters, and you only need to brute-force 8 hashes to retrieve your 15-character password. Ouch!

    4. Anonymous Coward
      Anonymous Coward

      Re: Santander must also not be hashing passwords

      Allied Irish Bank too...

      1. Anonymous Coward
        Anonymous Coward

        Re: Santander must also not be hashing passwords

        NS&I asked me to give a new password over the phone the other day. (I politely declined)

        This is in spite of the fact that their own website states they would never ask for one.

        I currently have a complaint open on the matter - not that they seem to care.

        I will be soon removing what little money I do have with them!

        1. Anguilla
          Thumb Down

          Gormless National Savings & investments

          @ Mr ChriZ

          ""NS&I asked me to give a new password over the phone the other day. (I politely declined)

          This is in spite of the fact that their own website states they would never ask for one.

          I currently have a complaint open on the matter - not that they seem to care.

          I will be soon removing what little money I do have with them!""

          ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

          Me, I **HAVE** to stick with those gormless bastards - it's the only place to put my UK Pension each month - who wants devalued Quids in a former B.C.C.

          At least I might become a Millionaire before I "Snuff it".

          1. Glenturret Single Malt

            Re: Gormless National Savings & investments

            The only time I was ever a millionaire was in Vietnam where (at the time) there were about 30000 of the local currency to £1.

        2. anonymous boring coward Silver badge

          Re: Santander must also not be hashing passwords

          "NS&I asked me to give a new password over the phone the other day"

          I'm always amused at the idiocy of the banks!

          I keep getting emails from my bank, inluding a "click on the link" to get to their web site.

          It's like they are trying to condition their customers to become easy fishing targets!

          No thanks!

          I will enter the web address myself!

    5. David Gosnell

      Re: Santander must also not be hashing passwords

      Must depend on which bank's accounts Santander historically acquired.

      Our historically Alliance & Leicester login needs a numeric user ID then a five-digit PIN in full.

      My business login (based on Abbey National systems) needs a numeric user ID, then a password and PIN, both in full.

      Both also use the picture verification thingy, but that's pretty much entirely placebo. The user IDs are not guessable, but nor are considered secure information.

      Both are now Santander branded but show their provenance in a few places. In both instances though, the password and/or PIN could be (and hopefully are) hashed.

      1. Mark Morgan

        Re: Santander must also not be hashing passwords

        Santander 'upgraded' (NOT!) their security. Old Santander accounts require customer ID, full passcode and full registration number. Accounts opened in the last couple of years required customer ID and three random characters from the passcode and three random characters from the registration number.

        So they must be storing them using reversible encryption. and to make it look like they beefed up security they just changed the front end. No changes have gone into the way the data is stored.

        What do customers do when presented with three random character shite? They chose simpler passwords don't they? No point in trying to use a 20-character random generated one when they pull this crap on you.

        I don't use the Santander mobile app so can't speak for that one.

        The Tesco's one is worse. The three random characters required by Santander are in fields named in the HTML as x1, x2, x3 and the three characters random are annoyingly not in order either. The Tesco's site asks for the username (not email address), full password (good) but the three random characters of the security number are presented and named as x1, x2, x3, x4, x5, x6 with the three you don't have to enter greyed out.

      2. PC Paul

        Re: Santander must also not be hashing passwords

        My ex-Abbey National account also needs a full (alphanumeric and customisable) user ID along with a password and a PIN, so that firs your theory.

        I do also have it tied to a moneydashboard account too but ISTR that was set up with a one-off security exchange to prove to Santander that I wanted Moneydashboard to have read-only access to my accounts.

    6. katrinab Silver badge

      Re: Santander must also not be hashing passwords

      Santander UK, both business and personal versions, require a username, password, and 5 digit pin, all of which I chose. I can access my personal accounts from my business login, but not the other way round.

    7. Callum

      Re: Santander must also not be hashing passwords

      I wrote about 1/3 of the code for the original online banking system... expires tag (of old) was my birthday.

  3. A Non e-mouse Silver badge
    Mushroom

    While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack

    Utter tosh. Right now, we know nothing about the form the attack took. Any comment without facts to back them up is pure speculation.

    1. Nick Kew Silver badge

      That quote is attributed to Sir Humphrey (well, maybe once removed). You need to interpret it in that context.

      (And who knows what he may know that we don't?)

    2. anonymous boring coward Silver badge

      "Any comment without facts to back them up is pure speculation."

      Sherlock, is that you?

  4. Anonymous Coward
    Anonymous Coward

    "With cloud computing, hackers have so many more points of entry"

    "With cloud computing, hackers have so many more points of entry" - Sod off, absolute crock of s**t... People and Organisational culture make more of a difference to security than the platform it sits on. Odds are if you're a Project based org - i.e. get it in, once it's working, ignore it, you'll succumb to this type of attack, and in some cases, quite often. If you're more on the ball and there is a focus on operational performance (i.e. looking at what data is going out), paying for time/people to continually remediate, you'll stand a better chance of not having these instances.

    Public Cloud, just like an on-premise/hosted solution will normally have it's biggest weakness in those configuring it not knowing how to configure it. That'll always leave ways in, even when done properly, they'll still be zero days. Building an architecture that is more tolerant of people mistakes, making it harder and harder for an attacker to exploit, or once exploited, get to anything meaningful is the way forward.

    It's nice to see NSCS being involved here, that was only very recently setup, I'd seen their head speak at Microsoft Future Decoded, it actually looks like an organisation with the right tools/mentality for helping firms work to prevent this kind of thing happening.

    1. Dabooka Silver badge
      FAIL

      Re: "With cloud computing, hackers have so many more points of entry"

      Generally speaking I agree with the above; meatsacks, in one way or another, offer the easiest way in.

      Look at that large attack on Sage recently. Although not sure how that ended up (or even if it has been announced) that smacked of an inside job with the arrest at Heathrow etc. With the Tesco bank (also based in Newcastle?) I speculated that an insider had been conned into doing something small and not realised the scale of the impact it could have. That was based on absolutely no knowledge whatsoever of banking security other than the POV of a consumer.

      Then I read this article and thought what a piss weak login system for a brand new bank with no legacy code to accommodate.

  5. wolfetone Silver badge

    I had an email from The Co-Operative Bank a few weeks ago saying they were having to do maintenance on their banking system (long overdue!), and when I went on to my online banking I noticed now they ask for a username. If you don't have your username (which I don't) they ask you to provide your sort code and account number or the long card number. You then provide two digits from your personal pin number which I set up, then answer the question to one of 4 questions.

    They then emailed roughly around the time of the Tesco hack to say their maintenance was on hold. I thought it was coincidence, but now that you mention the pin number for Tesco works the same as the Co-Op, I wonder if the underlying systems are related?

    1. Dabooka Silver badge

      I'm with them too

      And thought the same; very coincidental.

      Didn't we use to have 2FA with the Co-Op or was that just for new payments? With the card reading pin generator?

      1. Neill Mitchell

        Re: I'm with them too

        There's only 2FA with the card reader when you set up a new payment method. Payments to existing payees can be made without any further checks.

        1. wolfetone Silver badge

          Re: I'm with them too

          Those card readers for me have been a massive waste of time. They never work, I have a collection of 8 of them in my drawer.

      2. Doctor Syntax Silver badge

        Re: I'm with them too

        "Didn't we use to have 2FA with the Co-Op or was that just for new payments?"

        Tried that. Didn't work. And as the branch in the local store (convenience of which was main reason for using them) has closed it meant an unwelcome trip into town to sort out.

  6. Anonymous Coward
    Anonymous Coward

    Intersting....

    The One account, Tesco Credit card and RBS also ask for random numbers and character.

    All have RBS involved.

    OneAccount - Originally Virgin, now owned by RBS

    Tesco bank / Credit cards - Jointly set up by RBS (now run by Tesco).

    Coincidence?

    1. Halfmad

      Re: Intersting....

      My RBS account requires the person know my STUPID account name, then a handful of password characters and part of a PIN. But to transfer any money out, add a new payee etc they'd need access to my debit card and a card reader for a challenge/response.

  7. Anonymous Coward
    Joke

    Insider job?

    If it is an insider job, it'll be easy to find out who - just see who turns up in a Ferrari next week...

    1. Elmer Phud Silver badge

      Re: Insider job?

      Or does 'click and collect' at their nearest Tesco

    2. Chris King Silver badge

      Re: Insider job?

      Or more likely - who sends you a postcard from their new island retreat, saying "So long, suckers !"

    3. You aint sin me, roit
      Trollface

      Re: Insider job?

      Most likely an insider job, but I really hope it's a bunch of OAPs getting together every Friday lunchtime at a cybercafe to plan their latest heist.

      Can't be drilling through more concrete at their age!

      1. AndyD 8-)₹

        Re: Insider job?

        begin transaction;

        $b4 = select sum(balance) from allaccounts;

        update allaccounts set balance = balance*0.9 where balance > 0;

        $afta = select sum(balance) from allaccounts;

        $myac = '0123456...';

        update allaccounts set balance = balance +$b4-$afta where acno = $myac;

        end transaction;

        commit;

  8. tiggity Silver badge

    VbV

    Bit of a tangent (but banking related)

    One of my pet hates verified by visa (SD secure) in addition to encourage just the sort of "move off site to some random url" behaviour you would see in cross site scripting attacks, asks for selected characters of your password, implying some form of plain text storage

    Annoyingly VbV is very hard to avoid, way too many online shopping places use it, I'm left with few shopping options online.

    A password that lets you get at someones money should not be stored plaintext, at least a bit of security applied even simple individual "slow" (computationally expensive, so brute forcing attacks are slow) hash & encryption approach is better than nothing (obv pick protocols where existing huge rainbow tables do not make a mockery of your efforts).

    1. Chris Miller

      Re: VbV

      asks for selected characters of your password, implying some form of plain text storage

      No it doesn't - you could store a hash for each individual character; though this does mean that if someone steals the hashes, they won't need a very big rainbow table :). A strongly encrypted password can be quite secure, but it probably depends on a secret key, which will need to be kept 'secret'.

      1. Mark Morgan

        Re: VbV

        Yes it does. It depends on the card issuer. One of my cards Verified by Visa asks for the full password the other asks for random characters.

        My biggest gripe with it is that it responds "no that is not your password", you shout at it "yes it is". Select change password; Answer some staggeringly easy questions (you know, like mother's maiden name and postcode) and set your new password and it says "you've used that one before you can't have it" - at which point you punch the screen shouting "that's the bloody one I was entering before". You just end up in a loop resetting your password every single time you're forced to use it.

        Verified by Visa is just the banks attempting to offload their fraud liabilities on to the retailer.

    2. 0laf Silver badge

      Re: VbV

      Banking (and some shop) sites for whatever reason are a pain in the arse. I run Firefox with No-script and adblock.

      I use 2 or 3 different banking sites and they all have issues with that setup. I end up having to fire up Edge without the extra security in order to get through the security on the banking website.

      VbV always triggers a XSS warning in no-script whenever it appears so that I have to backtrack any purchases and return with no-script disabled.

    3. 2+2=5 Silver badge

      Re: VbV

      > Annoyingly VbV is very hard to avoid, way too many online shopping places use it, I'm left with few shopping options online.

      You can ask your card issuer to remove it.

      Most of the sites that I use work just fine without - I've only encountered one where it refused and that was one where it was trying to establish identity rater than take money.

    4. Anonymous Coward
      Anonymous Coward

      Re: VbV

      ... asks for selected characters of your password, implying some form of plain text storage

      It doesn't have to be this way. My non-UK based VbV doesn't do that.

    5. The Mole

      Re: VbV

      My problem with VbV is that is is not at all secure, to reset the password all you need is the victims account details and date of birth - which will be on the driving license of the wallet you've just stolen. I've given up trying to remember my password for it and just reset it every time as it is quicker and easier.

    6. PC Paul

      Re: VbV

      Not sure if it's different now but last time I used VbV ages ago I had forgotten my password - and the only things I had to provide to do that were already included in the transaction I was trying to verify!

      So, no actual verification was being performed over and above that at all.

  9. Anonymous Coward
    Thumb Down

    Given current reporting

    The blame must be (in order): Trump, Brexit, misogynist white men, Windows 10, off-shoring.

    1. 's water music Silver badge

      Re: Given current reporting

      The blame must be (in order): Trump, Brexit, misogynist white men, Windows 10, off-shoring.

      Wait what? Are Apple off the hook now?

      1. Elmer Phud Silver badge

        Re: Given current reporting

        They are while there is a possibility of Trump going ahead with a 45% levy on Chinese kit.

        Double Trumped

  10. mdava

    Why isn't this bigger news?

    As in the title: I don't understand why this isn't getting more (and more vigorous) news coverage.

    Admittedly it is early days, but this is a hack of Tesco's systems, not info harvested from phishing creds from individuals. The nature and scale of the attack is worrying.

    1. Velv Silver badge
      Coat

      Re: Why isn't this bigger news?

      I think something else in the news this week may have Trump'd it

  11. Mike Shepherd
    Meh

    On second thoughts, could you hurry that along, Mrs May?

    "...EU General Data Protection Regulation...Tesco...could be fined nearly £2bn"

    Tesco were neutral on BrExit.

    1. RealBigAl

      Re: On second thoughts, could you hurry that along, Mrs May?

      The EU GDPR applies to any organisation wanting to do business with the Euro block irrespective of whither they're in Europe or not.

  12. 0laf Silver badge

    If you were hitting a bank....

    I have suspected it is easier from inside out and that either getting an insider or at least tricking an insider to install your backdoor is probably going to give you a better ROI than trying to break through the front door.

    So my guess is dumb employee installing xyz without permission or some other form of social engineering letting the bad guys in a side door.

    Santandar were hit a few years back when a 'cleaner fitted a KVM hooked to a 3G router into the network.

    1. Anonymous Coward
      Anonymous Coward

      Re: unauthorised KVM with external connectivity

      "Santandar were hit a few years back when a 'cleaner fitted a KVM hooked to a 3G router into the network."

      Interesting, didn't know the KVM exploit had happened to Santander as well as to Barclays (2013):

      http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-1.3-million-police-say.html

  13. Anonymous Coward
    Anonymous Coward

    Actually they request a username, pin and a password. And do device recognition supplemented by one-time passwords. So storing the pin in reversible format is perfectly acceptable as long as the password isn't. It might not be the strongest authentication available for online banking, but it's a huge stretch to call it weak.

    Your rent-an-expert doesn't have a clue.

  14. cantankerous swineherd Silver badge

    "hugely sophisticated, coordinated and advanced attack"

    the usual bull, meaning a couple of moderately talented skiddies got in through an open window.

  15. Anonymous Coward
    Anonymous Coward

    Interesting but <<<Hype or Fact>>>

    "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident. "

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting but <<<Hype or Fact>>>

      Well it could be Fact - if the GDPR Regulation was in effect. But since it won't in effect be until 25 May 2018, it's actually Hype.

      1. FOMOsec

        Re: Interesting but <<<Hype or Fact>>>

        GDP max fines are 20 mill euro...£2bn is way off.

  16. Anonymous Coward
    Anonymous Coward

    If someone had access to logins and passwords then why have Tesco not reset customers pins and passwords?

  17. Neil Barnes Silver badge

    The question I have seen neither asked nor answered:

    Where did the money *go*? Surely there is a transfer record?

    1. Jan 0

      Re: The question I have seen neither asked nor answered:

      Thank you for asking the question that has been worrying me too.

      The money can't have gone into a sack behind a hedge somewhere, so is the destination bank account subject to a digital stakeout? Alternatively, was this just a prank in which someone zeroed 9,000 accounts without actually stealing any money?

  18. Anonymous Coward
    Anonymous Coward

    Not necessarily a hack of their systems

    "it likely either Tesco's internal systems, or their mobile application, have been hacked. "

    For weeks now I've been getting emails to my Hotmail account purporting to be from Tesco Bank with the usual "Your account has had an unusual transaction." type crap (I don't have a Tesco Account), it's equally likely they are just exploiting a spear phishing haul

  19. Law

    I work for a company that sells medical instruments internationally - the biggest driver for being secure, and having a strict quality process isn't the threat of fines, it's the threat of losing their certification - and therefore unable to sell instruments in various regions. To keep these certifications we have regular audits.

    So rather than just giving these banks big fines when a breach happens - set up audits, make banks stick to minimum (but high) levels by setting data protection standards for user information and secure systems. Those standards should lay out minimum levels of protection (2fa, salted hash encryption for passwords etc) for accessing accounts through apps and storage of user data internally. If companies are audited and their mobile/websites/internal systems don't live up to these user protection standards then take away their ability to do business within the UK/EU.

    If a company screws up, then it's not just a fine that'll be passed on to the victims of said bread (the customers) - it's the companies ability to make money that's put on the line.

    I'm not in the finance industry - so no idea if they already do this... seems like they don't, since barclaycard also do the "first, third letter of your password" style of login. Not to mention the laughable verified by visa system.

  20. js6898

    You can't logon to a Tesco account without device recognition - if you try to logon from another PC they text you a PIN so that adds another layer of security

    1. Anonymous Coward
      Anonymous Coward

      What identifies the device? A cookie of something else? I never ask it to remember the device as I like to know when I log in that a text message was sent. I wish you could disable the feature.

  21. m00head

    http://www.tescobank.com/help/current-account-fraud-update/

    Under the FAQ section:

    "Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details"

    Are they implying that it was a security compromise in the Visa debit card or contactless system?

  22. Adam Jarvis

    Dave Lewis, Tesco CEO, just got that call...

    Peter Yapp, the deputy director for the incident management directorate, explained how his role worked: “If something [regarding a cyber incident and your company] breaks in the press, I'll get a call from someone in government,” he said, and he would be expected to explain what the incident meant.

    “If you haven't phoned me and told me about it, I will phone you,” stated Yapp.

    “It is worth telling me about the most serious incidents,” he told his audience, acknowledging that these were difficult to define, before comforting them: “We do not tell the ICO what you tell us.”

    http://www.theregister.co.uk/2016/10/13/

    new_gchq_unit_says_it_wont_rat_your_breached_business_out_to_the_ico/

  23. David Gale

    TADAG.com

    This is not just Tesco's weakness. Multi-point, layered authentication is the answer: TADAG

  24. deadfamous

    Crap app or man in the middle...

    Only online and wireless transactions affected... so (assuming that wireless uses web technology?) not chip/pin or account access.

    I simply Do Not Use banking apps.... That leaves MIM attacks, possibly an outside job...

  25. Anonymous Coward
    Anonymous Coward

    How?

    The article and many comments seem to be focussing on online banking; but the news item on this have repeatedly said online banking was not stopped, online payments were.

    Noting all the banks seem to have their own Verified By Visa and Mastercard Secure implementations, I'm wondering if the criminals have got into or behind that, sending payment instructions into a "back door" at the point they only need basic details; just a card number and maybe card expiry?

    That doesn't necessarily need a hack inside Tesco's firewall, nor does it invalidate card details etc, it would basically be a coding c***up that had been discovered (or deliberatly set) and exploited?

    It it were a problem with online banking security then surely that would have been switched off instead?

  26. Chz

    Banks don't seem to care about customer security

    Ten years ago, it was bleeding obvious that security was insufficient at almost all UK banks. That whole "Enter the first, third and fifth number of your PIN" nonsense that would be much more secure if they had enough brain cells to not ask for them in order each and every time. Halifax - for one - still does this, though they've at least moved to selecting from a drop-down list to frustrate the very simplest of keyloggers. HSBC moved to one-time codes and then inexplicably re-introduced the in-order random bits of PIN in their mobile application. Because Android is more secure than a desktop or something.

    You can only conclude that they don't actually care.

  27. Paul Barnett

    Who's money?

    I'm sure the real answer is that the customers will have to pay for it anyway, but legally, was the money stolen from Tesco Bank, or Tesco Bank's customers? or is it not that simple/

    1. Captain Badmouth
      Headmaster

      Re: Who's money?

      "I am" said Mr. Trump.

      Or did you mean "whose money"?

      Oh dear. You are Ted Heath (deceased) and I claim my €5.

  28. Callum
    Unhappy

    debit card key compromise

    Having designed a few online banking solutions for uk retail banks; I reckon that this looks like a debit card key compromise. The fraudulent transactions seemed to originate abroad having been used for various online purchases which to me sounds like the actual ebanking system was not compromised. AFAIK Tesco didn't shut down their branch or online systems after the breach.

    If a key has been compromised and someone is minting new cards; then that's bloody interesting. I've not heard of a type 4 issuer having a key compromise before.

  29. Dr.Flay

    Tesco Tech support is stuck at XP SP1

    in 2008 I captured the Tesco tech support page because I was shocked at it being 2 years out of date.

    The drivers on the site are obsolete version 1s, and intended for XP SP1 or earlier.

    http://wayback.archive.org/web/20080116201557/http://direct.tesco.com/content/specials/technika.aspx

    They were obsolete when they were posted, as upon investigation I found the chipsets to be EOL by their own manufacturers, but they had driver updates for newer OSs.

    https://vivaldi.net/userblogs/entry/technika-webcam

    In 2013 they finally updated the site !

    ....and still had the same drivers.

    It is now almost 2017 and guess what ?

    Yes 10 years down the line Tesco are still only offering drivers for products they no longer sell, and almost nobody can use.

    http://ttselectrical.custhelp.com/app/answers/detail/a_id/2791/~/technika-drivers

    Tesco do the bare minimum they can get away with to tick a legal box.

    Customers shrug and put up with it.

    Customer and technical support have no idea who made the Technika products, or if they contain any vulnerabilities, so if they did, no way to offer any solutions.

    Heaven forbid any mug buys a Technika brand IoT device.

  30. domesticempire
    Holmes

    "Cyber-attack

    The new word for BANK ROBBERY.

    Calming words for an uncertain world."

  31. Ilmarinen

    Cui bono?

    "Tesco Bank could be fined nearly £2bn under GDPR rules for this incident."

    Nice little earner for someone - local gov? EU?

    All paid for by bank customers and shareholders who've already been scammed "for theft of £2.5m"...

    (just wondering)

  32. m00head
    Holmes

    Tesco hackers used mobiles to launder haul - The Sunday Times

    http://www.thetimes.co.uk/article/tesco-hackers-used-mobiles-to-launder-haul-92tjftd57

    "Raiders used contactless accounts to spend stolen £2.5m in US and Brazil

    The criminals behind the Tesco Bank cyber-heist went on a spending spree in shops in the US and Brazil to launder their ill-gotten gains, The Sunday Times can reveal.

    The thieves used data stolen from the British lender to set up contactless payment accounts on smartphones, sources said.

    In a co-ordinated raid last weekend, they bought thousands of low-priced goods from stores, swiping their mobile phones at the tills. Many of the fraudulent transactions are understood to have been made in American electricals retailer Best Buy.

    The gang took £2.5m from 9,000 Tesco Bank customers before the lender detected suspicious activity and froze all online payments."

  33. m00head
    Holmes

    Tesco Bank ‘failed to heed warning on cyberattack’ - The Times

    http://www.thetimes.co.uk/article/tesco-bank-failed-to-heed-warning-on-cyberattack-rpgvhrh8j

    "Security flaw enabled fraudsters to steal millions

    Investigators are looking into whether Tesco Bank ignored a warning about a security flaw in its payment system that allowed fraudsters to steal millions of pounds from the accounts of thousands of its customers.

    Officials at the Financial Conduct Authority and the National Crime Agency believe that Tesco might have failed to act on an industry-wide warning from Visa a year ago. They believe that hackers using specially designed computers were able to take advantage of a so-called Code 91 glitch to access the debit card details.

    The glitch meant that criminals were able to repeatedly “ping” payment sites with random debit card numbers until they found a match with a customer’s card number, expiry date and three-digit security code."

    More here:

    http://www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709

    https://www.icba.org/files/Bancard/PDFs/MitigatingFraudRiskThroughCardDataVerification.pdf

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019