TESCO BANK - AS THINGS ARE DIVULGED

The articles on this page were produced by national publications. As the information comes from external sources, details of each article's origin appear under its title.

Links annotated [Option 1] will direct you to a website that will possibly download a 3rd party cookie to your computer. Your Browser or security software may be set up to prevent this download from taking place.


TESCO BANK CUSTOMERS LOSE MONEY TO "FRAUDSTERS"

(BBC News, dated 6th November 2016)

Full article : www.bbc.co.uk/news/business-37888327

Thousands of Tesco Bank current account customers appear to have been targeted by fraudsters, with some saying they have lost hundreds of pounds.

Customers have complained about money being withdrawn without permission, cards being blocked and long delays to get through to the bank on the phone.

The bank said its anti-fraud systems had identified "suspicious activity" on a number of customer accounts.

It said some cards were immediately blocked as a precautionary measure.

Those cardholders would still be able to use online banking, the company said.

Tesco Bank said the customers affected numbered "in the thousands but less than 10,000" and that they had all been sent alerts to notify them. It said they should contact the bank if they had any concerns.

Alan Baxter from Berwick-upon-Tweed said he had lost £600, leaving him with just £21.88 in the bank.

He said: "Tesco said they couldn't offer me emergency funds but would offer £25 as a goodwill gesture.

"I've got food and petrol to pay for. I have a delivery of coal coming tomorrow for our coal-fired heater and I won't be able to pay."

Kevin Smith, from Blackpool, said he had lost £500 from one account and £20 from another.

He said: "I was just about to go to bed last night when I received a text message from Tesco saying there had been fraud on my account. So of course you panic."

'Vanished'

Other customers complained on Tesco Bank's website and on social media about long delays when calling the company's customer service line to find out if their account was affected.

"Appalling service here. Woken at 4am to say contact urgently. Spent over three hours on hold. No answer," one wrote.

Another wrote: "Been waiting 40 mins to get through to @TescoBankNews. I hope my money is safe..."

A third said: "My weekend is not going very well, thanks to Tesco Bank. Money has vanished from my account and you don't even answer the phone."

The Financial Conduct Authority says banks must refund unauthorised payments immediately, unless they have evidence that the customer was at fault or the payment was more than 13 months ago.

Banks are also required to refund any charges or interest added to your account as a result of the fraudulent payments.

Tesco Bank has been wholly owned by Tesco plc since 2008, after starting life as a joint venture with Royal Bank of Scotland.

It offers a range of personal banking products, including credit cards, personal loans, savings, mortgages and general insurance.

The bank has more than seven million customer accounts and 4,000 staff, based in Edinburgh, Glasgow and Newcastle.

See also (uaware)

www.theguardian.com/money/2016/nov/06/tesco-bank-blocks-some-customers-cards-suspicious-activity-detected

www.thesun.co.uk/news/2126881/tesco-bank-customers-have-been-targeted-by-fraudsters/

www.itv.com/news/2016-11-06/customers-cards-blocked-after-mass-tesco-bank-fraud/



TESCO BANK - 20,000 CUSTOMERS LOSE MONEY (Extract)
(BBC News, dated 7th November 2016)


Full article : www.bbc.co.uk/news/business-37891742

Tesco Bank has halted online payments for current account customers after money was taken from 20,000 accounts.

The bank's chief executive Benny Higgins told the BBC he was "very hopeful" customers would be refunded within 24 hours.

About 40,000 accounts saw suspicious transactions over the weekend, of which half had money taken, he said.

Customers will still be able to use their cards for cash withdrawals, chip and pin payments, and bill payments.

They can also use online banking, but cannot make online transactions until the situation is back under control, Mr Higgins told the BBC's Today programme.

Earlier, the bank confirmed some accounts "have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently".

Mr Higgins also apologised for the "worry and inconvenience" that customers have faced.

One cybersecurity expert said this could be an unprecedented breach at a British bank.

"I've not heard of an attack of this nature and scale on a UK bank where it appears that the bank's central system is the target," said Prof Alan Woodward of the University of Surrey.

Over the weekend, customers complained about money being withdrawn without permission, cards being blocked and long delays to get through to the bank on the phone.

"Any financial loss that results from this fraudulent activity will be borne by the bank," Mr Higgins said. "Customers are not at financial risk."

"We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter, and direct communication," he added.

Tesco has yet to use the word "hacking" to describe the breach.

Robert Schifreen, editor of the computer safety website Security Smart, said Tesco Bank must tell people what happened and how fraudsters obtained customers' bank details.

"It could be, for example, that people have been attaching skimming devices, card readers and cameras specifically to Tesco's cash point machines, so that they've been capturing people's accounts there," he told the BBC.

"It could be somebody who works at Tesco Bank who's had access to the database. It could be somebody else, who Tesco have passed information to, and that information has been hacked."

Last year the National Crime Agency warned internet users to protect themselves against a strain of malicious software, which had enabled criminals to steal an estimated £20m from UK bank accounts.



TESCO BANK CYBER RAID "UNPRECEDENTED" SAYS FINANCIAL REGULATOR
(The Guardian, dated 8th November 2016 author Jill Treanor)

Full article [Option 1]:

www.theguardian.com/business/2016/nov/08/tesco-bank-cyber-raid-unprecedented-financial-regulator-fca

The cyber heist at Tesco Bank has been described by the chief executive of the City regulator as an "unprecedented" incident in the UK.

Andrew Bailey, chief executive of the Financial Conduct Authority, told MPs on the Treasury select committee that "there are elements of this that look unprecedented and it is serious, clearly".

Tesco Bank stopped all online transactions for 140,000 current account customers on Monday after it discovered 40,000 customers had been targeted by the online attack. Half of the customers had money taken from their accounts, which are operated through an app or online. Customers have reported that sums have been transferred to Spain and Brazil.

The National Crime Agency (NCA) is one of a number of organisations scrutinising what has taken place at the supermarket chain's banking arm, which has more than 7 million customers.

A new division of the surveillance agency GCHQ - the National Cyber Security Centre - confirmed it was working with the NCA which has launched a criminal inquiry. The NCSC, created only last month as the UK's authority on cybersecurity, said it was "providing direct assistance to the company at their request, including on-site assistance".

"In the case of cyber-related incidents, it can, on certain occasions, take a significant period of time to understand the incident given the technical complexities involved. So the story will emerge over time. During this period it is vital that nothing is said publicly that could interfere with the criminal investigation," the NCSC said.

"Given the investigation thus far and the evidence at hand, the National Cyber Security Centre is unaware of any wider threat to the UK banking sector connected with this incident."

Bailey told the MPs that the FCA was in close contact with Tesco and that the bank had reassured the regulator that customers whose money had been stolen would be reimbursed by the end of Tuesday.

He said it was too early to know the exact cause but said it appeared to be related to debit cards and that computer hackers were looking for weaknesses and "points of entry" into banks.

"It looks like it's [in] online banking, clearly appears to be on debit card side of online banking as far as we can tell. But it requires further urgent analysis," said Bailey.

He said he was confident that Tesco knew which customers were affected by the incident which began to unfold on Saturday night when the bank began texting customers about unusual activity from their accounts.

But Tesco provided no update on the status of its customers on Tuesday after suspending online banking transactions for current accounts in the wake of the incident.

Bailey indicated that Tesco would not be able to turn those facilities back on until it was confident the service was safe for customers.

A number of theories have circulated about the cause of the problem, including that it was caused by an internal security breach. Conservative MP Chris Philp, a member of the Treasury select committee, has raised the idea it could have been the work of a foreign power. "I think we can't rule out the possibility, at all, that this is state-sponsored," he told the BBC earlier this week.

As the crisis was unfolding, Benny Higgins, chief executive of Tesco Bank, had said the decision to suspend some banking activities was an attempt to protect customers from "online criminal activity".

Higgins, who has apologised to customers, has described the raid as "a systematic, sophisticated attack".

The NCSC said its role was to provide support to the investigation, work with the company concerned to manage the incident, investigate the root causes and use any lessons learned to provide future guidance and policy on cyber security.

The Information Commissioner's Office is also scrutinising the situation.



TESCO BANK CYBER-THIEVES STOLE £2.5m FROM 9,000 PEOPLE [Extract]
(The Guardian, dated 8th November 2016 author Jill Treanor)

Full article [Option 1]:

www.theguardian.com/business/2016/nov/08/tesco-bank-cyber-thieves-25m

Tesco Bank has revealed that the "unprecedented" attack on its online accounts at the weekend resulted in the loss of £2.5m. The banking arm of the supermarket chain also revised down the number of accounts from which money was removed from 20,000 to 9,000 and announced that banking services had been restored for all its customers.

Tesco Bank issued its update hours after Andrew Bailey, the chief executive of the Financial Conduct Authority, told MPs that the incident was unprecedented in the UK and regarded as serious. Bailey told the Treasury select committee that "there are elements of this that look unprecedented and it is serious, clearly".

Andrew Tyrie, the Conservative MP who chairs the Treasury select committee, said after the hearing that "the attack on Tesco's retail accounts is deeply troubling. Banks have a long way to go to improve the resilience and security of their IT systems". Another member of the committee, Steve Baker, said: "the vulnerability of Tesco Bank highlights the crucial importance of technical security to the financial system."

"In the case of cyber-related incidents, it can, on certain occasions, take a significant period of time to understand the incident given the technical complexities involved. So the story will emerge over time. During this period it is vital that nothing is said publicly that could interfere with the criminal investigation," the NCSC said.

uaware comment :

National Cyber Security Centre "or National Caught Sleeping Centre"

NCSC doesn't work on weekends, perhaps ?

Or, the attack happened during NCSC lunchtime ?

Or, Banks are not considered a target by NCSC because their security is so good !

Or, "BS" baffles brains ! (sorry about the language).




WHAT WENT WRONG AT TESCO BANK
(The Register, dated 10th November 2016 author John Leyden)

Full article [Option 1]:

www.theregister.co.uk/2016/11/10/tesco_bank_breach_analysis/

Tesco Bank has enlisted the help of the recently established National Cyber Security Centre (NCSC) following the most serious cyber-attack ever launched against a UK bank.

The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night. At the same time Tesco announced that it was restoring normal service following the suspension of online and contactless transactions from current accounts applied in the immediate wake of the breach last weekend.

NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking.

Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely either Tesco's internal systems or its mobile application have been hacked. Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN. By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker."
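Mann's point about partial-PIN login is worth seeing in code. The example below is added for this page and is not code from The Register, ECSC or Tesco Bank; the 6-digit PIN, the positions requested and the tiny KDF work factor are constructed. Scheme A is a conventional login that stores one salted hash of the whole secret. Scheme B is the "enter digits 2, 4 and 5 of your PIN" login: because the server chooses the positions, it must be able to check any subset, so it either keeps the PIN recoverable or keeps one hash per subset. The second option looks hashed, but each hash covers only three digits, and `crack_partial` recovers the whole PIN from a stolen table with a few thousand guesses.

```python
"""Why asking for selected PIN digits stops the bank from storing only a hash.

Added example for this page; not code from The Register, ECSC or Tesco Bank.
PIN, requested positions and ITERATIONS are constructed for illustration.
"""
import hashlib
import hmac
import itertools
import os

ITERATIONS = 200      # deliberately tiny so the demo runs in seconds; real KDFs use far more
DIGITS = "0123456789"


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over whatever string the caller passes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


# Scheme A: the full PIN is entered at login, so only one salted hash is stored.
def enrol_full(pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_secret(pin, salt)}


def verify_full(record: dict, pin: str) -> bool:
    return hmac.compare_digest(record["hash"], hash_secret(pin, record["salt"]))


# Scheme B: the server asks for k of the PIN's positions, so it must store one
# hash per k-subset (for a 6-digit PIN and k=3 that is C(6,3) = 20 hashes).
def enrol_partial(pin: str, k: int) -> dict:
    salt = os.urandom(16)
    table = {}
    for positions in itertools.combinations(range(len(pin)), k):
        table[positions] = hash_secret("".join(pin[p] for p in positions), salt)
    return {"salt": salt, "len": len(pin), "k": k, "table": table}


def verify_partial(record: dict, positions: tuple, digits: str) -> bool:
    expected = record["table"].get(positions)
    return expected is not None and hmac.compare_digest(
        expected, hash_secret(digits, record["salt"]))


# What an attacker holding a copy of the scheme-B table can do offline.
def crack_partial(record: dict) -> str:
    """Recover the whole PIN: each hash covers only k digits (10**k candidates),
    and the subsets overlap, so a handful of them reveal every position."""
    recovered = [None] * record["len"]
    for positions, digest in record["table"].items():
        if all(recovered[p] is not None for p in positions):
            continue                      # nothing new to learn from this subset
        for guess in itertools.product(DIGITS, repeat=record["k"]):
            cand = "".join(guess)
            if hmac.compare_digest(digest, hash_secret(cand, record["salt"])):
                for p, d in zip(positions, cand):
                    recovered[p] = d
                break
    return "".join(recovered)


def guess_budget(length: int, k: int) -> tuple:
    """Worst-case offline guesses per stored hash: (scheme A, scheme B)."""
    return 10 ** length, 10 ** k


if __name__ == "__main__":
    pin = "493817"                                 # constructed
    rec = enrol_partial(pin, 3)
    print(verify_partial(rec, (1, 3, 4), "981"))   # True: the legitimate login path
    print(crack_partial(rec))                      # 493817: the attacker's path
    print(guess_budget(6, 3))                      # (1000000, 1000)
```

Raising the KDF work factor makes each guess slower but does not change the arithmetic: a thousand candidates per hash is always cheap, which is why partial-secret login schemes are usually backed by an HSM or reversible encryption rather than by hashing.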

Tesco Bank manages around 136,000 current accounts. Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack - and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands. In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter."

Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn.

"When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident. The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it. The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late."



ANALYSTS APPLY OCCAM'S RAZOR TO TESCO BANK BREACH (Extract)
(The Register, dated 16th November 2016 author John Leyden)

Full article [Option 1]:

www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analysis/

Analysis Security analysts have narrowed down the range of possible explanations for the Tesco Bank breach.

Digital Shadows, a security intelligence firm, claims it has identified "multiple instances" of Tesco Bank customers who say that fraudulent online transactions had been made from their accounts. Some of these reported small fraudulent transactions of around £20 before larger transactions of £500 or more were attempted. Another report talked about cash which had been fraudulently withdrawn from a customer's account from an ATM in Rio de Janeiro, Brazil.

Tesco Bank login pages were included as a target in the config files of three major banking trojans: Vawtrak, Dridex and Retefe. In addition, Digital Shadows has identified a user on the forum linked to the cybercrime bazaar AlphaBay, who claimed in September 2016 that he was able to cash out Tesco Bank accounts with the assistance of an insider at the bank. The claim is unverified but nonetheless deserves to be taken seriously in the light of subsequent events.

Several competing theories about what might have happened have sprung up in the wake of the incident. Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.

Digital Shadows has applied the technique of Analysis of Competing Hypotheses (ACH) to the available data in an attempt to narrow down the possibilities between four competing theories.

The security intelligence firm concludes that the heist was run by an organised criminal group, which is likely to present an ongoing threat.

"In the immediate future, it's likely Tesco Bank customers will be targeted with phishing emails imitating law enforcement or Tesco Bank customer support. Tesco Bank customers are advised to exercise caution when receiving calls or opening emails or SMS messages purporting to relate to this incident and to report any suspected phishing attempts to Tesco Bank via phishing@tescobank.com," it adds.



TESCO BANK UNDER INVESTIGATION FOR POSSIBLY IGNORING WARNING OF POTENTIAL CYBERATTACK
(International Business Times, dated 28th November 2016 author India Ashok)

Full article [Option 1]:

www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709

A probe has reportedly been launched into Tesco Bank to determine whether the bank failed to heed warnings of a security flaw in its payment systems, which may have allowed hackers to make off with millions of pounds. Authorities believe the bank may have failed to act on a warning issued by Visa a year ago, according to reports.

Investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) believe that the hackers used customised computers to leverage an alleged Code 91 glitch, which allowed them access to customers' card data.

Andrew Tyrie, chairman of the Treasury select committee has reportedly said that he and his committee are closely following the investigation. He allegedly indicated that regulatory action against the bank may be taken, if any evidence of wrongdoing is uncovered.

"The recent lapse in security at Tesco Bank, which enabled criminals to directly access the money of thousands of customers, was unprecedented in its seriousness," Mr Tyrie said, The Times reported.

Visa had reportedly warned banks about low-value transactions in particular. The firm had allegedly cautioned that cybercriminals could attempt to siphon off relatively small amounts from victims' accounts, as a way to verify the validity of credentials, before launching a large-scale attack.

Three unspecified sources told The Times that while most banks updated their systems, Tesco Bank allegedly ignored the warning, leaving its systems vulnerable to cyberattacks. In the event that the probe finds any evidence of the bank having ignored warnings, Tesco Bank could face penalties as well as potential backlash from its customers.

"We can confirm that earlier this month the FCA alongside other authorities and agencies communicated with banks to highlight certain concerns regarding debit card payments. We do this as part of our business practices when needed. Due to the ongoing criminal investigation, we can't comment any further," FCA spokesperson said, according to The Times.

"In general, the FCA requires banks to have systems and controls to counter the risk that they are misused for the purposes of financial crime risk of all types, including fraud, money laundering and data security breaches.

"A bank is required to refund all unauthorised transactions within 24 hours, providing that the transaction was not compromised by a customer or made over 13 months ago," the spokesperson added.

A spokesman for Tesco Bank said: "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation. We refunded each customer account in full and have taken steps to help to reassure our customers that they can bank safely and securely at Tesco Bank. We have also confirmed directly with every customer affected that none of their customer data was lost or stolen.

"This incident has highlighted that all banks need to work together in the interests of all customers and the financial system," the spokesperson told The Times.

Tesco Bank earlier confirmed that the cyberattack saw £2.5m ($3.09m) stolen from 9,000 customer accounts.



"TESCO BANK'S MAJOR VULNERABILITY IS ITS OWNERSHIP BY TESCO", CLAIMS EX-EMPLOYEE

(The Register, dated 30th November 2016 author John Leyden)

Full article [Option 1]:

www.theregister.co.uk/2016/11/30/tesco_bank_breach_former_insider_breach_theory/

A former techie at the UK's Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket.

Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank. The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was "unaware" of any threat to the wider UK banking sector.

Tesco Bank's security procedures were solid but the bank was exposed because of Tesco's "not-very-secure-at-all systems" - a weakness hackers might well have exploited, our informed source (who requested anonymity) speculates.

TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff. Security architecture is sound, and vulnerabilities are patched in a timely manner. Fraud monitoring systems are industry standard. A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days.
All staff are vetted as per standard processes - TB is no more vulnerable to an internal breach than anyone else. Again, bigger and better targets are available. TB does have a problem with retaining experienced staff, and hoping that junior staff will step up when they leave, but that's not uncommon.

TB had one breach when they first opened Current Accounts - someone in the card printers got a list of card numbers and sold them. It was caught in time, and cards were destroyed. Presumably security at the printers has been improved, but I'd consider that to be a continuing possible vulnerability.

However, TB's major vulnerability is its ownership by Tesco, and the links between its secure systems and Tesco's not-very-secure-at-all systems. There was no evidence of patching and monitoring occurring in Tesco systems that we linked to at all. I strongly suspect that the Clubcard system has been breached and a list of TB account numbers farmed from there. I also suspect that nothing will be done to trace that possible route - TB has no influence over Tesco at all, due to relative scale, and the apparent bad relations between the chief executives.

In a follow-up email the former Tesco Bank worker, who worked in IT for the bank and at one time on its anti-fraud system, offered more details on security failings at the parent retailer.

I worked on a TB project that had to verify certain customer information on Tesco systems. The Tesco system would fall over on a regular basis, and we would have to tell Tesco it was down - they wouldn't monitor it. It later became clear that it was an app server running on a very outdated piece of middleware, completely unpatched. This was standard for Tesco systems. [The] only exception was the credit card payment system, which was secure because it was regulated. Separately I was aware of an effort to tie some TB systems more closely to Clubcard. However, it had to be abandoned once the architects discovered how insecure Clubcard itself was.

Various theories about what might have caused the breach at Tesco Bank have already been suggested. Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.

Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach.

Security intelligence firm Digital Shadows recently applied techniques for the Analysis of Competing Hypothesis (ACH) to assess the likelihood of the various competing explanations on offer. It concluded that either payment system compromise or the cash-out of cloned cards were the two theories that best matched the available facts. Cash-out of cloned cards would likely have been simpler to execute than payment system compromise, according to Digital Shadows, prompting the firm to lean towards this theory while not ruling out other possibilities.

El Reg ran the former Tesco Bank techie's insights past Digital Shadows. In response, Digital Shadows said that it had seen nothing so far to suggest that security problems at the Tesco supermarket were behind the breach, before conceding that it was still investigating.

Ken Munro, a director at security consultancy Pen Test Partners, described the former Tesco staffer's theory as all too plausible, based on his years of experience in the IT biz rather than any direct knowledge of the supermarket's systems.

"So often it's the incidental systems that cause issues," Munro told El Reg. "One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar. I remember a pen test a few years back of a network that was pretty much bulletproof - up to date, pretty well configured, reasonable passwords etc.

"Then we found an old fax server that was on the same domain. It didn't take long to compromise that flaky fax box and from there the domain controller. All the good work was undone by some failed oversight of one box.

"You're probably only as secure as your least secure system," Munro concluded.

Tesco Bank provided this statement: "On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m.

"We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation.

"We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."


(1st December 2016)


HACKED IN JUST SIX SECONDS
(The Telegraph, dated 2nd December 2016 author Telegraph Reporters)

Full article [Option 1]:

www.telegraph.co.uk/news/2016/12/02/hacked-just-six-seconds-criminals-need-moments-guess-card-number/

Criminals can work out the card number, expiry date and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found.

Experts from Newcastle University said it was "frighteningly easy" to do with a laptop and an internet connection.

Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack.

Researchers found that the system did not detect cyber criminals making multiple invalid attempts on websites in order to get payment card data.

According to a study published in the academic journal IEEE Security & Privacy, that meant fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously.

Within seconds, by a process of elimination, the criminals could verify the correct card number, expiry date and the three-digit security number on the back of the card.

Mohammed Ali, a PhD student at the university's School of Computing Science, said: "This sort of attack exploits two weaknesses that on their own are not too severe but, when used together, present a serious risk to the whole payment system.

"Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.

"This allows unlimited guesses on each card data field, using up to the allowed number of attempts - typically 10 or 20 guesses - on each website.

"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time.

"Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds - just like any online payment.

"So even starting with no details at all other than the first six digits - which tell you the bank and card type and so are the same for every card from a single provider - a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds."
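The two weaknesses Ali describes, per-site attempt limits with no cross-site counting and sites validating different field subsets, can be reproduced in a small simulation. The example below is added for this page; it is not the Newcastle University researchers' code and talks to no real merchant or card network. The card, the merchants and their attempt limits are constructed. The attacker guesses one field at a time, as in the article: expiry dates through sites that validate only PAN and expiry, then the CVV through sites that validate all three, always routing the next guess to a site that has not yet locked the card. `Issuer(central_limit=N)` is the issuer-side fix Visa alludes to below: one failure counter per card, shared by every site's authorisation request.

```python
"""Simulation of the distributed guessing attack described above.

Added example for this page; not the Newcastle researchers' code and connected
to no real merchant or issuer.  Card, merchants and limits are constructed.
"""
from collections import defaultdict
from typing import Optional

MERCHANT_LIMIT = 10          # bad attempts a single site tolerates per card


class Issuer:
    """Toy issuer; central_limit=None reproduces the weakness in the article."""

    def __init__(self, cards: dict, central_limit: Optional[int] = None):
        self.cards = cards                  # pan -> (expiry, cvv)
        self.central_limit = central_limit
        self.failures = defaultdict(int)    # pan -> bad attempts from ALL sites
        self.blocked = set()
        self.requests = 0

    def authorise(self, pan: str, expiry: Optional[str], cvv: Optional[str]) -> bool:
        self.requests += 1
        if pan in self.blocked:
            return False
        card = self.cards.get(pan)
        ok = (card is not None
              and (expiry is None or expiry == card[0])
              and (cvv is None or cvv == card[1]))
        if not ok:
            self.failures[pan] += 1
            if self.central_limit and self.failures[pan] >= self.central_limit:
                self.blocked.add(pan)       # every site now gets a decline
        return ok


class Merchant:
    """A site that checks some subset of the fields and rate-limits only locally."""

    def __init__(self, issuer: Issuer, fields: set):
        self.issuer, self.fields = issuer, fields
        self.attempts = defaultdict(int)    # pan -> attempts seen by THIS site

    def has_budget(self, pan: str) -> bool:
        return self.attempts[pan] < MERCHANT_LIMIT

    def try_payment(self, pan: str, expiry: Optional[str], cvv: Optional[str]) -> bool:
        self.attempts[pan] += 1
        return self.issuer.authorise(pan,
                                     expiry if "expiry" in self.fields else None,
                                     cvv if "cvv" in self.fields else None)


def guess_field(merchants: list, pan: str, candidates: list, make_args) -> Optional[str]:
    """One candidate per request, always via a site that has not locked us out."""
    for cand in candidates:
        site = next((m for m in merchants if m.has_budget(pan)), None)
        if site is None:
            return None                     # every site exhausted: attack fails
        if site.try_payment(pan, *make_args(cand)):
            return cand
    return None


EXPIRIES = [f"{m:02d}/{y:02d}" for y in range(16, 21) for m in range(1, 13)]  # 60
CVVS = [f"{n:03d}" for n in range(1000)]                                       # 1000


def run_attack(issuer: Issuer, pan: str) -> dict:
    expiry_sites = [Merchant(issuer, {"pan", "expiry"}) for _ in range(10)]
    cvv_sites = [Merchant(issuer, {"pan", "expiry", "cvv"}) for _ in range(100)]
    expiry = guess_field(expiry_sites, pan, EXPIRIES, lambda e: (e, None))
    cvv = None
    if expiry is not None:
        cvv = guess_field(cvv_sites, pan, CVVS, lambda c: (expiry, c))
    sites = expiry_sites + cvv_sites
    return {"expiry": expiry, "cvv": cvv, "requests": issuer.requests,
            "max_per_site": max(s.attempts[pan] for s in sites),
            "blocked": pan in issuer.blocked}


CARDS = {"4761730000000009": ("11/19", "321")}   # constructed, not a real card


if __name__ == "__main__":
    print(run_attack(Issuer(CARDS), "4761730000000009"))
    print(run_attack(Issuer(CARDS, central_limit=20), "4761730000000009"))
```

Without a central counter the card's expiry and CVV come back after 369 requests and no site ever sees more than its 10 permitted attempts; with `central_limit=20` the issuer blocks the card during the expiry phase and the attacker learns nothing. The merchants' own limits are the same in both runs, which is the point: the control has to live where all the attempts converge.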

Visa said: "The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.

"Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.

"We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts.

"For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability."

It said it also has the Verified by Visa system, which offers improved security for online transactions.

Tesco Bank said the fraud last month affected 9,000 customers and cost £2.5m.

A spokesman said: "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation."

(20th December 2016)