How Cyber Attackers Stole £2.26m From Tesco Bank Customers

Poor debit card security and a "series of errors" in reporting exacerbated an incident that could have been easily avoided.

The inner workings of a cyber-attack against Tesco Bank which saw £2.26m stolen from 9,000 customers, and resulted in the bank being fined over £16.4m for the failings that allowed it to happen, have been revealed.

The Financial Conduct Authority (FCA) has hit the bank with a £16.4m fine and said Tesco Bank failed to "exercise due skill, care and diligence" in protecting current account holders against a cyber-attack.

Almost two years on from the incident, the exact identity of the cyber criminals is still unknown, but the FCA's newly published report into the Tesco Bank attack details how hackers were able to make off with over £2m over the course of 48 hours in November 2016.

The attack started at 02:00 on Saturday, 5 November 2016; by 04:00, Tesco Bank's fraud analysis and detection system started sending automatic text messages to the bank's personal current account holders asking them to call about "suspicious activity" on their accounts, which is how the bank itself first became aware of the attack. 

As the fraud attempts increased, the calls quickly overwhelmed Tesco Bank's fraud prevention line.

Although Tesco Bank's controls stopped almost 80 percent of the unauthorised transactions, the attack affected 8,261 out of 131,000 Tesco Bank personal current account

The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those virtual cards, they attempted to make thousands of unauthorised debit card transactions.

The FCA said Tesco Bank's failures include the way in which the bank distributed debit card numbers and mistakes made in the reaction to the attack which meant that no action was taken for almost a day after the incident was first uncovered.

A number of deficiencies in the way Tesco Bank handled security left customers vulnerable to cyber attackers in an incident that was "largely avoidable", said the FCA analysis of the incident which Tesco Bank had to this point been tight-lipped about - to the frustration of other financial institutions. 

Poor design of Tesco Bank debit cards played a significant role in creating security vulnerabilities that led to thousands of customers having their accounts emptied. One of these involved the PAN numbers - the 16-digit card number sequence used to identify all debit cards.

Tesco Bank inadvertently issued debit cards with sequential PAN numbers. This increased the likelihood that the attackers would find the next PAN number in the sequence.

It took 21 hours after the attack began before Tesco Bank's Fraud Strategy Team was informed about the incident.

Only after what the FCA describes as a "series of errors" - including Tesco Bank's Financial Crime Operations Team sending an email to the wrong address, instead of making a phone call as procedure requires - was the fraud team made aware of the attack.

In all that time, nothing had been done to stop the attacks, with fraudulent transactions continuing to siphon money from accounts as the bank received more and more calls from worried customers.

It was only once the Fraud Strategy Team had finally been alerted that some headway was made into countering the attack. It was found that the vast majority of transactions were coming from Brazil and were using a payment method known as 'PoS 91' - making transactions based on magnetic stripes that carry identifying information about the debit card. 

This payment method is widely used outside of Europe and crucially doesn't limit the value or number of transactions - and the number of successful attacks showed that the attackers had acquired the relevant PAN numbers.

Once PoS 91 was identified as the most frequently used channel for fraudulent transactions and Brazil as the location they were occurring, Tesco Bank's Fraud Strategy Team put a rule in place to block those transactions from 1:48am on Sunday 6th November - almost a full 24 hours after the attack began.

But the trouble didn't end there: errors were made in the implementation of this rule which made it ineffective - they used the Euro currency code instead of Brazil's country code - and nobody noticed this until later. 

As a result, the number of attempted transactions continued to rise, reaching 80,000 by Monday 7 November, with Tesco Bank blocking 90 percent of these.

In an effort to counter this, Tesco Bank brought in external experts to uncover the problem in fraud detection systems that allowed these transactions to go through, it turned out to be a coding error by Tesco Bank's Financial Crime Operations Team which had been made when it originally programmed the fraud detection system. 

By the time this was discovered, it was almost two days after the fraudulent transactions started and customers had lost a combined total of £2.26m to cyber criminals.

Overall, the FCA found that Tesco Bank failed to exercise due skill, care and diligence to the design and distribution of debit cards, configuring specific authentication and fraud detection rules or when taking appropriate action to prevent the foreseeable risk of fraud.

The FCA also criticised Tesco Bank for failing to react to the incident with "sufficient rigour, skill and urgency".

As part of efforts to prevent fraudulent transactions, all 136,000 Tesco Bank current account holders had their accounts temporarily frozen, which the FCA report says caused many "embarrassment and inconvenience" when payments weren't able to be made. Victims of the attack each had their accounts re-instated to the pre-attack balance and some even received compensation.

In the aftermath of the attack, Tesco Bank is now said to have put a "comprehensive programme and significant resources into the issues which made it vulnerable to attack". However, when pressed on what these improvements are, Tesco Bank wouldn't give details.

While Brazil has been described as the potential location of those behind the attack, two years on there's still no information on who was behind the attack, and no arrests have been made.

ZDNet:

You Might Also Read:

How Hackers Skipped Through BA’s Security

« The Weaponization Of Social Media
Massive Facebook Hack Exploited Critical Bugs »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Defense Media Group (CDMG)

Cyber Defense Media Group (CDMG)

CDMG is the leading global media group for all things cyber defense.

CERT-In

CERT-In

CERT-In is a functional organisation of the Ministry of Information & Electronics Technology, Government of India, with the objective of securing Indian cyber space.

European Network for Cyber Security (ENCS)

European Network for Cyber Security (ENCS)

ENCS’s core focus is around educating and solving cyber security challenges in the development and operation of energy grids across Europe.

Silicom Denmark

Silicom Denmark

Silicom Denmark is a premier developer and supplier of FPGA-based interface cards for cyber-security, telecommss, financial trading and other sectors.

Muninn

Muninn

At Muninn (aka Wehowsky), we specialize in mitigating potential risks within your network, providing one of the leading network detection and response (NDR) solutions on the market.

RazorSecure

RazorSecure

RazorSecure offers products and services to enhance railway cyber security, by protecting and monitoring networks and key systems.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

Startup Wise Guys

Startup Wise Guys

Startup Wise Guys is a mentorship-driven accelerator program for early stage B2B SaaS, Fintech, Cybersecurity & Defense AI startups.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

Alpine Security

Alpine Security

Alpine Security provides penetration testing, security assessments and cybersecurity training services.

Redsquid

Redsquid

At Redsquid we are all about making a difference to our customers with the use of technology, as an innovative provider of solutions within IoT, Cyber security, ICT, Data Connectivity & Voice.

VCG Group

VCG Group

VCG provides everything you need for the design, implementation and management of data centres, cyber-secure enterprise networks, cloud and connectivity services.

NewAE Technology

NewAE Technology

NewAE Technology is revolutionizing the hardware security market by making every engineer and designer aware of side-channel power analysis and glitching as important attack vectors.

Memcyco

Memcyco

Memcyco is a provider of cutting-edge digital trust technologies to empower brands in combating online brand impersonation fraud, and preventing fraud damages to businesses and their clients.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.

HTL Support

HTL Support

HTL Support, your trusted partner for comprehensive IT support in London. We specialize in delivering top-tier IT solutions tailored to both large enterprises and small businesses.