It’s been a rough weekend for 20,000 customers of British retail bank Tesco Bank: they’ve witnessed their bank accounts being plundered and have been phoning the bank to report the theft, but most of them couldn’t get through.
The attack started on Friday. The bank identified suspicious activity in a subset of its customers’ current accounts, and made sure that online payments and payments that can be effected without entering the PIN could not be made from the affected accounts.
They began notifying affected account holders by text message, explaining that they could still use the card to withdraw money from ATMs and make chip and PIN transactions, that they would not lose money as a result of these attacks, and that they would receive a new card within 7 to 10 days.
Affected customers have flooded the bank’s phone lines with calls, asking for more information and complaining that their cards are not working at ATMs.
Several of the customers commented online that they had never used the card they received for their affected account, so it seems that the cards were never skimmed at an ATM or a retailer’s PoS system.
Piers Wilson, head of product management at Huntsman Security, said that it’s very unlikely that card-skimming at Tesco Bank ATM machines was to blame for this, as customers of other banks would have also been affected.
“It’s unclear yet exactly what happened, but there are a number of potential sources behind the attack on Tesco Bank,” he noted. “It could be a case of insider activity, where an employee has misused their access privileges to take cash from customer accounts. It could equally be a result of an outside hack, targeting a database of Tesco Bank account holders, either within the bank itself, or within a third-party that the bank has shared that data with.”
The bank has still not explained how the attacks happened, but its chief executive Benny Higgins has said that they are taking every step to protect customers’ accounts.
“That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal,” he stated.
He also promised, once again, that “any financial loss as a result of this activity will be resolved fully by Tesco Bank,” and that further information will be provided soon.
All in all, 40,000 accounts were hacked and 20,000 emptied of cash.
The UK National Crime Agency is coordinating the law enforcement response to the breach. All Tesco Bank customers are advised to be wary of potential phishing emails and/or calls impersonating the bank, asking for their personal info, password or bank details.
The Daily Mail says that there is a possibility that hackers may have found a way to create cards for Tesco Bank accounts.
“One customer told MailOnline today that he had never been given a debit card because he has an online savings account, but then someone using a new card linked to his account tried to pay for goods in Rio de Janeiro at 9am yesterday,” the publication said.
“After talking to the bank, who blocked the transaction, he said: ‘It appears to the bank that someone has worked out the algorithm to create card numbers and start/end dates. They told us that the specific transaction was a card holder present and it was a swipe of the magnetic strip type of transaction’.”
The attacker(s) chose to conduct the fraudulent transactions during the weekend, a period during which most organizations are under-staffed and slower to respond to any emergency.
“Businesses should make sure they have the proper detection mechanisms and incident response processes in place. If the business has a 24×7 operational remit, security processes should be applied systematically at all times of the day, every day of the week,” Thomas Fischer, threat researcher and security advocate at Digital Guardian, commented for Help Net Security.
Tesco Bank has been relatively quick to respond to the breach, but was not able to prevent the exfiltration of funds from (too) many accounts.
“This really underlines the importance of being able to detect any suspicious or anomalous behaviour within milliseconds of cybercriminals launching their attacks,” Wilson noted.
“The only way businesses can achieve that level of speed is by integrating machine learning techniques with their cybersecurity measures, so the tools become capable of responding to an attack faster than their human operators ever could.”
UPDATE (November 9, 2016):
Tesco Bank has resumed normal service, and has reimbursed affected customers (9,000 of them) with a total of £2.5 million that was stolen during the attack. No personal data has been compromised.
“We are continuing to work closely with the authorities and regulators in their criminal investigation of this incident,” Higgins added, declining to offer more info about the investigation.