Tesco Bank - Security Breach!

Discussing offers, rates and deals on suppliers
Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Tesco Bank - Security Breach!

#1145

Postby Slarti » November 6th, 2016, 2:22 pm

If you use Tesco Bank, please check your account ASAP as they have had some sort of security breach at a 3rd party.

My own account seems to be involved, so I am waiting to talk to a human at the moment.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#1772

Postby Slarti » November 7th, 2016, 4:41 pm

An update. Chip & Pin Dr Card transactions, Direct Debits & Standing Orders are still happening, but it is not currently possible to log into the online banking and electronic payments are not being allowed.

I seemed to have an EP in limbo yesterday as my available balance was less than my balance, and I haven't done any transactions on that account for a couple of weeks.

Interesting times.

Linfiter
Posts: 3
Joined: November 4th, 2016, 2:07 pm
Has thanked: 11 times

Re: Tesco Bank - Security Breach!

#1781

Postby Linfiter » November 7th, 2016, 4:51 pm

[quote="Slarti"

I seemed to have an EP in limbo yesterday as my available balance was less than my balance, and I haven't done any transactions on that account for a couple of weeks.

Interesting times.[/quote]


What is an EP? I have the same discrepancy between balance and available balance.

Regards

Linfiter

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#1791

Postby Slarti » November 7th, 2016, 5:12 pm

EP=Electronic Payment usually made through browser or mobile app.

Breelander
Lemon Quarter
Posts: 4179
Joined: November 4th, 2016, 9:42 pm
Has thanked: 1001 times
Been thanked: 1855 times

Re: Tesco Bank - Security Breach!

#1814

Postby Breelander » November 7th, 2016, 5:40 pm

Linfiter wrote:[quote="Slarti"...


Be careful when you edit quotes, you lost the trailing ']' from the [quote= ... ] bit - that's why it didn't work.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#2648

Postby Slarti » November 9th, 2016, 8:41 am

Well it all seems to be back to normal and Tesco have posted this on their website as well as texting it to account holders, Mrs S and I


Full service has resumed for our customers

We can confirm that normal service has resumed at Tesco Bank following the temporary suspension of online transactions from current accounts.

Our first priority throughout this incident has been protecting and looking after our customers.

We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’re also keen to reassure our customers that none of their personal data has been compromised.

Around 9,000 customers were affected by these fraudulent transactions and all customers affected have been fully reimbursed. We are continuing to work closely with the authorities and regulators in their criminal investigation of this incident.

I’d like to thank our customers for their patience during this time, and to apologise for the worry and inconvenience this issue has caused.



Sounds as if it was someone else who was breached.

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#2717

Postby swill453 » November 9th, 2016, 10:48 am

Tesco Bank must be thanking their lucky stars this happened in US election week. For the most serious ever breach of banking technology to pretty much drop off the news is remarkable.

There will be regulatory consequences of course.

Scott.

surreycanary
Posts: 5
Joined: November 9th, 2016, 2:08 pm
Been thanked: 1 time

Re: Tesco Bank - Security Breach!

#3247

Postby surreycanary » November 10th, 2016, 12:24 pm

I have a current account with Tesco Bank that was not affected by the "hack". It doesn't have much money in it.
I would love to know how the breach was carried out but I expect customers will not be told (for security reasons). Please post here if you have any idea of how it was done, (inside job, etc??),
cheers,
Martin

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#3256

Postby swill453 » November 10th, 2016, 12:45 pm

Given that they don't appear to be making changes to the online system, or mandating wholesale password resets, I suspect the security of Tesco Bank's own banking system wasn't breached.

There's been lots of use of the word "online" in the deliberately vague official statements, but I think the only restriction they put in place was online payments to retailers using debit cards.

So I suspect that the baddies somehow got hold of a whole load of Debit Card details (number, expiry and CVV) and started making thousands of purchases, possibly to compliant "merchants".

So either:
- an inside job at their 3rd party card supplier
- a security breach at the above
- "discovery" of the algorithm to create new numbers/CVVs

Disclaimer - pure speculation, though I used to work at Tesco Bank.

Scott.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#3271

Postby Slarti » November 10th, 2016, 1:15 pm

swill453 wrote:Given that they don't appear to be making changes to the online system, or mandating wholesale password resets, I suspect the security of Tesco Bank's own banking system wasn't breached.

There's been lots of use of the word "online" in the deliberately vague official statements, but I think the only restriction they put in place was online payments to retailers using debit cards.

So I suspect that the baddies somehow got hold of a whole load of Debit Card details (number, expiry and CVV) and started making thousands of purchases, possibly to compliant "merchants".

So either:
- an inside job at their 3rd party card supplier
- a security breach at the above
- "discovery" of the algorithm to create new numbers/CVVs

Disclaimer - pure speculation, though I used to work at Tesco Bank.

Scott.


Online debit card payments to retailers was one thing that they blocked, together with contactless payments and electronic payments, through the website, to the extent that for a couple of days I couldn't even log in.

Cheers
Slarti

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#3282

Postby swill453 » November 10th, 2016, 1:38 pm

Slarti wrote:Online debit card payments to retailers was one thing that they blocked, together with contactless payments and electronic payments, through the website, to the extent that for a couple of days I couldn't even log in.


They may have been ultra cautious and temporarily blocked vectors which weren't actually attacked.

My hunch stands, until shown otherwise :-)

Scott.

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#5558

Postby swill453 » November 16th, 2016, 11:09 am

swill453 wrote:So either:
- an inside job at their 3rd party card supplier
- a security breach at the above
- "discovery" of the algorithm to create new numbers/CVVs

Still no info from any authoritative source on the nature of the breach.

However the Reg reports on an "Analysis of Competing Hypothesis (ACH)" using the available data, which said "cash-out of cloned cards is more likely than other possibilities it examined".

So maybe I'm kinda right. Remains to be confirmed though.

http://www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analysis/

Scott.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#5594

Postby Slarti » November 16th, 2016, 12:45 pm

swill453 wrote:
swill453 wrote:So either:
- an inside job at their 3rd party card supplier
- a security breach at the above
- "discovery" of the algorithm to create new numbers/CVVs

Still no info from any authoritative source on the nature of the breach.

However the Reg reports on an "Analysis of Competing Hypothesis (ACH)" using the available data, which said "cash-out of cloned cards is more likely than other possibilities it examined".

So maybe I'm kinda right. Remains to be confirmed though.

http://www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analysis/

Scott.

Thing is, I've only ever done direct debits out of my Tesco account. The card has never been used.

I only do the monthly DD as I needed something to use up the £750 monthly payment in that was needed, so I set my Tesco credit card to be paid by DD from the account and then topped it back up to £3k for the interest.

So I don't see how my card could have been cloned.

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#5598

Postby swill453 » November 16th, 2016, 12:52 pm

Slarti wrote:So I don't see how my card could have been cloned.

It would depend on how the details were obtained (hypothetically at the moment of course).

Getting hold of your physical card, or intercepting its use, are only some of the possible ways; I suggested a few more in my post.

Scott.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#6976

Postby Slarti » November 20th, 2016, 12:38 pm

Latest update.

Tesco are sending out new debit cards to those who had fraudulent transactions attempted, according to their text to Mrs S.

I haven't had a text, so I wonder if that means it was her card that was the attack vector. We'll see when new card or cards come through.


Still very odd.

Slarti

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#9624

Postby swill453 » November 28th, 2016, 11:31 am

I missed this story, which gives some more information, that mobile phones were used in contactless transactions for low amounts of money in the US and Brazil.

http://www.thetimes.co.uk/article/tesco-hackers-used-mobiles-to-launder-haul-92tjftd57

I don't have an account at The Times so I can't see the whole article though. As far as I can see there's still no indication of how the thieves managed to get hold of the debit card details.

Scott.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#9646

Postby Slarti » November 28th, 2016, 12:51 pm

Here's a non paywall similar story http://www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709 which doesn't look good for Tesco.

On the replacement card front, Mrs S has had a replacement, I haven't.

Ah, just worked out why. Her card is contactless, mine isn't, which fits in with the Times story.



Interesting times
Slarti

swill453
Lemon Half
Posts: 7982
Joined: November 4th, 2016, 6:11 pm
Has thanked: 987 times
Been thanked: 3656 times

Re: Tesco Bank - Security Breach!

#9736

Postby swill453 » November 28th, 2016, 4:29 pm

Looks like the "glitch" mentioned is some "feature" of the card-handling system* that allowed the thieves to repeatedly hit it with random card number/expiry combinations, and get some indication as to whether it was actually a valid number or not. A different error code possibly.

Then once they had a bunch of valid numbers, they loaded them into mobile phones and went on a contactless spending spree.

* - not sure if this would be at Tesco Bank itself, or somewhere further down the line.

Scott.
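
A defensive sketch of the weakness described in the post above, added here as an example and not part of the thread or of any bank's or card scheme's code: return the same decline for every failure reason, and count failed attempts per card and per source in a sliding window. The log fields, result strings and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of authorisation attempts (not real data):
# (unix_ts, source, card_token, internal_result). All names are assumptions.
SAMPLE = [
    (1000, "src-A", "card-1", "BAD_EXPIRY"),
    (1060, "src-B", "card-1", "BAD_EXPIRY"),
    (1120, "src-C", "card-1", "BAD_EXPIRY"),     # same card, three sources
    (1130, "src-D", "card-10", "UNKNOWN_CARD"),
    (1131, "src-D", "card-11", "UNKNOWN_CARD"),
    (1132, "src-D", "card-12", "UNKNOWN_CARD"),
    (1133, "src-D", "card-13", "UNKNOWN_CARD"),  # one source, many cards
    (1200, "src-E", "card-2", "BAD_EXPIRY"),
    (1260, "src-E", "card-2", "APPROVED"),       # ordinary typo, then success
    (5000, "src-F", "card-3", "BAD_EXPIRY"),
    (9000, "src-F", "card-3", "BAD_EXPIRY"),     # failures far apart in time
]

def external_response(internal_result):
    """Return one generic decline for every failure reason, so the caller
    cannot tell an unknown card number from a wrong expiry date."""
    return "APPROVED" if internal_result == "APPROVED" else "DECLINED"

def detect_guessing(events, window=600, max_card_fails=3, max_source_cards=4):
    """Sliding-window failure counts; returns (cards_to_lock, sources_to_block)."""
    card_fails = defaultdict(deque)    # card_token -> failure timestamps
    source_fails = defaultdict(deque)  # source -> (ts, card_token) failures
    locked, blocked = set(), set()
    for ts, source, card, result in sorted(events):
        if result == "APPROVED":
            continue
        # Per-card count spans every source, so failures arriving from
        # many places still add up against the same card.
        q = card_fails[card]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_card_fails:
            locked.add(card)
        # Per-source count of distinct cards that failed recently.
        s = source_fails[source]
        s.append((ts, card))
        while ts - s[0][0] > window:
            s.popleft()
        if len({c for _, c in s}) >= max_source_cards:
            blocked.add(source)
    return locked, blocked
```

On the constructed sample, `detect_guessing(SAMPLE)` locks `card-1` and blocks `src-D`, while the single mistyped expiry on `card-2` and the widely spaced failures on `card-3` are left alone.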

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Tesco Bank - Security Breach!

#11987

Postby Slarti » December 5th, 2016, 10:10 am

swill453 wrote:Looks like the "glitch" mentioned is some "feature" of the card-handling system* that allowed the thieves to repeatedly hit it with random card number/expiry combinations, and get some indication as to whether it was actually a valid number or not. A different error code possibly.

Then once they had a bunch of valid numbers, they loaded them into mobile phones and went on a contactless spending spree.

* - not sure if this would be at Tesco Bank itself, or somewhere further down the line.

Scott.


It appears that it is a fault with the Visa system, Tesco cards being Visa https://www.theguardian.com/technology/2016/dec/02/tesco-bank-cyber-attack-involved-simply-guessing-details-study-claims

But why only Tesco Bank?

Slarti

simoan
Lemon Quarter
Posts: 2100
Joined: November 5th, 2016, 9:37 am
Has thanked: 469 times
Been thanked: 1463 times

Re: Tesco Bank - Security Breach!

#12072

Postby simoan » December 5th, 2016, 1:28 pm

Slarti wrote:But why only Tesco Bank?

Slarti

This security weakness is specific to Visa payments and the same attack does not work against Mastercard. I have read elsewhere that the weakness was known by Visa and an advisory note to update systems was made some time ago, and so it may be that Tesco Bank did not update its Visa payment system.

All the best, Si

