Insider job?
If it is an insider job, it'll be easy to find out who - just see who turns up in a Ferrari next week...
Tesco Bank has enlisted the help of the National Cyber Security Centre (NCSC) following the most serious cyber-attack launched against a UK bank. The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20, …
begin transaction;
$b4 = select sum(balance) from allaccounts;
update allaccounts set balance = balance*0.9 where balance > 0;
$afta = select sum(balance) from allaccounts;
$myac = '0123456...';
update allaccounts set balance = balance +$b4-$afta where acno = $myac;
end transaction;
commit;
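The snippet above skims ten percent off every balance and re-credits the difference to one account, so the total of all balances is unchanged. The defender's answer is per-account reconciliation against the transaction journal rather than a totals check. The following Python is an added example, not from the thread or any bank; the account numbers, balances and the single journalled transfer are constructed.

```python
from decimal import Decimal

# Constructed opening and closing balances for one day (acno -> balance)
OPENING = {"A1": Decimal("100.00"), "A2": Decimal("250.00"),
           "A3": Decimal("50.00"), "X9": Decimal("0.00")}
CLOSING = {"A1": Decimal("90.00"), "A2": Decimal("225.00"),
           "A3": Decimal("45.00"), "X9": Decimal("40.00")}
# Movements the transaction journal actually recorded: (from, to, amount), constructed
JOURNAL = [("A2", "A1", Decimal("10.00"))]


def expected_closing(opening, journal):
    """Replay the journal over the opening balances to get what closing should be."""
    balances = dict(opening)
    for src, dst, amount in journal:
        balances[src] -= amount
        balances[dst] += amount
    return balances


def reconcile(opening, closing, journal):
    """Return (per-account unexplained movement, drift in the grand total).

    A totals-only check passes when the skim is re-credited elsewhere, which is
    exactly what the snippet in the comment does; per-account comparison against
    the journal still flags every touched account."""
    expected = expected_closing(opening, journal)
    unexplained = {acno: closing[acno] - expected[acno]
                   for acno in closing if closing[acno] != expected[acno]}
    total_drift = sum(closing.values()) - sum(opening.values())
    return unexplained, total_drift


if __name__ == "__main__":
    movements, drift = reconcile(OPENING, CLOSING, JOURNAL)
    print("grand total drift:", drift)          # 0.00: the totals check is blind
    for acno, delta in movements.items():       # but every account is flagged
        print(f"{acno}: unexplained {delta:+}")
```

The sum-of-balances invariant is worth keeping as a cheap sanity check, but on its own it only catches a thief who forgets to balance the books.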
Bit of a tangent (but banking related)
One of my pet hates is Verified by Visa (3D Secure): in addition to encouraging just the sort of "move off site to some random url" behaviour you would see in cross site scripting attacks, it asks for selected characters of your password, implying some form of plain text storage.
Annoyingly VbV is very hard to avoid, way too many online shopping places use it, I'm left with few shopping options online.
A password that lets you get at someone's money should not be stored in plaintext; at least a bit of security should be applied. Even a simple, individual "slow" (computationally expensive, so brute-forcing attacks are slow) hash and encryption approach is better than nothing (obviously pick protocols where existing huge rainbow tables do not make a mockery of your efforts).
asks for selected characters of your password, implying some form of plain text storage
No it doesn't - you could store a hash for each individual character; though this does mean that if someone steals the hashes, they won't need a very big rainbow table :). A strongly encrypted password can be quite secure, but it probably depends on a secret key, which will need to be kept 'secret'.
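The reply is right that per-character hashes are possible, and right that the rainbow table would be tiny: each position can only hold one of roughly 94 printable characters, so salting buys nothing. The Python below is an added illustration of that point, not code from the thread or from any card scheme; the per-position SHA-256 scheme and the alphabet are assumptions chosen to make the arithmetic concrete.

```python
import hashlib
import os
import string

# Alphabet a single password position can take (constructed: printable ASCII, no space)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_char(ch, salt):
    """Hypothetical per-position scheme: SHA-256 over salt || one character."""
    return hashlib.sha256(salt + ch.encode()).hexdigest()


def store_per_character(password):
    """Store one freshly salted hash per character, as the reply proposes."""
    stored = []
    for ch in password:
        salt = os.urandom(16)
        stored.append((salt, hash_char(ch, salt)))
    return stored


def recover_per_character(stored):
    """Invert each position with a table of only len(ALPHABET) entries per salt.

    Returns the recovered password and the number of hashes that took; the
    per-salt table is rebuilt for every position, and is still trivial."""
    recovered = []
    hashes_computed = 0
    for salt, digest in stored:
        table = {hash_char(c, salt): c for c in ALPHABET}
        hashes_computed += len(ALPHABET)
        recovered.append(table[digest])
    return "".join(recovered), hashes_computed


def work_factor(length):
    """Hashes for an exhaustive search: per-character storage vs one hash of the whole."""
    return len(ALPHABET) * length, len(ALPHABET) ** length


if __name__ == "__main__":
    pw = "Tr0ub4dor!"
    got, n = recover_per_character(store_per_character(pw))
    print(f"recovered {got!r} with {n} hashes; whole-password search would need {work_factor(len(pw))[1]}")
```

The lesson for a scheme that asks for "characters 2, 5 and 7" is that anything letting the server check individual positions is, for practical purposes, reversible storage, which is why the better options are reversible encryption under a key held in an HSM or simply not using partial passwords at all.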
Yes it does. It depends on the card issuer. One of my cards' Verified by Visa asks for the full password; the other asks for random characters.
My biggest gripe with it is that it responds "no that is not your password", you shout at it "yes it is". Select change password; Answer some staggeringly easy questions (you know, like mother's maiden name and postcode) and set your new password and it says "you've used that one before you can't have it" - at which point you punch the screen shouting "that's the bloody one I was entering before". You just end up in a loop resetting your password every single time you're forced to use it.
Verified by Visa is just the banks attempting to offload their fraud liabilities on to the retailer.
Banking (and some shop) sites for whatever reason are a pain in the arse. I run Firefox with No-script and adblock.
I use 2 or 3 different banking sites and they all have issues with that setup. I end up having to fire up Edge without the extra security in order to get through the security on the banking website.
VbV always triggers a XSS warning in no-script whenever it appears so that I have to backtrack any purchases and return with no-script disabled.
> Annoyingly VbV is very hard to avoid, way too many online shopping places use it, I'm left with few shopping options online.
You can ask your card issuer to remove it.
Most of the sites that I use work just fine without. I've only encountered one where it refused, and that was one where it was trying to establish identity rather than take money.
My problem with VbV is that it is not at all secure: to reset the password all you need is the victim's account details and date of birth, which will be on the driving licence in the wallet you've just stolen. I've given up trying to remember my password for it and just reset it every time, as it is quicker and easier.
Not sure if it's different now but last time I used VbV ages ago I had forgotten my password - and the only things I had to provide to do that were already included in the transaction I was trying to verify!
So, no actual verification was being performed over and above that at all.
As in the title: I don't understand why this isn't getting more (and more vigorous) news coverage.
Admittedly it is early days, but this is a hack of Tesco's systems, not info harvested from phishing creds from individuals. The nature and scale of the attack is worrying.
I have suspected it is easier from inside out and that either getting an insider or at least tricking an insider to install your backdoor is probably going to give you a better ROI than trying to break through the front door.
So my guess is dumb employee installing xyz without permission or some other form of social engineering letting the bad guys in a side door.
Santander were hit a few years back when a 'cleaner' fitted a KVM hooked to a 3G router into the network.
"Santander were hit a few years back when a 'cleaner' fitted a KVM hooked to a 3G router into the network."
Interesting, didn't know the KVM exploit had happened to Santander as well as to Barclays (2013):
http://www.telegraph.co.uk/news/uknews/crime/10322536/Barclays-hacking-attack-gang-stole-1.3-million-police-say.html
Actually they request a username, pin and a password. And do device recognition supplemented by one-time passwords. So storing the pin in reversible format is perfectly acceptable as long as the password isn't. It might not be the strongest authentication available for online banking, but it's a huge stretch to call it weak.
Your rent-an-expert doesn't have a clue.
Thank you for asking the question that has been worrying me too.
The money can't have gone into a sack behind a hedge somewhere, so is the destination bank account subject to a digital stakeout? Alternatively, was this just a prank in which someone zeroed 9,000 accounts without actually stealing any money?
"it likely either Tesco's internal systems, or their mobile application, have been hacked. "
For weeks now I've been getting emails to my Hotmail account purporting to be from Tesco Bank with the usual "Your account has had an unusual transaction." type crap (I don't have a Tesco account); it's equally likely they are just exploiting a spear phishing haul.
I work for a company that sells medical instruments internationally - the biggest driver for being secure, and having a strict quality process isn't the threat of fines, it's the threat of losing their certification - and therefore unable to sell instruments in various regions. To keep these certifications we have regular audits.
So rather than just giving these banks big fines when a breach happens - set up audits, make banks stick to minimum (but high) levels by setting data protection standards for user information and secure systems. Those standards should lay out minimum levels of protection (2fa, salted hash encryption for passwords etc) for accessing accounts through apps and storage of user data internally. If companies are audited and their mobile/websites/internal systems don't live up to these user protection standards then take away their ability to do business within the UK/EU.
If a company screws up, then it's not just a fine that'll be passed on to the victims of said breach (the customers); it's the company's ability to make money that's put on the line.
I'm not in the finance industry, so no idea if they already do this... seems like they don't, since Barclaycard also do the "first, third letter of your password" style of login. Not to mention the laughable Verified by Visa system.
http://www.tescobank.com/help/current-account-fraud-update/
Under the FAQ section:
"Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details"
Are they implying that it was a security compromise in the Visa debit card or contactless system?
Peter Yapp, the deputy director for the incident management directorate, explained how his role worked: “If something [regarding a cyber incident and your company] breaks in the press, I'll get a call from someone in government,” he said, and he would be expected to explain what the incident meant.
“If you haven't phoned me and told me about it, I will phone you,” stated Yapp.
“It is worth telling me about the most serious incidents,” he told his audience, acknowledging that these were difficult to define, before comforting them: “We do not tell the ICO what you tell us.”
http://www.theregister.co.uk/2016/10/13/new_gchq_unit_says_it_wont_rat_your_breached_business_out_to_the_ico/
The article and many comments seem to be focussing on online banking; but the news item on this have repeatedly said online banking was not stopped, online payments were.
Noting all the banks seem to have their own Verified By Visa and Mastercard Secure implementations, I'm wondering if the criminals have got into or behind that, sending payment instructions into a "back door" at the point they only need basic details; just a card number and maybe card expiry?
That doesn't necessarily need a hack inside Tesco's firewall, nor does it invalidate card details etc; it would basically be a coding c***up that had been discovered (or deliberately set) and exploited?
If it were a problem with online banking security then surely that would have been switched off instead?
Ten years ago, it was bleeding obvious that security was insufficient at almost all UK banks. That whole "Enter the first, third and fifth number of your PIN" nonsense that would be much more secure if they had enough brain cells to not ask for them in order each and every time. Halifax - for one - still does this, though they've at least moved to selecting from a drop-down list to frustrate the very simplest of keyloggers. HSBC moved to one-time codes and then inexplicably re-introduced the in-order random bits of PIN in their mobile application. Because Android is more secure than a desktop or something.
You can only conclude that they don't actually care.
Having designed a few online banking solutions for UK retail banks, I reckon that this looks like a debit card key compromise. The fraudulent transactions seemed to originate abroad, having been used for various online purchases, which to me sounds like the actual ebanking system was not compromised. AFAIK Tesco didn't shut down their branch or online systems after the breach.
If a key has been compromised and someone is minting new cards, then that's bloody interesting. I've not heard of a type 4 issuer having a key compromise before.
In 2008 I captured the Tesco tech support page because I was shocked at it being 2 years out of date.
The drivers on the site are obsolete version 1s, and intended for XP SP1 or earlier.
http://wayback.archive.org/web/20080116201557/http://direct.tesco.com/content/specials/technika.aspx
They were obsolete when they were posted, as upon investigation I found the chipsets to be EOL by their own manufacturers, but they had driver updates for newer OSs.
https://vivaldi.net/userblogs/entry/technika-webcam
In 2013 they finally updated the site!
...and still had the same drivers.
It is now almost 2017 and guess what?
Yes, 10 years down the line Tesco are still only offering drivers for products they no longer sell, and almost nobody can use.
http://ttselectrical.custhelp.com/app/answers/detail/a_id/2791/~/technika-drivers
Tesco do the bare minimum they can get away with to tick a legal box.
Customers shrug and put up with it.
Customer and technical support have no idea who made the Technika products, or whether they contain any vulnerabilities, so if they did, there would be no way to offer any solutions.
Heaven forbid any mug buys a Technika brand IoT device.
http://www.thetimes.co.uk/article/tesco-hackers-used-mobiles-to-launder-haul-92tjftd57
"Raiders used contactless accounts to spend stolen £2.5m in US and Brazil
The criminals behind the Tesco Bank cyber-heist went on a spending spree in shops in the US and Brazil to launder their ill-gotten gains, The Sunday Times can reveal.
The thieves used data stolen from the British lender to set up contactless payment accounts on smartphones, sources said.
In a co-ordinated raid last weekend, they bought thousands of low-priced goods from stores, swiping their mobile phones at the tills. Many of the fraudulent transactions are understood to have been made in American electricals retailer Best Buy.
The gang took £2.5m from 9,000 Tesco Bank customers before the lender detected suspicious activity and froze all online payments."
http://www.thetimes.co.uk/article/tesco-bank-failed-to-heed-warning-on-cyberattack-rpgvhrh8j
"Security flaw enabled fraudsters to steal millions
Investigators are looking into whether Tesco Bank ignored a warning about a security flaw in its payment system that allowed fraudsters to steal millions of pounds from the accounts of thousands of its customers.
Officials at the Financial Conduct Authority and the National Crime Agency believe that Tesco might have failed to act on an industry-wide warning from Visa a year ago. They believe that hackers using specially designed computers were able to take advantage of a so-called Code 91 glitch to access the debit card details.
The glitch meant that criminals were able to repeatedly “ping” payment sites with random debit card numbers until they found a match with a customer’s card number, expiry date and three-digit security code."
More here:
http://www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709
https://www.icba.org/files/Bancard/PDFs/MitigatingFraudRiskThroughCardDataVerification.pdf
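The quoted articles describe attackers repeatedly "pinging" payment sites with guessed card details until something authorises. From the issuer's or acquirer's side that pattern is visible in the authorisation stream as a burst of attempts across many distinct cards from one source, almost all declined. The Python below is an added example of that velocity check, not code from Tesco, Visa or the articles; the log format, merchant ids, card tokens and thresholds are all constructed, and the outcome codes are simplified to APPROVED/DECLINED rather than any real response code.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed authorisation attempts, one per line: ISO time, merchant id, card token, outcome.
# Tokens stand in for card numbers; real PANs should never appear in a log like this.
SAMPLE_LOG = """\
2016-11-05T22:00:00Z M001 tok_0101 APPROVED
2016-11-05T22:00:10Z M777 tok_9001 DECLINED
2016-11-05T22:00:12Z M777 tok_9002 DECLINED
2016-11-05T22:00:15Z M777 tok_9003 DECLINED
2016-11-05T22:00:17Z M777 tok_9004 DECLINED
2016-11-05T22:00:20Z M777 tok_9005 DECLINED
2016-11-05T22:00:22Z M777 tok_9006 APPROVED
2016-11-05T22:00:25Z M777 tok_9007 DECLINED
2016-11-05T22:00:40Z M001 tok_0102 APPROVED
2016-11-05T22:01:30Z M001 tok_0101 DECLINED
2016-11-05T22:02:00Z M001 tok_0103 APPROVED
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, merchant, token, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, token, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), merchant, token, outcome))
    return records


def detect_enumeration(records, window_seconds=60, min_distinct=5, min_decline_ratio=0.8):
    """Flag merchants whose recent attempts look like card-detail guessing.

    Keeps a sliding window per merchant and raises an alert when the window holds
    at least min_distinct different cards and at least min_decline_ratio of the
    attempts were declined. Returns {merchant: max distinct cards seen in a window}.
    Thresholds are illustrative; a real deployment tunes them per merchant profile."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, merchant, token, outcome in sorted(records):
        w = windows[merchant]
        w.append((ts, token, outcome))
        while (ts - w[0][0]).total_seconds() > window_seconds:
            w.popleft()
        distinct = {t for _, t, _ in w}
        declined = sum(1 for _, _, o in w if o == "DECLINED")
        if len(distinct) >= min_distinct and declined / len(w) >= min_decline_ratio:
            flagged[merchant] = max(flagged.get(merchant, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for merchant, cards in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT merchant {merchant}: {cards} distinct cards, mostly declined, inside one window")
```

An ordinary busy merchant also sees many distinct cards per minute, which is why the decline ratio is part of the condition: legitimate traffic approves most of the time, whereas guessing approves only when a combination happens to be right. The same check can be keyed on source IP or BIN range instead of merchant id where those fields are available.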