Tesco Bank Fraud Attack Suggests Serious Flaws In Bank’s Fraud Prevention Strategy

Tesco Bank has been the latest target of a hacking attack, temporarily suspending all online transactions after thousands of customers were affected. It has been reported that one in three customers of the bank were affected, with several customers tweeting that hundreds of pounds were missing from their bank accounts. IT security experts from Digital Guardian, ACI Worldwide, AlienVault, Synopsys and Prevoty commented below.

Thomas Fischer, Threat Researcher and Security Advocate at Digital Guardian:

“The fact that 40,000 cards seem to be affected points less to card fraud executed via skimmers (or similar) and more to a large-scale data leak of the bank’s customers’ card information. Typically, large data leaks are caused by malicious internal parties or malicious external parties that have compromised someone on the inside. In both cases, the insider could also be at a third party supplier. It is therefore important for companies to focus data protection programmes not only on their own infrastructure, but also on third party suppliers.

“The incident serves as a reminder to all organisations to have a good understanding of critical assets (in this case credit card numbers and personal information) and how this information is used across all business units and operations. One way to ensure this is to put in place one consistent data protection policy across all parties that come into contact with these critical assets. This includes auditing third parties to ensure they have equivalent levels of protection.

“It was interesting that the malicious party chose to conduct the fraudulent transactions during the weekend. Traditionally, organisations are under-staffed and are therefore slower to respond during these hours. Businesses should make sure they have the proper detection mechanisms and incident response processes in place. If the business has a 24×7 operational remit, security processes should be applied systematically at all times of the day, every day of the week.”

Jay Floyd, Head of Fraud Strategy and Solutions EMEA at ACI Worldwide:

“The fact that Tesco’s fraud prevention systems identified suspicious activity but failed to decline many fraudulent transactions raises serious questions about the bank’s IT systems and fraud prevention capabilities.”

“Compromising 40,000 customer accounts and being able to steal money from half of those accounts suggests that there are serious flaws on the side of the bank and its fraud prevention processes.”

“There are several potential explanations for this attack. It could be a case of internal fraud, where someone with access to the relevant databases has leaked data, or internal team breach, whereby employees working for fraudsters or fraudsters themselves work within call centres and harvest the data over a specific time period. The breach could have also originated via internal offshore operations, in countries with lower fraud prevention processes and employee checks, or it could simply be due to external fraud conducted by hackers.

“An attack like this needs to kick-start a complete review of the bank’s internal fraud prevention strategy. Examining the timing of the fraud will also be key; the fact that the attack happened over the weekend, when fraud departments can be thin on the ground, is an important factor which needs to be looked at.”

Javvad Malik, Security Advocate at AlienVault:

“Judging by the vast scale of this attack it is likely that a main banking system was compromised. I wouldn’t be surprised if it turns out to be linked to either a compromised third party or an insider.

“Online banking is generally safe enough and fit for purpose. There are improvements being made, with many banks deploying card-reader or one-time-password tokens to customers which are needed to log on or to pay a new account. I say safe enough, because there is compensation, insurance, and other coverage in place. So as long as customers are refunded their money, and the losses remain within the banking fraud appetite, it remains a viable business model.

“One of the biggest challenges banks in the UK have is around legacy software and systems. Many core banking applications run on old architecture built around mainframes. While these are robust systems and do well in crunching the numbers, the added functionality of online banking, faster payments, etc. all has to be ‘bolted on’ – with many systems resembling a Frankenstein architecture. Years of mergers, acquisitions, and divestments have all compounded the issue.”

Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:

“Banks are where the money is and remain a prime target. The financial industry has been dealing with the pallor of fraudulent activities for a long time, and has implemented what is arguably the most organised and effective means of identifying compromise, and disseminating the information to the financial industry and customers. In this highly technical and digital age the most mature approach is always to assume compromises will happen, and have an effective cybersecurity management plan in place in order to address challenges as they arise. Despite being a cybersecurity professional, I use online banking and mobile technologies almost exclusively.”

Kunal Anand, CTO and Co-Founder at Prevoty:

“It’s one thing to steal your identity, it’s another thing to steal your money. There is even more pressure on financial services organizations like Tesco to have more controls within their networks, endpoints and applications, including RASP, to monitor and protect against fraud. The raw data from these controls, combined with anomaly detection, could allow organizations to react faster and help reduce overall fraud. Tesco must acknowledge and address the security gap that allowed this attack in the first place.”
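Three of the comments above make the same technical point from different angles: Fischer notes that the fraud ran over a weekend when response is slowest, Floyd notes that the bank’s systems flagged suspicious activity but did not decline it, and Anand argues for anomaly detection over raw control data. The toy rule engine below is an added illustration of that point and is not code from any of the commenters or from Tesco Bank. It works over a constructed batch of card transactions (cards, merchants, amounts and timestamps are all invented) and distinguishes a “mass cash-out” pattern, in which one merchant charges many distinct cards inside a short window, from ordinary traffic. The pattern it looks for, the window size and the thresholds are the editor’s assumptions, not anything the article states about the Tesco incident; the thing to notice is that the burst pattern is declined automatically rather than merely alerted on, so the decision does not wait for a thinly staffed weekend fraud team.

```python
"""Toy card-fraud rule engine: 'allow' / 'alert' / 'decline' over a batch of transactions.

Added example for illustration only; thresholds and the sample data are invented.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str       # tokenised card reference (constructed; not a real PAN)
    amount: float   # GBP
    merchant: str
    ts: datetime


# Constructed sample batch: ordinary Saturday traffic, one high-value late-night
# purchase, and a Sunday 03:00 burst in which merchant "mch-x" charges seven
# different cards within six minutes, followed by one stray charge hours later.
SAMPLE = [
    Txn("card-0001", 12.50, "coffee-shop", datetime(2016, 11, 5, 9, 14)),
    Txn("card-0002", 48.00, "grocer", datetime(2016, 11, 5, 10, 2)),
    Txn("card-0003", 250.00, "electronics", datetime(2016, 11, 5, 23, 40)),
] + [
    Txn(f"card-{n:04d}", 99.00, "mch-x", datetime(2016, 11, 6, 3, n - 3))
    for n in range(4, 11)
] + [
    Txn("card-0011", 99.00, "mch-x", datetime(2016, 11, 6, 5, 30)),
]


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside 08:00-20:00: the hours when a fraud desk is thinnest."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 20


def decide(txns, window=timedelta(minutes=10), burst_cards=5, alert_amount=200.0):
    """Return one decision per transaction, in input order.

    'decline' is reserved for the mass cash-out pattern: at least `burst_cards`
    distinct cards charged by the same merchant inside `window`. Every transaction
    in such a burst is declined, not just the one that crossed the threshold.
    A single off-hours, high-value transaction only raises an 'alert' for review.
    """
    decisions = ["allow"] * len(txns)

    # Group transaction indices by merchant and scan each group with a sliding window.
    by_merchant = defaultdict(list)
    for i, t in enumerate(txns):
        by_merchant[t.merchant].append(i)

    for idxs in by_merchant.values():
        idxs.sort(key=lambda i: txns[i].ts)
        for pos, start in enumerate(idxs):
            in_window = [i for i in idxs[pos:] if txns[i].ts - txns[start].ts <= window]
            if len({txns[i].card for i in in_window}) >= burst_cards:
                for i in in_window:
                    decisions[i] = "decline"

    # Weaker signal: off-hours high-value single transactions go to a human, not to decline.
    for i, t in enumerate(txns):
        if decisions[i] == "allow" and off_hours(t.ts) and t.amount >= alert_amount:
            decisions[i] = "alert"

    return decisions


def tally(decisions):
    """Count decisions by outcome, e.g. {'allow': 3, 'alert': 1, 'decline': 7}."""
    return dict(Counter(decisions))


if __name__ == "__main__":
    results = decide(SAMPLE)
    for t, d in zip(SAMPLE, results):
        print(f"{t.ts:%a %H:%M} {t.merchant:12} {t.card} £{t.amount:>7.2f} -> {d}")
    print(tally(results))
```

Running it on the constructed batch declines the seven-card burst at "mch-x", alerts on the single £250 late-night purchase, and allows the rest, including the lone later charge at the same merchant, which on its own matches neither rule. The design choice worth noting is the split between the two outcomes: a rule that fires on many cards at once (the signature of a bulk data leak rather than one stolen card) is cheap to evaluate and safe enough to act on automatically, which is exactly the gap Floyd describes when a system identifies suspicious activity but leaves the decline to a human who is not on shift.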

Information Security Buzz