Following the news that 20,000 Tesco Bank customers lost money as a result of “online criminal activity” on their accounts over the weekend, IT security experts from ZoneFox, Huntsman Security and ESET commented below.
Jamie Graves, CEO at ZoneFox:
While details are still emerging around the Tesco Bank attack, many suggestions are pointing towards the fact a third-party retail partner was compromised. What is worrying for Tesco is that the now infamous Target breach in 2013 followed a similar trend and of course resulted in record amounts of customer information being compromised.
What is clear here is that the issue of supply chain or partner security is very real and very serious, given these partners can have a great deal of access to an organisation like Tesco’s network. This effectively makes them an ‘insider’ or ‘trusted party’ within the walls of that company. As with any insider or trusted partner – if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning.
In order to identify and remedy the situation as fast as possible, businesses like Tesco must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately.
Piers Wilson, Head of Product Management at Huntsman Security:
“It’s unclear yet exactly what happened, but there are a number of potential sources behind the attack on Tesco Bank. It could be a case of insider activity, where an employee has misused their access privileges to take cash from customer accounts. It could equally be a result of an outside hack, targeting a database of Tesco Bank account holders, either within the bank itself, or within a third-party that the bank has shared that data with. However, it is very unlikely to have been a result of card-skimming at Tesco Bank ATM machines as others have suggested, as the impact wouldn’t have been limited to just Tesco Bank customers; we’d have seen others hit too.
“What is important to recognise is that it looks like this is a recent attack and Tesco Bank has been quick to respond to the breach, taking immediate measures to minimise the damage. However, even so, we’ve seen reports that thousands of customers have had cash stolen from their accounts; leaving some in very difficult financial circumstances. This really underlines the importance of being able to detect any suspicious or anomalous behaviour within milliseconds of cybercriminals launching their attacks. The only way businesses can achieve that level of speed is by integrating machine learning techniques with their cybersecurity measures, so the tools become capable of responding to an attack faster than their human operators ever could.”
Mark James, Security Specialist at ESET:
“Banks are a very desirable target, scamming individuals has relatively small rewards but if you can target the bank at the source the rewards could be massive. This is not the first time we have seen direct hacking attempts for major banks in the UK and with more and more people embracing online or mobile banking we will see these types of hacking attacks becoming more successful. Banks, like law enforcement, will suffer thousands of failed attempts on a regular basis, but it only takes one successful hit to cause so much inconvenience for hundreds or thousands of users. As cash seems to be used less and less our lives are becoming more digital, even small payments these days are often covered by cards or mobile payments, if you increase the footprint you increase the risk.”
Keeping your financial details as safe as possible depends on a number of factors, online banking often has many features to keep your money safe and you should utilise as many as possible. Of course not writing down any of your details, being mindful of who you give information too and making sure you verify anyone who says they are from your bank should be done in all cases. If your bank offer 2 Factor or 2 Step verification then you should utilise it, whilst most banks will do all they can to return any monies lost, this often will depend on their perception of your own security in using their services. If they can prove you were negligent in protecting your account then you may find it harder, or in some cases impossible, to get your money back.
Tesco will need to keep the public informed if they want to come out of this on top. Whilst no system is 100% safe, keeping the victims well informed of your current operations, cause and future defences are what’s needed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.