Following the news that Tesco Bank has been the latest target of a hacking attack, the bank temporarily suspended all online transactions after thousands of customers were affected. It has been reported that one in three customers of the bank were affected, with several customers tweeting that hundreds of pounds were missing from their bank accounts. IT security experts from Digital Guardian, ACI Worldwide, AlienVault, Synopsys and Prevoty commented below.
Thomas Fischer, Threat Researcher and Security Advocate at Digital Guardian:
“The incident serves as a reminder to all organisations to have a good understanding of critical assets (in this case credit card numbers and personal information) and how this information is used across all business units and operations. One way to ensure this is to put in place one consistent data protection policy across all parties that come into contact with these critical assets. This includes auditing third parties to ensure they have equivalent levels of protection.
“It was interesting that the malicious party chose to conduct the fraudulent transactions during the weekend. Traditionally, organisations are under-staffed and are therefore slower to respond during these hours. Businesses should make sure they have the proper detection mechanisms and incident responses processes in place. If the business has a 24×7 operational remit, security processes should be applied systematically at all times of the day, every day of the week.”
Jay Floyd, Head of Fraud Strategy and Solutions EMEA at ACI Worldwide:
“Compromising 40,000 customer accounts and being able to steal money from half of those accounts suggests that there are serious flaws on the side of the bank and its fraud prevention processes.”
“There are several potential explanations for this attack. It could be a case of internal fraud, where someone with access to the relevant databases has leaked data, or internal team breach, whereby employees working for fraudsters or fraudsters themselves work within call centres and harvest the data over a specific time period. The breach could have also originated via internal offshore operations, in countries with lower fraud prevention processes and employee checks, or it could simply be due to external fraud conducted by hackers.
“An attack like this needs to kick-start a complete review of the bank’s internal fraud prevention strategy. Examining the timing of the fraud will also be key; the fact that the attack happened over the weekend when fraud departments can be thin on the ground, is an important factor which needs to be looked at.”
Javvad Malik, Security Advocate at AlienVault:
“Online banking is generally safe enough and fit for purpose. There are improvements being made, with many banks deploying card-reader or one-time-password tokens to customers which are needed to log on or to pay a new account. I say safe enough, because there is compensation, insurance, and other coverage in place. So as long as customers are refunded their money, and the losses remain within the banking fraud appetite, it remains a viable business model.
“One of the biggest challenges banks in the UK have is around legacy software and systems. Many core banking applications run on old architecture built around mainframes. While these are robust systems and do well in crunching the numbers, the added functionality of online banking, faster payments, etc., all has to be ‘bolted on’ – with many systems resembling a Frankenstein architecture. Years of mergers, acquisitions, and divestments have all compounded the issue.”
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
Kunal Anand, CTO and Co-Founder at Prevoty:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.