Tesco Bank cyber attack could have been avoided, say experts

By Madhvi Mavadiya | 15 November 2016

Internet security experts are now claiming that Tesco Bank missed or ignored warning signs that cyber hackers were present in the software many months before cash was actually stolen, forcing the supermarket to pay back £2.5m ($3.1m) of losses to 9,000 customers. According to the Financial Times, the hack has been described as unprecedented by regulators and is being investigated by the National Crime Agency, as well as other authorities.

Weaknesses in mobile applications in the time leading up to the attacks have been pinpointed as the reason behind the attack, the FT reported. Israeli firm CyberInt found evidence that current account, savings account and credit card details were being traded in an unsearchable part of the internet, referred to as the dark web.

Codified Security, a mobile app testing firm, has claimed that their attempts to inform Tesco Bank about vulnerabilities they found within the system were rebuffed. “[It] speaks volumes as to how seriously they take the security of their company,” Codified Security CEO Martin Alderson said.

On the other hand, according to the FT, a Tesco Bank spokesperson said that it had “a first class team working around the clock. No customer data was lost. None of our systems were breached. This was a highly sophisticated attack on our systems and we responded very quickly”.

The Sunday Times found that the attack was made after criminals bought low-cost goods using contactless mobile phone payments in the US and Brazil at retailers including Best Buy.

Elad Ben-Meir, vice-president of CyberInt, said that the company had identified an increase in this type of attack on Tesco Bank months ago but on a smaller scale, according to the FT. “A sinister figure going under the dark web alias of Cyberstalker was orchestrating an attack on Tesco customer bank accounts as early as September 7,” he said.

The FT recalls seeing a chatroom conversation in which the hacker Tunnel referred to Tesco Bank as a “money machine” and said that he used to “cash them out. I was easily making £1,000 a week.” Cyber security experts said that criminals were sharing Tesco Bank card and account details online and were defrauding a small number of accounts.

The paper continued that this activity is commonplace, but these smaller attacks may not have been linked to the larger attacks. Alderson from Codified Security has called on Tesco to replicate what other technology groups do and set up something to receive third party cyber security notifications, like a web page or email address.

This reiterates what many fintech companies have been saying for a few years now: that financial institutions need to act like the technology giants, as security is becoming increasingly important. What last week’s events also show is that if precautions are not taken, more large corporations will be hacked, which could be detrimental to the future of particular companies.
