Analysts apply Occam's razor to Tesco Bank breach

Security analysts have narrowed down the range of possible explanations for the Tesco Bank breach. Earlier this month Tesco Bank admitted that an estimated £2.5m had been looted from 9,000 accounts. Initially it was feared that money had been taken from 20,000 accounts, but this figure was revised a few days after the breach …

  1. Pen-y-gors

    Sounds horribly complicated

    "Some of these reported small fraudulent transactions of around £20 before larger transactions of £500 or more were attempted. Another report talked about cash had been fraudulently withdrawn from a customer’s account from an ATM in Rio de Janeiro, Brazil."

    That could be a sign of someone testing out the process, but it sounds more like a bog-standard attack using cloned card, or knowledge of the pin, csv etc. All horribly complicated and very very embarrassing for Tesco, although I suspect there are a lot of people in a lot of banks muttering "There but for the grace of $deity..."

    <topical remoaner joke>Of course after Brexit, rip-offs like this will be impossible, as we'll be back in the Good Old Days, using leaves as currency. We'll just have to worry about highwaymen with pistols stopping the Mail Coach</rant>

    1. magickmark

      Re: Sounds horribly complicated

      "...using leaves as currency. We'll just have to worry about highwaymen with pistols stopping the Mail Coach"

      And also we need to worry about people burning down deciduous forests and not being able to afford peanuts.

    2. MyffyW Silver badge

      Re: Sounds horribly complicated

      There but for the grace of $deity

      ... indeed

      1. Anonymous Coward

        Re: Sounds horribly complicated

        ${DEITY:-magic_pixie_in_the_sky} surely?

        1. Hollerithevo

          Re: Sounds horribly complicated

          I think $DEITY covers magic pixie, Zeus, Crom, the Great Spirit, the Blue Dragon, whatever.

    3. Ralph the Wonder Llama

      Re: Sounds horribly complicated

      And, with apologies to the late DNA, we could solve the problem of the devaluation of our newly-adopted, but widely available, currency by simply burning down all the forests, instantly making us all very rich indeed.

      1. Locky

        Re: Sounds horribly complicated

        Burn them down? Pah, what a waste

        What we should do is build a train track through them, so they don't grow back

    4. macjules

      Re: Sounds horribly complicated

      Worrying about highwaymen and mail coaches is rather apt. Think Russia vs Democrat Party's mail servers.

      I go with the 'payment system compromise' option as being the Occam's Razor argument for the most likely explanation with the least number of factors affecting that explanation. Security companies must have been warning Tesco for a good 9 years now that they were heading for a total meltdown in every single one of their online portals. Here's a few examples that I can recall off the top of my head:

      • In 2012 they were warned that using IIS6 with .Net1 for the online shopping payments system was not good for security
      • Likewise, sending customers plaintext emails with their password on 'I have forgotten my password' requests was bad.

      • Storing customers' credit card details in a plaintext cookie was wrong.

      • Redirecting customers back to an insecure (non SSL) page for payment confirmation, despite showing the confirmation code from the payment portal, was wrong.

      Sorry Tesco, but it looks like the vultures (excuse the ElReg pun) may have come home to roost.

  2. Frank Bitterlich

    Not sure how the trojan theory would work out...

    ... unless we're talking about malware on ATMs. Otherwise it should not be possible to create a cloned card from the information that a trojan on the victim's machine could grab. Much less to get the PIN.

    Ordinary card cloning (from manipulated ATMs or POS terminals) is unlikely as well - that wouldn't explain the large number of cases on this one bank.

    Occam says: Smells like insider job (possibly at a service provider.)

    1. Cuddles

      Re: Not sure how the trojan theory would work out...

      "Ordinary card cloning (from manipulated ATMs or POS terminals) is unlikely as well - that wouldn't explain the large number of cases on this one bank."

      This was my thought as well. Given that the attack appears to have targeted only Tesco, any customer-based attack such as cloning cards or phone and/or PC malware seems pretty unlikely, since these would almost always catch customers of multiple banks. It almost has to have been either an inside job or some vulnerability specific to Tesco's systems (I guess the former is technically a subset of the latter).

    2. bish

      Re: Not sure how the trojan theory would work out...

      Yep. No idea how they reached the conclusion that cloning was even remotely likely, unless they already know of an employee in the Tesco Bank mailing room who recently brought a card cloner to work.

  3. Anonymous Coward

    As a Tesco Bank customer a couple of things to note.

    Since the breach cash deposits made in store do not appear on the mobile app or web until the following day, they were previously immediately shown.

    Likewise some payments now don't show till the following day.

    I haven't had chance to confirm if the available balance is still accurate though it previously was.

    I would hazard a guess that they have changed a procedure with regards to processing so they can stop payments or withdrawals. It could also highlight that they were doing something other banks were not as my previous two bank accounts didn't have this ability but I can't comment on other banks.

    1. wolfetone Silver badge

      I am fairly bad at checking my bank account, but I think The Co-Operative (who I bank with) don't update their transactions as quickly as you describe. Which has caused me issues in the past but that's neither here nor there. I will say though that the Co-Op were about to do some maintenance but postponed it after the Tesco hack.

      That said, my significant other checks her bank account all the time (she's with Lloyds) and they seem to update the transactions instantly. Maybe they have a different implementation to Tesco? I will say though that she does have a credit card with Tesco which was hacked/stolen, so I don't think Tesco's problems are restricted to current accounts at all.

      1. Anonymous Coward

        Co-op concerns

        I'm slightly concerned about the way the Co-op handle some of their accounts. Don't know if the procedures make them open to hacking, but they're worrying.

        I'm involved with a business that banks with the Co-op. Traditionally one would want cheques to need two signatories. That works fine. But one would also want online banking transactions to need two people to authorise them (I believe other banks do have that facility) - not the Co-op. Any one of the authorised signatories can make a payment online.

        Even more worrying - we set up a separate account for a particular project, and deliberately used different signatories. Set them up for online banking, and discovered they also had access to the main account as well.

        This does not bode well...

        1. Anonymous Coward

          Re: Co-op concerns

          I do security. I have done security at a very large bank. You'd be surprised.

          For instance, do you know what customer-side SWIFT terminal used to look like until very recently? It looks like a general purpose PC, and in many firms, it IS -- general purpose, that is -- not hardened, used for mail, web browsing, office docs and, er, seven/eight/nine figure transactions. I'm only surprised it took this long for the crooks to catch on.

          When they discover how many hedge funds with enormous AUM have one-person IT departments, oyyy.

          1. macjules

            Re: Co-op concerns

            But isn't SWIFT on a dedicated line with no access to the internet at all? Mind you, it would just not surprise me to learn that someone set up a dodgy bank just to get the SWIFT facilities. Oh wait, Tesco did that :)

            1. Anonymous Coward

              Re: Co-op concerns

              SWIFTNet yes uses a private IP network (SIPN). And typically the underlying servers that communicate via SWIFT are heavily secured and firewalled away. At the same time, the client software that manages and controls those servers sits on standard desktop PCs, and very often those PCs are also used for regular office use, email and web etc. I know at least one bank that recently stopped those PCs from having any kind of external internet access.

              But, getting access to the SWIFT network is a million miles away from having the ability to exploit it for fraudulent payment purposes. All SWIFT participants use the SWIFT RMA facility to manage public/private key setup which restricts which other SWIFT participants you'll accept messages from. And then of course, you need correspondent banking relationships with banks in other countries in order to have them act upon the SWIFT messages you send. Contrary to popular belief, SWIFT is not a payment network and does not support clearing or settlement of payments, just the passing of instructions between banks who hold account relationships in order to instruct your correspondent to make payments for you. Those payments are then of course transacted in the appropriate local payment system, e.g. A foreign bank might ask their UK SWIFT correspondent to make a payment for them, which the UK bank will then action through BACS/CHAPS/Faster Payments as appropriate.

          2. wolfetone Silver badge

            Re: Co-op concerns

            "I do security. I have done security at a very large bank. You'd be surprised."

            I remembered another instance of Co-Op security going wrong last night.

            About 12 months ago I went to do online banking, put in my details and I'm told to register for online banking. I've been with them for nearly 10 years, so I was confused thinking why do I have to register for online banking when I have always had it?

            So I'm on the phone to their customer service team who are always very helpful, and I get told that I have to register. Not re-register, not unlock my account, I have to register. So I tell the lad that I'm already registered, and I can hear him click and type and he says "No sir you've never registered for online banking". I refute this, telling him I've been registered for 8 years without a problem. So he goes through security (obviously trying to make sure it's actually me he's looking at) and he again said that I've never been registered.

            I get registered/re-registered, and the problem hasn't happened to me since. But when you say what you've said about the security in banks and there being one generic general computer, no I'm not surprised at all.

            If only I could do bank transfers from the money under my mattress!

          3. Wensleydale Cheese

            Re: Co-op concerns

            "For instance, do you know what customer-side SWIFT terminal used to look like until very recently? ... not hardened, used for mail, web browsing, office docs and, er, seven/eight/nine figure transactions."

            It gets worse.

            Last week's El Reg article $10m of Bangladeshi SWIFT heist ended up in Filipino Casino

            takes us back to April's Meet the malware that screwed a Bangladeshi bank out of $81m,

            which in turn leads to BAE Systems Threat Research Blog: Two bytes to $951m,

            where we see that all the data files are in the Administrator directory tree.

            Oops. Right there in public view, and the BAE report didn't even highlight that as a problem.

            Apparently the Bangladeshi systems merited their own secure room, so perhaps weren't subject to malware from general surfing / mail / Office nasties, but really, running something like SWIFT from the Admin account?

    2. Doctor Syntax Silver badge

      "I would hazard a guess that they have changed a procedure with regards to processing so they can stop payments or withdrawals."

      Why would they stop payments? Maybe they had a means of making transfers from one Tesco A/C to another so they were routing payments through one they controlled to an external bank.

    3. Anonymous Coward

      Other banking shenanigans

      My bank, an RBS subsidiary/brand, arbitrarily reduced the single transaction limit for payments from £10k to £1k. Want to pay someone more than £1k? Make multiple £1k payments.

      Allegedly this is to protect customers and keep their money secure. It was changed on 26th October (predates Tesco shenanigans?) and they are unable to confirm this is a permanent change nor, if temporary, cannot say until when, nor can they offer any other reason why this needed to happen, apart from "to protect ...". Strong impression given that it may have been across RBS (not just the brand I bank with), but if so I'd be surprised it had not hit the headlines.

      No customers were informed about this in advance. RBS says they made and executed the decision too fast to give advance warning. But have pointedly not issued any after-the-fact notice of changes - the only way you discover your account facilities have changed detrimentally is when you try to make a payment over £1k and get told it is over the limit. Otherwise you'd be in blissful ignorance assuming you could still send £10k in a single transaction.

      All sounds very dodgy to me, like they knew someone was trying something and this was one of no doubt several steps taken to minimise risk/exposure. I got the impression not giving advance warning may have been part of the strategy too.

      Tin foil hat or rational suspicion in the face of an information vacuum? Now, if only a journalist were to ring them up and ask a few questions...

  4. cfbrown73


    What I really want to know is did they get Tesco Club card points with the 2.5 million.

    1. Anna Logg

      Re: Points

      After their 'devaluation' a while back that'll buy a set of 'X factor' coffee mugs or some such.

    2. Wensleydale Cheese

      Re: Points

      "What I really want to know is did they get Tesco Club card points with the 2.5 million."

      Isn't that the bit where they get caught? :-)

  5. Chris Evans

    Brilliant sub heading!

    "Unexpected items in the banking area" :-)

    1. Captain Badmouth

      Re: Brilliant sub heading!

      That sub-heading was a comment in a previous article on this fiasco, El Reg have just re-used it.

      Take a bow monty75.

  6. CustardGannet

    Credit where credit's due

    So, not only do law enforcement not know *who* did it, they don't even know *how* they did it.

    Those crims must be as cunning as a fox that used to be Professor of Cunning at Oxford University, but has moved on and is now working for the U.N., at the High Commission of International Cunning Planning.

    1. Cynical Observer

      Re: Credit where credit's due

      I do hope that if he's working at the High Commission of International Cunning Planning, his language skills are proficient.

      We wouldn't want an ignorant linguist.

      Checking for passport..... >>

      1. Captain Badmouth

        Re: Credit where credit's due

        A cunning linguist? Have an upvote.

    2. Doctor Syntax Silver badge

      Re: Credit where credit's due

      "So, not only do law enforcement not know *who* did it, they don't even know *how* they did it."

      That doesn't follow. They're just not telling outsiders what they know which is reasonable. This is some external analyst trying to work it out/guessing on the basis of what is public knowledge. Just like the rest of us.

  7. Anonymous Coward

    "Customers are advised to exercise caution when receiving calls or opening emails or SMS messages"

    Or just change bank.

  8. Aristotles slow and dimwitted horse

    It's a good read...

    Thankfully I'm not a Tesco customer, and I liked the added warnings as to what ongoing problems their customers should watch out for following this... but I got halfway through and thought I was actually reading an advertising puff piece for a particular security intelligence firm.

    1. Doctor Syntax Silver badge

      Re: It's a good read...

      " I got halfway through and thought I was actually reading an advertising puff piece for a particular security intelligence firm."

      Telepathy! So did I.

  9. Anonymous Coward

    It's an inside job

    I don't buy the cloned card answer.

    Tesco offers 3% interest on credit balances. So, like many customers, I opened an account (two actually), paid in the £3K maximum qualifying balance and sat back to watch the pennies roll in.

    I did actually use my cards - once. To save having the PIN letters lying around I went to a local ATM, changed the PINs and parked them in a drawer. I've never made any withdrawals, used them in a shop or bought anything online. I was, however, hit by a £20 test transaction.

    So unless all 20,000 Tesco customers have been using that particular ATM (a pretty obvious geographical bias would show, and other customers say they have never used their cards at all), it can't be cloned cards. If it's a card issue it must be an inside job on the card network. If it's an online breach it must be a website compromise or an inside job somehow.

    I should add that previously Tesco did their online banking login verification in Flash, so they have form in needing attention from the cluebat. Unless someone managed to compromise the Flash and hoard the details for about 5 years?

    (anon because... you can't be too careful these days)

    1. Anonymous Coward

      Re: It's an inside job

      I think I might remove the entry from my CV where I worked on building Tesco Bank ;)

  10. Anonymous Coward

    Stupid idea

    I wonder if there is a refund/cancel electronic transaction mechanism that does not check the payment was correctly made or refunds before the transaction is recorded?

    Ghost £20 payment to account, refund / error transaction system triggered via mobile connection and funds return to ghost account.

    I told you it was stupid.

  11. Bob Rocket

    Can we get rid of this myth

    'The bank reimbursed funds to defrauded customers'

    The £2.5 million was stolen from Tesco Bank, no customer money was stolen at any point, 'the bank corrected the numbers in some accounts' is what they actually did.

    When you deposit money in a bank it is an unsecured loan from you to the bank, the bank is free to do anything it wants with that money (including lending it to someone else). Normally you have the ability to call in this loan on demand however if the bank broke then you have to claim off the insurance (bank guarantee) or get in line behind the guy who waters the HO plants.

    If I lend you £20 and at sometime later someone steals £5 from you that theft is from you not me, you still owe me £20.

    1. Velv

      Re: Can we get rid of this myth

      While I agree with you at the high level concept as an end result, the reality and legality is also different.

      Banks view transactions against accounts as legitimate customer activity until proven otherwise. So in this instance Tesco Bank considered the customer had withdrawn their loan and reduced the balance on the account as appropriate. The customer had effectively lost their money without the bank going broke and being able to claim from the Financial Services Compensation Scheme. The customer then potentially failed to meet other payment obligations they had. While it might all work out in the end, it certainly isn't as simple as your analogy.

      Not having a go at Tesco Bank on this one, this is how all banks in the UK work.

      1. Adam 52 Silver badge

        Re: Can we get rid of this myth

        "this is how all banks in the UK work."

        It might be how they all work, but that doesn't make it right and the more people that accept it and repeat it, especially newspapers, the greater chance they have of getting away with it.

  12. Anonymous Coward

    Occam's razor?

    I prefer something a little less subtle...

    *The mechanical yanking sounds of a gas chainsaw being tugged to life*

    <Shouting over the noise>MUH Hahahahahahahhhahhahaha!</shouting>


    I'll get my coat, it's the one with the fuel oil mix in the pocket.

  13. JimC

    Well I dunno

    Doesn't this read something like "people who have next to no information to work from make wild guesses in exchange for some exposure?". It feels like a stage beyond mere speculation... And yet I feel motivated to read it, even though intellectually I know it can have no or next to no useful content...

  14. Anonymous Coward

    Why don't they just 'Follow the money'?

    Where did it go?

  15. AbeSapian

    Hey, At Least Tesco Refunded The Money

    U.S. banks would have simply hoisted the jolly roger to their customers. (c.f. Wells Fargo)

    1. SharkNose

      Re: Hey, At Least Tesco Refunded The Money

      Actually not.

      If the transactions were card based ones, especially card not present which seems most likely, there are strict rules established by the card schemes (VISA, MasterCard) which govern liability and chargeback.

      Despite what the media are saying, it's possible that the £2.5M supposedly lost by Tesco Bank will actually get eaten by the merchants or their acquirers, not by Tesco Bank. This is why there is a push to move the EMV standards globally for card transactions to shift the liability away from the merchant. Using 3DSecure for Card Not Present transactions also shifts the liability, so it will be interesting to see what kind of transactions were actually used in the Tesco Bank breach.

  16. Anonymous Coward

    Tills in TESCO went down days before the hit!

    Why has no one looked at when the card & password are together @ the till.

    After the tills went down, guess what happened next?

    1. SharkNose

      Re: Tills in TESCO went down days before the hit!

      Tesco != Tesco Bank.

      Different systems, IT, etc...

      1. Anonymous Coward

        Re: Tills in TESCO went down days before the hit!

        You would think so, wouldn't you...

  17. m00head

    Dark web hackers boast of Tesco Bank thefts - BBC News

    The Sunday Times says the attack was carried out by thieves using mobile phones that used stolen Tesco Bank data to set up contactless payment accounts.

    It says fraudulent purchases of thousands of low-priced goods were made at Best Buy electronics stores in the US as well as other American and Brazilian retailers.

    The paper does not credit a source for this information.

    However, it might tie in to an alert from Europol two months ago that criminals had begun using Android phones to trigger fraudulent tap-and-go payments.

    "The possibility of compromising NFC [near field communication] transactions was explored by academia years ago, and it appears that fraudsters have finally made progress in the area," the organisation's Internet Organised Crime Threat Assessment said.

    "Several vendors in the dark net offer software that uploads compromised card data on to Android phones in order to make payments at any stores accepting NFC payments."

    A spokesman for Tesco Bank said that "none of our systems were breached" and no personal data had been lost, but would not comment further.

    Europol warns of Android tap-and-go thefts

    1. Truckle The Uncivil

      Re: Dark web hackers boast of Tesco Bank thefts - BBC News

      That puts an interesting slant on the Apple vs. Australian Banks saga. It would seem that Apple is right not wanting to permit direct access to its NFC systems. (Cue the down votes)
