back to article 'Tesco Bank's major vulnerability is its ownership by Tesco,' claims ex-employee

A former techie at the UK's Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket. Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank. The …

  1. Anonymous Coward
    Anonymous Coward

    "I strongly suspect that the (Tesco) Clubcard system has been breached"

    That's a pretty big claim to just throw in there. Is there any more information on that?

    1. Anonymous Coward
      Anonymous Coward

      That's a pretty big claim to just throw in there. Is there any more information on that?

      This is unrelated, but Tesco have a well-established record of poor security practices: https://www.troyhunt.com/the-tesco-hack-heres-how-it-probably/

    2. JimmyPage
      Stop

      Why ?

      If your starting point is systems are inherently insecure, then unless you can prove otherwise (think about it) it's a valid assertion.

      So the focus should be on ensuring data breaches can't be of use to hackers. Encryption at rest seems a good start.

      Otherwise you are just aping the moronic HMG "can't happen here" stance. Which is scary.

      1. mwnci

        Re: Why ?

        A pertinent thing to consider is that most large retailers / manufacturers need to maintain a competitive price and a margin, so they have adopted / bastardised the old "Minimum Viable Product" from developers to their own ends.

        We see this with "Internet of Things". Want an internet enabled Kettle? Ok, no problem, should we put security on it? Well yeah of course it will be more expensive...Ok then to keep the price point down, we won't do anything on security!

        Businesses are under extreme pressure to keep costs down, and a re-architecture of your systems when you are Size of TESCO is Hundreds of Millions if not Billions. So yeah, they aren't gonna do it solely for "Security", it has have all the other priorities like reducing costs, efficiency etc.

        It is absolutely no secret that major retailers have massive issues with Legacy systems and just keeping the "lights on" is a major challenge, and they haven't got the Will or desire to change. So if we have a "Minimum Viable Product" keep it going, and minimise the investment to maintain margin.

        1. Anonymous Coward
          Anonymous Coward

          Re: "massive issues with Legacy systems"

          I don't suppose it's possible at all, let alone probable, that any of these "Legacy" systems are pretty much fit for purpose and working just fine, except they're maybe written in (say) COBOL, sometimes might even use a CODASYL-style database, and worse stilll might not even run on Windows/x86? And that what they need isn't a complete rewrite but a bit of intelligence and a lot of glue code to integrate them into this week's fashionable "modern" stuff?

          1. Destroy All Monsters Silver badge

            Re: "massive issues with Legacy systems"

            > CODASYL-style database

            All 64KByte of it, maintained by immortal gnomes!

    3. Anonymous Coward
      Anonymous Coward

      Better light

      Sure is a good thing that Tesco's bank app won't run on phones with Tor installed. That certainly stopped the bad guys. Kind of like the old joke about looking for one's lost wallet under a street light because the light is better, rather than looking for it over where one lost it.

    4. SharkNose

      Fail to see how this would be relevant to the Tesco Bank fraud. Likelihood is that somehow the Tesco Bank card database (for their debit cards, as it was only current account affected) was compromised, and all of the Card PAN and CVV data taken, then used to effect card not present fraud.

  2. Korev Silver badge
    Stop

    Securing the systems?

    "We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."

    No mention of securing their systems and/or processes :(

    1. m00head

      Re: Securing the systems?

      "We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."

      http://www.ibtimes.co.uk/tesco-bank-under-investigation-possibly-ignoring-warning-potential-cyberattack-1593709

      "Three unspecified sources told The Times that while most banks updated their systems; Tesco Bank allegedly ignored the warning, leaving its systems vulnerable to cyberattacks. In the event that the probe finds any evidence of the bank having ignored warnings, Tesco Bank could face penalties as well as potential backlash from its customers."

    2. Anonymous Coward
      Anonymous Coward

      Re: Securing the systems?

      "No mention of securing their systems and/or processes :("

      should we start a rumour that they've hired Dido Harding as their new Head of Security? After all, she knows an awful lot about data breaches ;-)

    3. SharkNose

      Re: Securing the systems?

      Arguably it's a much wider problem than just Tesco. If it was card not present fraud as I suspect, then it's really showing how insecure it is to use your card online. Many merchants / acquirers / issuers are not enforcing validation of anything beyond the card PAN and CVV, you don't even need the name of the cardholder in many cases to use the card fraudulently online. EMV has sorted out much of the card present fraud by making card skimming very hard/impossible, and even the 'Merkins have seen the light and moved to EMV. But that has made card not present the chink in the armour, with the only suggested means of defence being the awful secure 3D (e.g. Verified by VISA, etc) which merchants dislike due to the amount of checkout abandonment. The Tesco Bank situation just appears to be about someone getting en-masse access to their complete list of debit card PAN and CVV data, but the actual exploitation of that data could just as easily affect any card issuer.

  3. Anonymous Coward
    Anonymous Coward

    Speculation and Rumour

    An awful lot of speculation and the true cause will probably never reach the public.

    In particular of note is the linked National Cyber Security Centre memo from 7th November.

    Given the investigation thus far and the evidence at hand, the National Cyber Security Centre is unaware of any wider threat to the UK banking sector connected with this incident.

    You may find that the position regarding other banks may have changed since 7th November and while not directly a security failing there is an underlying weakness in the convenience of the way the world now banks.

    1. Lotaresco

      Re: Speculation and Rumour

      Most of it is there in the article.

      Tesco Bank was originally run by RBS for Tesco. Therefore if the vulnerability was in the banking system it's likely that RBS would also be affected because the most likely transfer of operations from RBS to Tesco would be reproduction of the RBS systems at Tesco. The fact that some ex-RBS people are involved suggests that this is probably true.

      The NCSC says it doesn't affect wider UK banking i.e. there's a low chance that the problem is common to Tesco and RBS. Therefore it is something that Tesco has done that has introduced the problem. Connecting a banking system to any other system is risky, the staffer says it was connected to Clubcard. That would be a stupid thing to do. We don't know which other Tesco systems are connected but it's reasonable to suggest that retail systems will not be secured to the same standard as banking systems.

      The staffer also says there's no protective monitoring for the Tesco systems. That's downright irresponsible but typical of low-margin retail which would not like to pay the high day rates for SOC analysts who know their stuff.

      This is back to "I told you so" territory because any halfway decent Security Architect could have told them that connections to non-banking systems are a bad idea and that skimping on monitoring is a *really* bad idea.

      1. m00head

        Re: Speculation and Rumour

        "Therefore it is something that Tesco has done that has introduced the problem."

        * Tesco Bank ignored a warning about a security flaw from Visa a year ago regarding POS entry code 91 fraud (Contactless, using magnetic-stripe data rules). Europol repeated this warning in September.

        * Tesco Bank allows contactless transactions in foreign currencies which do not have the £30 UK limit (other major banks do not allow contactless transactions in foreign currencies).

        * Tesco Bank fraud prevention system did not detect a brute-force attack against debit card numbers, expiry dates, and dCVV (Dynamic Card Verification Value) of the contactless interface.

        1. Aladdin Sane Silver badge

          Re: Speculation and Rumour

          I've used my contactless card in USA and Australia in the local currencies.

        2. Chz

          Re: Speculation and Rumour

          "(other major banks do not allow contactless transactions in foreign currencies)"

          Blatantly untrue. In fact, Halifax (at least, quite probably others) are beholden to the contactless payment limit of whatever country they're being used in. In my case, I was regularly using contactless without issue up to the Canadian limit of $100 (~£60).

          Unless you mean contactless foreign currency transactions *inside* the UK. Even Eurostar doesn't take euros at St. Pancras (annoyingly), and buying forex still counts as a GBP transaction.

          1. m00head

            Re: Speculation and Rumour

            "Blatantly untrue. In fact, Halifax (at least, quite probably others) are beholden to the contactless payment limit of whatever country they're being used in."

            Maybe this has changed recently in response to the Tesco Bank hack...

            https://www.halifax.co.uk/bankaccounts/debit-cards/contactless/Default.asp#Can-I-use-my-contactless-card-overseas

            "[+] Common Enquiries

            12. Can I use my contactless card overseas?

            Although you can use your Halifax Visa debit card abroad, you can only use contactless for purchases in the UK at the moment."

        3. SharkNose

          Re: Speculation and Rumour

          Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US.

          1. m00head

            Re: Speculation and Rumour

            "Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."

            This is not correct.

            http://blog.imaginecurve.com/curve-explains-the-difference-between-online-and-offline-transactions/

            "When you make a Contactless payment, because the cap is at £30, the merchant doesn’t have to be ‘online’ to process it there and then. They can choose to do it later that day, or even the following day in a big batch - which is what Transport for London does. They even go one step further and process next working day, so you could see a payment made on Saturday appear in your transaction list on Monday. In contrast, Chip & Pin payments are always online, and are processed there and then."

            https://en.wikipedia.org/wiki/Contactless_payment

            "The UK (and the rest of the world) version of the contactless applications differ from the U.S. one. The UK version has the capability of transacting offline, based on the limit stored in the application."

            Which leads to a situation where contactless fraud can can continue for months, even after the card has been reported as stolen:

            http://www.moneysavingexpert.com/news/cards/2016/09/card-lost-or-stolen-beware---you-could-be-the-victim-of-contactless-fraud-months-after-youve-cancelled-it

            https://www.theguardian.com/money/2015/dec/19/contactless-payments-card-fraud-after-cancellation-bank-account

          2. m00head

            Re: Speculation and Rumour

            "Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."

            Contactless cards fail to recognise foreign currency - 1 November 2014

            http://www.ncl.ac.uk/press/news/legacy/2014/11/contactlesscardsfailtorecogniseforeigncurrency.html

            "A flaw in Visa’s contactless credit cards means they will approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.

            New research by experts at Newcastle University, UK, has highlighted a ‘glitch’ in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.

            Side-stepping the £20 contactless limit, transactions can be carried out while the card is still in the victim’s pocket or bag. Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same."

      2. Anonymous Coward
        Anonymous Coward

        Re: Speculation and Rumour

        The Tesco Bank systems were started from scratch, there's no RBS legacy systems there.

        1. Lotaresco

          Re: Speculation and Rumour

          "The Tesco Bank systems were started from scratch, there's no RBS legacy systems there."

          There's no RBS tin there, for sure.

          You get where this is going?

      3. William 3 Bronze badge

        Re: Speculation and Rumour

        Ah well, it's in the article from an unknown "ex employee" who could have been the "refuse technician" for all we know.

        And if it's in an article, it must be true and how dare any question it.

        Fools everywhere

      4. Anonymous Coward
        Anonymous Coward

        Re: Speculation and Rumour

        Tesco Bank use very different core banking and card issuing systems to RBS.

  4. 1Rafayal

    RBS

    Says it all really.

  5. Andrew Moore

    Unfortunate...

    Do they really refer to themselves as 'TB'? Every time I read it, I thought 'tuberculosis'...

  6. Anonymous Coward
    Anonymous Coward

    Your "insider" speculates that a Clubcard breach is involved? So just how does s/he explain how the Clubcard systems would have debit card numbers from TB current accounts stored on them?

    Answer - they wouldn't.

    1. analyzer

      AC Consider

      Link your TESCO Bank Debit card to your TESCO Club Card and receive 500 points!!!!!!!!!!

      No need to scan your TESCO Club Card when you pay with your TESCO Bank Debit Card.

      So much more convenient for you, our precious customer and FREE POINTS into the bargain.

      Go on, you know it makes sense

      TESCO Every little helps.

      Sorry AC what was that you were saying?

      1. William 3 Bronze badge

        Re: AC Consider

        Ha ha ha ha.

        What the fuck does any of that prove other than you expect people to believe you because you wrote a few words on a forum on the arse end of the Internet.

        It's true because you says it's true.

        Ha ha ha.

        You should get out of technology and into religion or politics.

        It's more suited to your skillset.

    2. P. Lee

      >Your "insider" speculates that a Clubcard breach is involved?

      <massive speculation alert>

      Maybe using the same purchase tracking system so they can "understand their customers better"?

      It doesn't even need to be that system which was compromised, as soon as you start linking lots of IT systems between companies or company divisions, someone's bound to have some communication system with a flaw in it.

      You've used a vpn? That's nice, now my attack is encrypted...

  7. Stevie

    Bah!

    " ... and there are much bigger and better targets if a gang has access to relevant zero-days."

    Odd how this argument is vehemently rejected by one and all as a contributing factor as to the relatively low rates of infection of Apple and Linux-based kit vs the hated MS, yet is floated as a Keep Calm and Carry On edict when it comes to a bank.

  8. William 3 Bronze badge

    Fake News this you know.

    Former Tesco Employee Blames Tesco for the Breach at Tesco bank.

    No Proof of any kind. Just their speculation why.

    Apparently we have to take it as fact, because, and get this, because they say so.

    It's fucking parody at this point.

    The whole MSM are so full of shit it's absolute untrue.

    If they're going to ban Fake News from Facebook, then might as well ban every single Mainstream Newspaper, and every single website going.

  9. Anonymous Coward
    Anonymous Coward

    On the first day of Christmas the nefarious side of me...

    Put a a rogue hotspot in the cafe

    ....

    Five payload modules!!!,

    four bash scripts, three redirects,

    two wifi cards

    and a rogue access point in the cafe

  10. MT Field
    FAIL

    Tesco

    The epitome of cheap and nasty. What do you expect of their bank?

    I pity the fools who shop there.

  11. Anonymous Coward
    Anonymous Coward

    How to crash Clubcard

    Register a Tesco account with an email address containing a plus sign. All other Tesco sites work, but the Clubcard one will burn in flames - unless you find your way to "Beta" through Tesco Direct.

    I spent way too much time with Clubcard customer support to convince them to at least tell the development team (in Bangladesh most likely) to have a look. At one point they decided to delete my account altogether. But they didn't tick the box for "also delete clubcard account" so upon re-registration the system insisted that my card was already registered, while, at the same time, told me it didn't know anything about it. It was Schrodinger's Clubcard account for real.

    Emails with plus addresses seem to be the benchmark of code quality when you don't know anything about the code. If they don't URLencode that correctly then it's likely they have other problems in their codebase too.

  12. Anonymous Coward
    Anonymous Coward

    Having worked in IT for a major UK retailer nothing in this article surprises me at all. With margins paper thin and a bevvy of programme managers ready to throw architects to the wolves for 'over-engineering' if they even mention doing some design things can be in a pretty bad state.

    That's before you even get into the issues caused by the IT department not even having anything to do with some of the major systems and being seen by the commercial departments as just the guys who keep the networks and tills running. E-commerce, customer, back-end and logistics systems being run by completely different departments, all of them making their own independent purchasing decisions with no integrations beyond some batch files flying around or manual data movement via Excel? Business as usual.

    You'll also find a heady mix of senior IT staff who've 'come up through the business' literally from the shop floor and have never worked anywhere else. They've never seen IT done right and have no technical or design training. It's Dunning-Kruger in full (in)effect.

    Never trust your sensitive data with a major high-street retailer.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022