
BOGOF?
I was going to suggest BOGOF but they're already ahead with a 60% discount, what about a 3 for 2 offer? :-)
The Financial Conduct Authority (FCA) has slapped a £16.4m fine on Tesco Bank for the security vulnerabilities that led to millions of pounds being pilfered from thousands of customers’ online accounts two years ago. As revealed by us at the time, Tesco called on the National Cyber Security Centre to probe the 5 November 2016 …
Ouch.
I'd hate to be holding equity in a bank that has messed up after, say, 2016.
Just as well all the UK banks are totally robust and haven't spent the last 6 months in various states of fuckup.
~32m, reduced to 16m for cooperating.
I'd be putting those numbers into the outsourcing cost saving spreadsheet.
TheRegister:
Feel free to hide this post until you have resolved the issues with your DNS records.
On the subject of SPF:
tescobank.com doesn't have SPF,
tescobank.com DOES have DMARC. (nothing about strictness of aspf or adkim...)
tescobank.com DOES NOT have PCI DSS compliant MX
- thought this was a requirement for a bank?...
theregister.co.uk DOES have SPF - but it's broken: "too many DNS lookups" and two a: mechanisms that point to FQDNs that don't have any A records....
theregister.co.uk DOES NOT have PCI DSS compliant MX
theregister.co.uk DOES NOT have DMARC
forums.theregister.co.uk DOES NOT have DMARC or SPF
openspf.org has a good guide about the 10 dns lookup limit
- near the bit about reducing the risk of DoS attacks.
To fix TheRegister's SPF record, remove the following:
mx
(you don't need this! - your mx are google and you include:_spf.google.com .......)
a:news.theregister.co.uk
(no a record published in DNS)
a:post.theregister.co.uk
(no a record published in DNS)
You could simply use "a" if you wanted to allow future domains without having to publish each individual one, but please remember:
EACH SUBDOMAIN REQUIRES ITS OWN SPF RECORD.
KEEP -all on the end, it's a good bit.
Have you considered DMARC, DKIM, DNSSEC and DANE?
Would you like a quote?....
- one of my favourites is "lobbest thou thy Holy Hand Grenade"
p.s.
TheRegister's password reset page allows the enumeration of registered email addresses (different message given if email address is not registered....)
- you might want to take a closer look at this too, I think it was a DPA issue, and I'm pretty sure GDPR could say similar.
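The post above checks an SPF record by hand for the two things that break it in practice: the RFC 7208 limit of 10 DNS-lookup terms and a:/mx mechanisms pointing at names that publish nothing. The following is an added example, not the poster's code or any tool The Register uses, that does the same audit offline. It assumes a constructed DNS snapshot (hypothetical .test domains) in place of live resolution; the record shape for example-news.test mirrors the criticised record (redundant mx, two dead a: terms, a provider include, -all), fixed.example-news.test is the trimmed record the post suggests, and bloated.test shows the "too many DNS lookups" failure.

```python
"""Offline SPF audit: counts lookup-causing terms against the RFC 7208
limit and flags a:/mx mechanisms whose targets publish no records.
Assumption (not from the page): DNS below is a constructed snapshot."""

MAX_LOOKUPS = 10                                  # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed DNS snapshot: (name, rrtype) -> list of record values.
DNS = {
    # Same shape as the broken record in the post: redundant mx, two a: terms
    # with no A record behind them, a provider include, and -all.
    ("example-news.test", "TXT"): [
        "v=spf1 mx a:news.example-news.test a:post.example-news.test "
        "include:_spf.example-mail.test -all"],
    ("example-news.test", "MX"): ["aspmx.example-mail.test"],
    ("news.example-news.test", "A"): [],
    ("post.example-news.test", "A"): [],
    ("_spf.example-mail.test", "TXT"): [
        "v=spf1 include:_netblocks.example-mail.test ~all"],
    ("_netblocks.example-mail.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # The trimmed record the post recommends: provider include plus -all.
    ("fixed.example-news.test", "TXT"): [
        "v=spf1 include:_spf.example-mail.test -all"],
    # Eleven a: terms, each costing one lookup, so the limit is exceeded.
    ("bloated.test", "TXT"): ["v=spf1 " + " ".join(["a:host.test"] * 11) + " -all"],
    ("host.test", "A"): ["192.0.2.10"],
}


def get_spf(domain, dns):
    """Return the single v=spf1 TXT record for domain, or None.
    Zero records and several records are both unusable (permerror)."""
    spf = [t for t in dns.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def _walk(domain, dns, path):
    """Count lookup-causing terms in domain's record, recursing into include
    and redirect. Returns (lookups, problems, qualifier of this record's all)."""
    if domain in path:
        return 0, [f"include loop via {domain}"], None
    record = get_spf(domain, dns)
    if record is None:
        return 0, [f"{domain}: no usable SPF record"], None
    path = path + (domain,)
    lookups, problems, all_q = 0, [], None
    for term in record.split()[1:]:                   # skip the v=spf1 tag
        lowered = term.lower()
        if "=" in lowered.split(":")[0]:              # modifier: redirect=, exp=
            mod, _, value = lowered.partition("=")
            if mod == "redirect":
                sub, sub_p, _ = _walk(value, dns, path)
                lookups += 1 + sub
                problems += sub_p
            continue
        qualifier = lowered[0] if lowered[0] in "+-~?" else "+"
        mech, _, arg = lowered.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0]                     # bare "a/24" style cidr
        if mech == "all":
            all_q = qualifier
        elif mech in LOOKUP_MECHS:
            lookups += 1
            target = arg.split("/")[0] if arg else domain
            if mech == "include":
                sub, sub_p, _ = _walk(target, dns, path)
                lookups += sub
                problems += sub_p
            elif mech == "a" and not dns.get((target, "A"), []):
                problems.append(f"a:{target} publishes no A record")
            elif mech == "mx" and not dns.get((target, "MX"), []):
                problems.append(f"mx:{target} publishes no MX record")
    return lookups, problems, all_q


def audit_spf(domain, dns=DNS):
    """Audit one domain's SPF record; the all qualifier counts only at top level."""
    lookups, problems, all_q = _walk(domain, dns, ())
    if lookups > MAX_LOOKUPS:
        problems.append(f"too many DNS lookups: {lookups} > {MAX_LOOKUPS}")
    if all_q != "-":
        problems.append(f"record does not end in -all (found {all_q!r})")
    return {"lookups": lookups, "problems": problems, "all": all_q}


if __name__ == "__main__":
    for name in ("example-news.test", "fixed.example-news.test", "bloated.test"):
        print(name, audit_spf(name))
```

Swapping the constructed snapshot for a real resolver is the only change needed to run this against a live domain; the lookup count is what matters, because a receiver that hits the limit returns permerror and the -all on the end then protects nothing.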
In my imagination... Loved this part: "Tesco Bank’s *Financial-Crime-Operations-Team* emailed the fraud strategy inbox rather than phoning the on-call *Fraud-Strategy-Team* - as internal regs required". WTF? Is this the Judean People's Front vs People's Front of Judea - Splitters!
Reading from different sources about this subject, I find it "strange" (to say the least) how UK-based financial organizations understand the concept of IT Security. It reminds me of several scenes from Fawlty Towers. In one article, it is stated that "One of these involved the PAN numbers - the 16 digit card number sequence used to identify all debit cards. Tesco Bank inadvertently issued debit cards with sequential PAN numbers."
"Sequential numbers". Oh, this is not just "stupid". This is just "asking for it" and is very much like building a house but without a roof or door.
I do hope that the person who thought of this got a promotion.
they said they employ robust, world-leading technologies to ENSURE the safety of the deposits, right?! And then, when I called their customer support, they said, quote, "we provide robust, world-leading technologies to ENSURE the safety of your deposits". And when I was still unsure, they said, "AS I WAS SAYIN, WE. EMPLOY. ROBUST. WORLD-LEADING. TECHNOLOGIES. TO ENSURE. THE SAFETY. OF. YOUR. DEPOSITS!"
And they call themselves a "Bank", right? So, like, how come they got hacked, eh?!