Looks like 'Verfied by Visa' may be a red herring because not all online retailers are required to implement this feature. Contactless payments have also been frozen which implies that all the information on the front of the card has been compromised.
The question now is, has the CVV (3-digit security code) on the back of the card also been compromised? This is another feature which was supposed to reduce 'Card not Present' (CNP) fraud, because online retailers are not supposed to save this number.
If the CVV has also been compromised then this means that the hackers have obtained a database of Tesco Bank debit card numbers which includes the CVV, or the online retailer(s) targeted in this CNP fraud do not require the CVV (e.g. Amazon).
Either way, it is obvious that Tesco Bank fraud prevention systems are not working as well as they could be if they failed to block a number of relatively high value online purchases from Brazil being made at the same time by 20,000 UK customers.
Biting the hand that feeds IT
