* Posts by m00head

16 posts • joined 7 Nov 2016

Android beats Windows as most popular OS for interwebz – by 0.02%


The quoted figures are an overall worldwide aggregate.

The country-by-country breakdown tells a different story:


'Tesco Bank's major vulnerability is its ownership by Tesco,' claims ex-employee


Re: Speculation and Rumour

"Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."

Contactless cards fail to recognise foreign currency - 1 November 2014


"A flaw in Visa’s contactless credit cards means they will approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.

New research by experts at Newcastle University, UK, has highlighted a ‘glitch’ in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.

Side-stepping the £20 contactless limit, transactions can be carried out while the card is still in the victim’s pocket or bag. Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same."


Re: Speculation and Rumour

"Card scheme (e.g. VISA, Mastercard) rules mandate online authorisation of contactless transactions I believe. So your contactless transaction in the US for example, made with a Tesco Bank issued debit card, will get referred back to the issuer for online authorisation. It should be they who decide if the contactless limit of £30 is applied, not the terminal at the merchant in the US."

This is not correct.


"When you make a Contactless payment, because the cap is at £30, the merchant doesn’t have to be ‘online’ to process it there and then. They can choose to do it later that day, or even the following day in a big batch - which is what Transport for London does. They even go one step further and process next working day, so you could see a payment made on Saturday appear in your transaction list on Monday. In contrast, Chip & Pin payments are always online, and are processed there and then."


"The UK (and the rest of the world) version of the contactless applications differ from the U.S. one. The UK version has the capability of transacting offline, based on the limit stored in the application."

Which leads to a situation where contactless fraud can continue for months, even after the card has been reported as stolen:




Re: Speculation and Rumour

"Blatantly untrue. In fact, Halifax (at least, quite probably others) are beholden to the contactless payment limit of whatever country they're being used in."

Maybe this has changed recently in response to the Tesco Bank hack...


"[+] Common Enquiries

12. Can I use my contactless card overseas?

Although you can use your Halifax Visa debit card abroad, you can only use contactless for purchases in the UK at the moment."


Re: Securing the systems?

"We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."


"Three unspecified sources told The Times that while most banks updated their systems; Tesco Bank allegedly ignored the warning, leaving its systems vulnerable to cyberattacks. In the event that the probe finds any evidence of the bank having ignored warnings, Tesco Bank could face penalties as well as potential backlash from its customers."


Re: Speculation and Rumour

"Therefore it is something that Tesco has done that has introduced the problem."

* Tesco Bank ignored a warning about a security flaw from Visa a year ago regarding POS entry code 91 fraud (Contactless, using magnetic-stripe data rules). Europol repeated this warning in September.

* Tesco Bank allows contactless transactions in foreign currencies which do not have the £30 UK limit (other major banks do not allow contactless transactions in foreign currencies).

* Tesco Bank fraud prevention system did not detect a brute-force attack against debit card numbers, expiry dates, and dCVV (Dynamic Card Verification Value) of the contactless interface.

What went wrong at Tesco Bank?


Tesco Bank ‘failed to heed warning on cyberattack’ - The Times


"Security flaw enabled fraudsters to steal millions

Investigators are looking into whether Tesco Bank ignored a warning about a security flaw in its payment system that allowed fraudsters to steal millions of pounds from the accounts of thousands of its customers.

Officials at the Financial Conduct Authority and the National Crime Agency believe that Tesco might have failed to act on an industry-wide warning from Visa a year ago. They believe that hackers using specially designed computers were able to take advantage of a so-called Code 91 glitch to access the debit card details.

The glitch meant that criminals were able to repeatedly “ping” payment sites with random debit card numbers until they found a match with a customer’s card number, expiry date and three-digit security code."

More here:




Tesco hackers used mobiles to launder haul - The Sunday Times


"Raiders used contactless accounts to spend stolen £2.5m in US and Brazil

The criminals behind the Tesco Bank cyber-heist went on a spending spree in shops in the US and Brazil to launder their ill-gotten gains, The Sunday Times can reveal.

The thieves used data stolen from the British lender to set up contactless payment accounts on smartphones, sources said.

In a co-ordinated raid last weekend, they bought thousands of low-priced goods from stores, swiping their mobile phones at the tills. Many of the fraudulent transactions are understood to have been made in American electricals retailer Best Buy.

The gang took £2.5m from 9,000 Tesco Bank customers before the lender detected suspicious activity and froze all online payments."



Under the FAQ section:

"Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details"

Are they implying that it was a security compromise in the Visa debit card or contactless system?

Analysts apply Occam's razor to Tesco Bank breach


Dark web hackers boast of Tesco Bank thefts - BBC News


The Sunday Times says the attack was carried out by thieves using mobile phones that used stolen Tesco Bank data to set up contactless payment accounts.

It says fraudulent purchases of thousands of low-priced goods were made at Best Buy electronics stores in the US as well as other American and Brazilian retailers.

The paper does not credit a source for this information.

However, it might tie in to an alert from Europol two months ago that criminals had begun using Android phones to trigger fraudulent tap-and-go payments.

"The possibility of compromising NFC [near field communication] transactions was explored by academia years ago, and it appears that fraudsters have finally made progress in the area," the organisation's Internet Organised Crime Threat Assessment said.

"Several vendors in the dark net offer software that uploads compromised card data on to Android phones in order to make payments at any stores accepting NFC payments."

A spokesman for Tesco Bank said that "none of our systems were breached" and no personal data had been lost, but would not comment further.

Europol warns of Android tap-and-go thefts


Tesco Bank limits online transactions after fraud hits thousands


Naturally, El Reg covered this story at the time:



"According to researchers at Newcastle University in the UK, the contactless function in the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99."



It doesn't really matter where the fraud appears to have been committed - it could have originated from anywhere. Some news agencies are now reporting that it could have been a Russian state-sponsored attack.

The key quote was the method the fraudsters used, i.e. "card-holder present and it was a swipe of the magnetic strip-type of transaction". If accurate, this means it was not 'Card Not Present' (CNP) fraud as previously thought, and also suggests that the algorithm used by Tesco Bank to generate debit card numbers and/or expiry dates may have been cracked, or a big list of them was stolen.

This also explains why contactless payments were also blocked - because the contactless RFID chip on the card contains the same information as the magnetic strip (also shown on the front of the card), but it does not contain the CVV (3-digit security code) on the back of the card.


'Police hunt fraudsters from Brazil and Spain who stole millions in attack on Tesco Bank'


"One said somebody tried to pay for goods in Rio de Janeiro at 9am on Sunday with his card, despite the fact he never used it himself. He said: 'It appears to the bank that someone has worked out the algorithm to create card numbers and start/end dates.

'They told us that the specific transaction was a card-holder present and it was a swipe of the magnetic strip-type of transaction.'"


Looks like 'Verified by Visa' may be a red herring because not all online retailers are required to implement this feature. Contactless payments have also been frozen which implies that all the information on the front of the card has been compromised.

The question now is, has the CVV (3-digit security code) on the back of the card also been compromised? This is another feature which was supposed to reduce 'Card not Present' (CNP) fraud, because online retailers are not supposed to save this number.

If the CVV has also been compromised then this means that the hackers have obtained a database of Tesco Bank debit card numbers which includes the CVV, or the online retailer(s) targeted in this CNP fraud do not require the CVV (e.g. Amazon).

Either way, it is obvious that Tesco Bank fraud prevention systems are not working as well as they could be if they failed to block a number of relatively high value online purchases from Brazil being made at the same time by 20,000 UK customers.



"this refers to online payments to retailers. You should be able to make a Faster Payment as normal from your account by logging into online banking."

Given that they have now frozen online payments to retailers from current account debit cards but not cash withdrawals, Chip & PIN transactions, nor online banking transfers, it is most likely 'Card not present' (CNP) fraud:



