How was Tesco Bank hacked?
Bank robbers no longer need to stick stockings over their heads it seems
Inthis digital age you’d be forgiven for thinking that all bank robberies are cyberhacks. In fact, criminals are still more likely to use old-fashioned methods. Recent heists in Berlin, Milan and India were all carried out by robbers digging tunnels under the bank, opting for the brute force of pneumatic drills over the virtual power of computers. But the Tesco Bank hack, unprecedented in the UK, could be a turning point – a sign that criminals are learning how to breach cyber defences.
On 5 November, Tesco Bank admitted that hackers had stolen money from thousands of accounts. The number was first estimated at 20,000, but Tesco later said that 9,000 customers had lost money totalling £2.5m (an average of £278 per account). Tesco Bank insisted that it had promptly refunded victims.
Intriguingly, the bank said it knew “exactly” how the “systemic and sophisticated” attack happened, but wouldn’t elaborate because it was helping the National Cyber Security Centre investigate. That restriction doesn’t apply to security bloggers, who have been explaining their theories online.
Perhaps the most persuasive came from an “information security manager” who calls himself 1337Mark on the website Peerlyst ( www. peerlyst.com), a community for security professionals. He thinks that the hackers, not keen on the sweat and toil of tunnelling, chose funnelling instead. His analysis is based partly on what the robbers didn’t do. They didn’t target credit or debit cards, nor did they hack into cash machines. Instead they identified Tesco accounts that had permission to move – or funnel – money to other banks in the UK. From there they shifted the money abroad into their own accounts.
Mark says that the robbers probably built malware that could read the amount of money in an account, then transfer it automatically. He speculates that they avoided detection by robbing the bank over several hours, raising fewer alarms than had they grabbed the cash in one go.
According to Mark, it’s “highly likely bordering on certain” that the hackers spotted a flaw in Tesco Bank’s website ( www.tescobank. com). It let the robbers sneak into the bank’s systems undetected, giving them time to identify vulnerable accounts.
We’ll see in the coming months whether Mark is right. Whatever happens, scammers are certain to exploit this hack to bombard customers with phone calls and emails.
Get Safe Online, the Government-supported online safety website, has said that customers should be wary of phone calls and emails from anyone purporting to be from Tesco Bank. Scammers are likely to say that as a result of the hack they need to confirm your login details, or move your money to a safer account.
Tesco Bank says it never asks customers for their full PIN over the phone, and never emails or texts links that take them to their account login page (read more on its website: www.snipca. com/22529).
Customers of other banks should also be vigilant. Fraudsters know how much news coverage the hack received, and will exploit public insecurities about online banking. To sound more credible they’ll refer to the hack – so beware emails that say something like “as a result of the Tesco Bank attack, we are updating our security procedures”.
Scammers are opportunists. They don’t care how the hack was carried out. They just want to know what’s in it for them.
Customers of all banks will now be bombarded by scam phone calls and emails