Cyber criminals boast on dark web about Tesco Bank breach

Hackers knew about data thefts months before Tesco Bank reported the attack


Hackers called Tesco Bank a "cash milking cow" and "easy to cash out" in posts on dark web forums months before this week's attack, according to cybersecurity firm Cyberint.

The Financial Times was the first to report Cyberint's probe of hidden web pages, where the firm said it had found conversations about a tool that tested thousands of login and password combinations to gain access to Tesco accounts.

Although the bank had tried to prevent these attacks, the tool eventually let the attackers succeed.

In an interview with the BBC, Elad Ben-Meir, Cyberint's marketing vice-president, said: "It was a cat and mouse game, but we saw indicators starting from September - so two months before the actual attack - of quite a few threat actors saying, 'We've been successfully getting into accounts and cashing out through various means.'"


According to Ben-Meir, these discussions took place in several forums, including AlphaBay, Hacking Forum, and other less known spaces.

"One of the guys said, 'I used to cash out 1,000 every week without anyone ever noticing'," said Ben-Meir.

These claims made on the dark web could potentially be linked to the money stolen from Tesco Bank about a week ago, although this is still unclear.

The Sunday Times suggested that the theft was made possible by contactless payments through smartphones.

Cyberint and a mobile app specialist, Codified Security, both tried to tell Tesco Bank about their findings, in the hope of securing business.

Martin Alderson, chief executive of Codified Security, told the BBC his company had tried to reach out to Tesco Bank after finding issues with the bank's app.


Codified Security had done research into UK mobile apps and Alderson said Tesco Bank was not the only lender who was contacted with reports of issues.

Alderson did not name the other banks involved, but said: "The top tier banks are really good with their mobile security," referring to NatWest, Barclays, and other popular banks.

The Tesco Bank hack was initially said to have affected around 20,000 customers, who had their funds withdrawn on 5 and 6 November.

In a statement, a Tesco Bank spokesperson said: "We'd like to reassure our customers that none of their personal data has been compromised."


Tesco Bank paid out £2.5 million to 9,000 of its customers, yet the company said suspicious activity was found for 40,000 out of its 136,000 current accounts. The company said that all customers affected by the hack have been refunded.

Tesco Bank CEO, Benny Higgins, commented: "Our first priority throughout this incident has been protecting and looking after our customers and we'd again like to apologise for the worry and inconvenience this issue has caused."


07/11/2016: 20,000 customers hit by Tesco Bank hack 

Tesco Bank has blocked online transactions using current accounts after 20,000 customers had money fraudulently withdrawn over the weekend.  

The bank, owned entirely by the shopping chain Tesco, revealed over 40,000 accounts had seen suspicious activity since Saturday, of which half had money stolen.

Online payments using current accounts have been temporarily stopped while the incident is investigated. Customers will still be able to use their cards in-store and at cash machines, according to a post on the Tesco Bank website.

"We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts," said Benny Higgins, chief executive of Tesco Bank.


"We are working hard to resume normal service on current accounts as soon as possible," added Higgins. "We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible."

After losing £600 over the weekend, one customer said Tesco Bank offered £25 as a gesture of goodwill, according to the BBC.


Another man complained his account balance had dropped by £700, while another claimed she could no longer afford to "feed my kids in school tomorrow."

The Financial Conduct Authority requires banks to refund money lost through fraudulent activity immediately, as well as any charges or interest incurred as a result.

The bank is currently working with regulators and relevant authorities to investigate the circumstances of the hack. A spokesperson for UK data privacy regulator ICO told IT Pro it was assessing the details of the incident, and will investigate if it finds that Tesco has failed to have "appropriate measures in place to keep people's personal data secure" and "enforce if necessary."

Higgins has so far failed to provide any information as to how the accounts were compromised.


"It's unclear yet exactly what happened, but there are a number of potential sources behind the attack," said Piers Wilson, head of product management at Huntsman Security. "It could be a case of insider activity, where an employee has misused their access privileges to take cash from customer accounts."

Wilson also suggests the hack could have come from an outside source, targeting either the bank itself or a company that Tesco shares data with. It is unlikely to have been the result of 'card-skimming' at cash machines, as other banks would have seen similar hacks, according to Wilson.

"Tesco Bank has been quick to respond to the breach, taking immediate measures to minimise the damage," added Wilson. "However we've seen reports that thousands of customers have had cash stolen from their accounts, leaving some in very difficult financial circumstances."

The bank, which was bought by Tesco from RBS in 2008, now has almost 8 million customer accounts.
