Tesco Bank halts online payments after money was taken from 20K accounts (bbc.co.uk)
256 points by luxpir on Nov 7, 2016 | 167 comments



> Tesco Bank is stressing that relatively small amounts were taken from 20,000 accounts

If someone is living month to month, said £500 missing could be a very serious complication of life, and a £25 "emergency fund" is a joke. I personally doubt a wealthy person would use that bank and yet they seem to think their customers are pissing gold.


In many instances the amount taken is significantly more than £500 too. One colleague has had £800 taken. He's quite stressed right now.


Wouldn't that be covered under deposit insurance?


He'll get the money back. There's no doubt about that. The stress is more about not knowing how long it will take nor whatever complications may arise while this is all getting sorted. Also Tesco Bank's (understandably) busy customer services aren't helping people's stress levels either.


In terms of your first $100k insured in a US bank via FDIC (above that you have to have personal insurance, which is very expensive), it might even take 15 years to recover your funds, depending on the complexity of claims and the number of different instruments that the bank has offered to its clients.

For example, there are still open and active claims in the case of NextBank, which was shut down in 2002 and had some updates on status done in early 2015, some 13 years later [1]

Personally I suggest keeping 70% of your financial assets in cash in a safe at home, preferably split into 20% in low-volume silver coins (80% silver) and 20% in foreign currency (EUR) and the rest in USD.

[1] https://www.fdic.gov/bank/individual/failed/banklist.html


Seriously? You'd suggest one keeps 70% of their liquid asset in _cash_ at home?

Yes, if you're living during the Great Depression perhaps, but your suggestion is ludicrous. Maybe a few percentage points in crypto and cash, but most of it should be in your bank/investment accounts.


Bank and investment accounts will yield you single-digit points per year and in most cases - unless you have a few MM - the cost of your bank account will be more than what you earn.

Meanwhile banks wage war on cash. It's harder and harder to withdraw your own money. Here, try and show up at your bank and say you need $150,000. They tell you to come back in a few days, and in some cases they will ask you to fill out a form and explain why you want to withdraw your own money.

If you do not live in a reasonably safe neighborhood, plus do not own an alarm system, plus do not own a safe, plus do not own a firearm, then yes the bank is your best friend. Other than that there's no reason to keep some federal paper in someone else's possession at their disposal for a mere 0.5% per year. You don't gain anything and in some cases, you might lose some or all of it (yes extreme scenarios but always)

Here are a few articles to continue...

http://dailycaller.com/2014/01/29/bank-refuses-to-give-custo...

http://thefreethoughtproject.com/feds-banks-inform-law-enfor...

http://www.bbc.com/news/business-25861717

and here is one quick, very informative read: http://www.rd.com/advice/saving-money/secrets-bank-teller-wo...

ps. in all fairness I would say keep 70% in gold or silver, but over the years this commodity has been shifted between the countries in such huge quantities (government buy/sell-outs), that the price is dictated by which country has a specific political system and how much PM they own, rather than the true market price. Unless you can predict you won't need to turn your PM into cash within the next 5-10 years, which is a hard calculation for anyone these days.


FDIC is now $250K PER bank. You just have multiple accounts across a few banks until your wealth is so much that that becomes unmanageable and then you just hand it over to the Berkshire Hathaways of the world.


Tesco is licensed in the UK, and so is covered by FSCS [1] (similar to US FDIC) up to £75k.

It's not so relevant here, but in the case that the bank became insolvent (very unlikely in this case), FSCS aims to pay out within 7 days, and will pay all claims within 20 days.

[1] http://www.fscs.org.uk/what-we-cover/


Should I insure that 70% somehow?

Or maybe invest in some extra firepower?


Tesco is a bank for effectively the working poor, young and migrant workers that cannot open an account at a normal high street bank.

These are people who may have to pay rent more than once a month, have direct debits for bills and more likely than not do not have an overdraft over £100, if at all.

If your bills bounce you will end up with fines, and even a lower credit score than the one which prompted you to open an account with Tesco in the first place.


I came to the UK in June this year. My wife and I both moved because of a job. We are from another EU country.

What's interesting is that I signed us up for a Tesco bank account but we were both rejected. Probably because we didn't have any history in the UK yet, but it still kind of sucked - now I am glad they rejected us. Ultimately the next day we went to a red and blue US bank on the high street and got it all sorted within half an hour. We showed them contracts, documents and bills in our names (the real estate agency through which we rent had already sorted that out for us before we came) and we were done. Got our cards made on the spot as well.

So it was kind of the opposite for us. We couldn't get the bank account with Tesco because of their "security check" but could at the high street bank.


Luckily EU regulation now requires most banks to open a (basic) bank account. Just need an ID and a proof of address.

Some banks even allow opening the bank account over the internet if you are an EU resident.

(I know your pain though, opened a UK bank account a year ago, from the EU as well. The most difficult thing for me was actually the proof of address. Metro Bank required 2 plus 2 proofs of ID, a different bank was fine with just one proof of identity and even googled my post code when I forgot a letter :) )


> The most difficult thing for me was actually the proof of address.

You don't need to prove a UK address, just an address. Depending on the bank, you can open a UK bank account with an overseas address, and change it after you move.

If you haven't planned ahead, then anecdotally Barclays will open an account in branch with only a passport.


I wrote what I-hope-is-the-most-comprehensive StackExchange answer about this, just in case anyone else is battling:

http://expatriates.stackexchange.com/questions/85/how-to-ope...


UK banks will also tend to be a lot easier to deal with if your employer is willing to write a letter and/or call their business banking contact to arrange for it.

That's how I got my first UK account.


Same thing, though when I brought the letter they were meh about it and said that the letterhead did not look real enough....

I told them to sod off and to look up the company at Companies House.

Passport Accounts in the UK are pretty limited in what you can do with them, so I don't advise opening one up front if you are planning to immigrate.

Just ask your employer for a cash advance and either use cash for the first 2-4 weeks or use your debit/credit card from your previous country of residence.

When I first relocated I arranged that the employer would cover the hotel for up to 6 weeks, provide everything needed for a bank account, provide/cover the accountant needed to sort any tax liabilities when moving funds, and cover the deposit for the first rental and the agent fees.

If you are hired by a large corp which does relocation all the time they'll have a standard and even a better package; if the company doesn't do relocation on a regular basis make sure all your sides are covered.

Otherwise you can land in a limbo state where you need a bank account to rent a flat, and you need an address (a hotel won't do) to open a bank account (they ask for a utility bill).


The UK seems to have pretty stringent "know your customer" regulation. Or maybe the banks are copper-bottoming the regulation.


UK financial policies are very weird, and in some cases I'd argue they go against the right for freedom of movement as granted by EU. I guess that doesn't mean much with Brexit, but still...

I've been working in a variety of EU countries, with no issues at all. In Denmark, I was even able to secure a mortgage within my second week in the country.

I always work for very reputable employers, with long-term contracts. And I have some savings. Well, here in the UK I have had enormous trouble to lease a £100 / month car after 2 years in the country because I did not reach 3 years of credit history.

Most of the heuristics they use are a joke. And illegal. If you have a chat with the Financial Ombudsman, he can probably sort you out.


A few months ago I was denied a £10/month mobile contract (SIM-only) from Carphone Warehouse because of nonexistent issues with my credit score.

I escalated this to the Ombudsman, just to piss them off for the poor treatment... magically they offered me a SIM and an (half-)apology.


I got denied an upgrade by O2 because Equifax doesn't like the fact that I am not registered to vote and I make a 6 figure salary in the UK. I asked why the hell I can't upgrade after I had no problems getting the phone on contract a year ago, got a stupid reply, ordered an iPhone 7 from the Apple store and moved to EE. I called Equifax to complain and they told me to send a letter of correction; I told them Amex gave me a credit limit higher than the average take home salary in the UK and they can sod off. I can't believe I've wasted 15 GBP on that fucking report.


The UK rules are a side effect of a system where there is no national ID number that is considered acceptable for identification purposes, and no national register of where people live, which makes it very easy for people to run away from debts etc..

The various id requirements and 3-year credit history expectation are basically workarounds for this.


Yet a utility bill is a valid form of ID in this country, something you can pick up from the trash....


A recent utility bill is only part of a package of documentation that is valid ID.


I think you're talking about Metro bank? I know they're literally on the high street but they're meant to be a bit more innovative/useful when you actually go into a branch.

I normally use the phrase 'High Street bank' to mean those that have a branch on most high streets and range from unhelpful to really unhelpful. That's useful to know that Metro bank are living up to a different reputation.


Note that Metro Bank is a British bank, though there is an American bank with the same name and the better Internet domain.

As far as I know, they're not related.


Although the founder of Metro Bank, Vernon Hill is also the CEO of an American bank - Commerce Bancorp https://en.wikipedia.org/wiki/Commerce_Bancorp


Right, but until that insurance pays out you're maybe faced with a bill you cannot pay in the meantime.


One would hope Tesco would cover any costs incurred by customers that are a direct result of this. I know banks in the past have cancelled non-arranged overdraft fees when they've screwed up, but that's easier to do as it's cancelling a charge rather than actually paying money out.


One would hope, but again time is a factor. I've had a weird "I'll be OK soon but for now I'm in trouble" situation before with Bank of Scotland back when I was a student. BOS randomly decided overnight that instead of having an agreed-upon student overdraft limit of GBP 2000 I had none whatsoever and needed to start paying them the full balance immediately. Eventually this was resolved, but for four days I was unable to pay rent or buy food. I was extremely lucky I had friends/family I could rely on in the meantime and that it was resolved so quickly, others may not be so lucky.

I am astonished how many people in this discussion are completely unaware of the idea that some people aren't as lucky as us and work paycheque-to-paycheque. I know HN/SV is a bubble, but surely we're not so out of touch with reality...


I had a very similar experience with BOS back in the early '90s.

And you're spot on - there are so many people juggling these financial balls that one slip up can cause issues for years.


I'm sure the creditors would be lenient if you can prove this incident complicated things for you.


Can't tell if this is sarcasm.

Then again, maybe I am overly cynical. UK utilities at least do seem to have a more positive approach towards people struggling to pay than other countries.


Aye, it's one of the (very) few good things you can say about them (generally).


To some degree you're right - if you've got a landlord you need to pay or a utilities provider (assuming you're not horrendously behind already) then sure, but it'd depend on the creditor. I suspect these lads wouldn't be particularly sympathetic, for example: https://www.eveningtelegraph.co.uk/2015/11/24/warning-of-loa...


I'm wondering why the individual amounts were so small (relatively speaking)? Perhaps some strategy to avoid tripping warning systems.

Do you know if the £800 was all there was in that particular account?


Most banks have a limit on transfers, but everything under £1000 should work without triggering any warning


An interview with Tesco exec on Radio 4 this morning suggested something like this was going on. Obvs they don't say what their detection rules are. Which makes you wonder how the attackers gamed them (inside info, or reverse engineering after compromising many accounts?)


Honestly based on the average amount in a checking account at a bank like this they probably could've drained the entire balance without triggering any limits.
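The thread above speculates that the individual amounts stayed under a per-transaction limit (around £1000) to avoid tripping the bank's warning rules. The following is an added example, not code from the original thread or from Tesco Bank, showing why a per-transaction threshold alone misses this pattern and what an aggregate rule looks like: it runs both rules over a constructed batch of outbound transfer records and flags a destination that receives many sub-threshold payments from many distinct source accounts inside a short window. Account identifiers, timestamps and amounts are constructed sample data; the threshold, window and minimum-source count are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound transfer records (not real bank data).
# Each row is (iso_timestamp, source_account, destination_account, amount_gbp).
SAMPLE_TRANSFERS = [
    ("2016-11-05T02:01:00", "ACC-0001", "DEST-X", 600.0),
    ("2016-11-05T02:03:00", "ACC-0002", "DEST-X", 850.0),
    ("2016-11-05T02:04:00", "ACC-0003", "DEST-X", 700.0),
    ("2016-11-05T02:06:00", "ACC-0004", "DEST-X", 900.0),
    ("2016-11-05T02:09:00", "ACC-0005", "DEST-X", 550.0),
    ("2016-11-05T09:30:00", "ACC-0001", "DEST-LANDLORD", 950.0),
    ("2016-11-05T10:00:00", "ACC-0009", "DEST-LANDLORD", 950.0),
    ("2016-11-05T11:00:00", "ACC-0002", "DEST-SHOP", 40.0),
]

PER_TXN_LIMIT = 1000.0  # assumed per-transaction alert threshold


def per_transaction_alerts(transfers, limit=PER_TXN_LIMIT):
    """Naive rule: only a single transfer at or above the limit alerts.
    Every row in the sample is below it, so this returns nothing."""
    return [t for t in transfers if t[3] >= limit]


def fan_in_alerts(transfers, window=timedelta(minutes=15),
                  min_sources=4, limit=PER_TXN_LIMIT):
    """Aggregate rule: many distinct source accounts paying the same
    destination within `window`, each payment below `limit`.
    Returns {destination: {"distinct_sources": n, "total_gbp": x}}."""
    by_dest = defaultdict(list)
    for ts, src, dest, amt in transfers:
        if amt < limit:  # only the sub-threshold traffic the naive rule ignores
            by_dest[dest].append((datetime.fromisoformat(ts), src, amt))

    alerts = {}
    for dest, rows in by_dest.items():
        rows.sort()  # time-ordered so a sliding window works
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            sources = {r[1] for r in in_window}
            if len(sources) >= min_sources:
                alerts[dest] = {
                    "distinct_sources": len(sources),
                    "total_gbp": sum(r[2] for r in in_window),
                }
    return alerts


if __name__ == "__main__":
    print("per-transaction alerts:", per_transaction_alerts(SAMPLE_TRANSFERS))
    print("fan-in alerts:", fan_in_alerts(SAMPLE_TRANSFERS))
```

The landlord destination in the sample receives two payments of the same size and is not flagged, because the rule keys on the number of distinct payers rather than on amount; in practice the window, source count and an allow-list of known beneficiaries would be tuned against the bank's own traffic.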


Another way to look at it is that a relatively large amount of money was taken from Tesco, and Tesco has simultaneously been fooled into reducing the reported balance on 20,000 customer accounts.

The difference is between whether this is seen as a bank robbery, or a series of minor incidents of identity theft.


yes, the infamous Mitchell & Webb Identity Theft sketch https://www.youtube.com/watch?v=CS9ptA3Ya9E


> personally doubt a wealthy person would use that bank and yet they seem to think their customers are pissing gold.

Actually they give a decent interest rate (relative to the competition) of 3% on the first £3,000[0] so I know a few people who have multiple accounts with them just to reap the interest.

[0]http://www.tescobank.com/current-accounts/


3% minus inflation of 0.6% that would be 2.4% of £3000, which is £72 a year, which gives £6 a month. Is it worth the hassle?


I don't understand why you're subtracting inflation. Yes, I know doing so gives you the 'real terms' increase in value, but if you stuff £3,000 in a mattress and pull it out after a year you don't notionally add inflation to its value when comparing it to the value of savings. The savings in that account would still be 3% more than your mattress money, not 2.4% more. Unless you're comparing it to spending all the money right now.

Anyway, £6 (or £7.50) is the price of a meal. £72 (or £90) is the price of a few decent Christmas presents. These things add up.


He's probably subtracting inflation to make the interest rate of Tesco relative to the rest of the economy. Stuffing money in a mattress is a pretty poor idea when it should be very easy to find an investment scheme that covers inflation.


It's not like the rest of the economy is immune from inflation though. Do we adjust everything for inflation? It just strikes me as pointless complication. Really, the only point I can think of is comparing saving to outright immediate spending.


Certain statistics are usually inflation adjusted, like GDP. Real Gross Domestic Product measures economic output adjusted for inflation or deflation. If inflation is 20%, and you're earning 3% interest, you're losing purchasing power. If inflation is 1% and you're earning 3%, you're gaining.

Real, not nominal, returns are what people care about.


> If inflation is 20%, and you're earning 3% interest, you're losing purchasing power.

Yes but I think the point the person you're replying to is trying to make is that it doesn't matter because the inflation rate is not dependent on where you put your money.

Shouldn't the comparison be to the interest rates and risk with comparable places to put/invest your money? I suppose if inflation were extremely high or low compared to interest rates then it would affect your appetite for risk vs interest rate, but I don't think that's the case here.


You need to consider real returns only if the inflation rate varies between things you're looking at, i.e., across countries or time.


But investing in 'the economy' generally means investing in the stock market. Which introduces risk, which isn't great for an emergency fund - and you'll no longer be covered by FSCS.


When you're storing small sums of money (less than 10k €/$), the amount you lose from inflation from stuffing money in a mattress over a year is negligible.


There aren’t many other options when it comes to low risk, short term money storage. Certainly beats any cash ISA rate atm (some of which are actually below inflation).

There’s a website[0] dedicated to helping with this style of saving, so I think it’s a fairly popular thing with people who don’t want to leave money on the table.

[0]https://www.bankaccountsavings.co.uk


What hassle? If you need a current account, open a Tesco one, and you're getting free money.

(If you're opening multiple ones, and juggling money between them or whatever, you're probably just the sort of person who gets a kick out of doing this sort of thing, and so the exact figure is beside the point...)


£72 in a year for about 15 minutes of effort sounds worth it to me. (Apply online and transfer money to the account online.)


because a lot of accounts provide an interest rate that's below inflation


Think of it as a savings account and it's fairly competitive in the current climate. No monthly pay-in required, no direct debits etc. required, just 3% interest no questions asked.


With Brexit uncertainty the current GBP inflation is over 20%. 3% is a drop in an ocean on that.


If the UK is in as much trouble as the naysayers seem to think, that 3% counts for more than ever, since cash will be tight.


The UK doesn't import everything.


No, but quite a lot.

"Overseas Trade Statistics. In July 2016 the value of exports (EU and Non-EU) decreased to £23.9 billion, and imports (EU and Non-EU) decreased to £39.7 billion, compared with last month. Consequently the UK is a net importer this month, with imports exceeding exports by £15.9 billion."

https://www.uktradeinfo.com/Statistics/OverseasTradeStatisti...


So, (brits), why did you downvote this without commenting?

(It went from +3 to 0.)


I would guess because the UK economy is worth ~£2tn. £150bn of imports rising at 20% isn't a huge impact (around 1-2% - not a huge deal in the grand scheme of things).

PS: I didn't downvote you.


That's because of the London banking. Which is now moving to Frankfurt.


fat chance, some back office operations will move (as little as possible), and the lucrative front office work will remain in London as that's where the clients are


60% of food and petrol (gas) is priced in dollars


Whether you like it or not the USD is the world peg right now and a currency's worth in USD is its true measure of inflation. What the national bank prints is negligible in comparison.


I'd suggest using international drawing rights, a basket of currencies that mean fluctuations in the dollar are evened out


They seem to be in full self denial mode right now.


I wonder what the security flaw was? It is interesting that all the customers are still allowed to use their cards for cash withdrawals and payments, and they can all still log in to their online accounts. There doesn't seem to be any mention of a system-wide password reset.

So... it sounds like there wasn't a widespread theft of account credentials, and that the attack was some kind of weakness in the bank's online systems. Perhaps the attackers found a way to log in to accounts bypassing the usual security checks? But that still doesn't explain it all.

All my online accounts have extra security when I create a payment to a new individual. Some have an extra password check, some have SMS validation, and so on. All of them send me a notification of a new payment being added. And yet there doesn't seem to be reports of Tesco customers getting any of these kind of messages. People only found about the losses when they logged into their accounts, or when Tesco broadcast a "we've been hacked" message to everyone.

Does anyone know what could have happened here?


From the Article "I've not heard of an attack of this nature and scale on a UK bank where it appears that the bank's central system is the target"

Sounds like it's a breach from within (or at least not through compromised accounts); this would explain the lack of concern from Tesco about resetting security (much to the chagrin of customers, I'm sure) and the huge number of affected accounts.


There was a victim on the radio this morning saying his account had been breached. But he said the account is one he just uses for savings. He received the card in the post years ago and it has sat in his safe ever since. It's never left his house. So he couldn't understand how someone could have ever got his details.


Sounds like the bank got breached, not the customer.


Disclaimer: I don't use Tesco Bank so this is just speculation and some observations.

The types of 2FA vary dramatically between banks. Some use an SMS OTP but as we know phone numbers aren't secure [0]. Most use a card reader but they often do this differently. Some use the 'identify' function to log on and the 'sign' function for payments (as designed) but others use the 'respond' function for everything. The danger in using 'respond' for payments is that the account and amount aren't entered into the card reader so you don't know what you are authorising.

<pure-speculation>

If Tesco have a flaw in how they are using 2FA, by only using 'respond', then local malware could intercept genuine payments, alter the account/amount details, and get the user to authorise this. Or Android malware could intercept SMS messages. N.B. This assumes the issue is in the faster payments system but it could be in the payment card system. It appears cash points still work but this is a separate system to debit card payments.

</pure-speculation>

From what I've read no one will lose money but having transactions frozen is still a big inconvenience. As mentioned elsewhere here, this is why it's a good idea to have many different bank accounts from various parent institutions (also important from a deposit guarantee position). Some banks share the same infrastructure and liability. Always have some cash available too, although that is getting harder to spend everywhere [1].

[0]: https://unop.uk/phone-numbers-for-examples-and-user-identifi...

[1]: https://unop.uk/do-you-accept-cash/
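The comment above distinguishes a card reader's 'respond' function (a code computed from the bank's challenge alone) from its 'sign' function (the user keys the payee and amount into the reader, so the code is bound to them). The following is an added, simplified model of that distinction, not code from the original thread and not an implementation of any real card-reader protocol: both reader modes are simulated with an HMAC over a placeholder card key, and the bank-side verifier is run against a payment whose payee and amount a piece of browser malware has rewritten after the user authorised it. Function names, the card key and the challenge value are assumptions.

```python
import hashlib
import hmac

# Placeholder per-card secret; in a real scheme it never leaves the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def reader_respond(card_key: bytes, challenge: str) -> str:
    """'Respond' mode: the code depends only on the bank's challenge,
    so it authorises whatever transaction the bank later receives."""
    return hmac.new(card_key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def reader_sign(card_key: bytes, payee: str, amount_pence: int, challenge: str) -> str:
    """'Sign' mode: the user keys payee and amount into the reader, so the
    code is bound to those values and to the challenge."""
    msg = f"{payee}|{amount_pence}|{challenge}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(card_key: bytes, submitted_payee: str, submitted_amount: int,
                challenge: str, code: str, mode: str) -> bool:
    """Bank side: recompute the expected code from what was actually
    submitted and compare in constant time."""
    if mode == "respond":
        expected = reader_respond(card_key, challenge)
    elif mode == "sign":
        expected = reader_sign(card_key, submitted_payee, submitted_amount, challenge)
    else:
        raise ValueError("unknown reader mode")
    return hmac.compare_digest(expected, code)


def simulate(mode: str, tampered: bool) -> bool:
    """The user intends to pay payee A £500.00. If `tampered`, malware in the
    browser rewrites the submitted payee and amount after the user has
    generated the code. Returns whether the bank accepts the payment."""
    challenge = "12345678"  # constructed; real challenges are fresh per session
    intended_payee, intended_amount = "GB-PAYEE-A", 50000
    if mode == "respond":
        code = reader_respond(CARD_KEY, challenge)
    else:
        code = reader_sign(CARD_KEY, intended_payee, intended_amount, challenge)
    if tampered:
        submitted_payee, submitted_amount = "GB-MULE-B", 95000
    else:
        submitted_payee, submitted_amount = intended_payee, intended_amount
    return bank_verify(CARD_KEY, submitted_payee, submitted_amount, challenge, code, mode)


if __name__ == "__main__":
    for mode in ("respond", "sign"):
        for tampered in (False, True):
            print(f"mode={mode:8} tampered={tampered!s:5} accepted={simulate(mode, tampered)}")
```

With 'respond' the tampered payment verifies, because nothing in the code ties it to the payee or amount; with 'sign' it fails, which is the property the comment is pointing at when it says that with 'respond' you don't know what you are authorising.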


Welp, just because you get to have Verizon give up your phone number because someone asked nicely doesn't mean it is universally a bad idea

Hell, I can't even get authenticated with my provider half the time because the simcard comes with its ID/PIN/password that is printed on your contract. You need that to do any changes on your account.

I personally think cell phones can be made secure enough and are the most convenient. If somebody really wants to fuck with you, they will anyway, for most people there is not much point to it anyway


Not all banking systems require 2FA, phone banking doesn't.

I've tested systems that allow you to transfer money between accounts where, if you can bypass the initial authentication, you can transfer money without needing to use 2FA or generate a TUN code.

And these systems can be breached.


Well there hasn't been an APT (Advanced Persistent Threat) attack yet on a UK bank (although we've seen them on banks in the developing world). Perhaps this is the first and perhaps the attackers figured that doing many smaller transactions would work for longer than big ones.


could be entirely a software bug? Though I tend to agree that it looks worse than that.


Sure. All it takes is a REST endpoint without the proper XSRF checks.


This was my first thought. A lot of the replies here are going all out, but it is likely some simple web vuln that trusts the browser.

    /transfer_money?from_account=NNNN&to_account=MMMM&amount=$$$$
It would actually be really interesting if they faxed in transfer forms or something.
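The two comments above sketch the simplest explanation: a state-changing transfer endpoint that trusts the browser, reachable as `/transfer_money?from_account=NNNN&to_account=MMMM&amount=$$$$`. The following is an added example, not code from the original thread and not Tesco's system, showing that pattern beside its hardened form: the vulnerable handler honours any request that arrives with the victim's session cookie, while the hardened one requires a POST, checks a per-session CSRF token in constant time, verifies server-side that the caller owns the source account, and bounds the amount. The session store, account ownership table, balances and request dicts are constructed in-memory stand-ins for a web framework's request object.

```python
import hmac


class TransferError(Exception):
    """Raised by the hardened handler when a check fails."""


# Constructed in-memory state (hypothetical): session store, ownership, balances.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": "tok-alice-9f3c"}}
OWNERS = {"NNNN": "alice", "MMMM": "mallory"}


def fresh_balances():
    return {"NNNN": 1000.0, "MMMM": 0.0}


def transfer_vulnerable(request, balances):
    """The pattern described in the thread: every parameter is trusted and the
    session cookie alone authorises the move, so a cross-site GET succeeds."""
    p = request["params"]
    amount = float(p["amount"])
    balances[p["from_account"]] -= amount
    balances[p["to_account"]] += amount
    return "ok"


def transfer_hardened(request, balances):
    """Same endpoint with the checks a browser-facing transfer needs."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        raise TransferError("not authenticated")
    if request["method"] != "POST":
        raise TransferError("state-changing request must be POST")
    p = request["params"]
    # The CSRF token is submitted in the body; a cross-site request cannot
    # read it, so it cannot supply it. Compare in constant time.
    if not hmac.compare_digest(p.get("csrf", ""), session["csrf"]):
        raise TransferError("missing or bad CSRF token")
    src, dst = p["from_account"], p["to_account"]
    # Server-side authorisation: the caller may only debit accounts it owns.
    if OWNERS.get(src) != session["user"]:
        raise TransferError("source account not owned by caller")
    amount = float(p["amount"])
    if not (0 < amount <= balances[src]):
        raise TransferError("invalid amount")
    balances[src] -= amount
    balances[dst] += amount
    return "ok"


def run(handler, request):
    """Apply one request to fresh balances; return (outcome, balances)."""
    balances = fresh_balances()
    try:
        outcome = handler(request, balances)
    except TransferError as e:
        outcome = f"rejected: {e}"
    return outcome, balances


# Cross-site request: the browser attaches the victim's session cookie, the
# parameters come from elsewhere, and no CSRF token is present.
FORGED = {"method": "GET", "cookies": {"session": "sess-alice"},
          "params": {"from_account": "NNNN", "to_account": "MMMM", "amount": "800"}}

# The genuine form post from the logged-in user, carrying the session's token.
GENUINE = {"method": "POST", "cookies": {"session": "sess-alice"},
           "params": {"from_account": "NNNN", "to_account": "MMMM",
                      "amount": "800", "csrf": "tok-alice-9f3c"}}

if __name__ == "__main__":
    print("vulnerable, forged:", run(transfer_vulnerable, FORGED))
    print("hardened, forged:  ", run(transfer_hardened, FORGED))
    print("hardened, genuine: ", run(transfer_hardened, GENUINE))
```

The ownership check is the one that matters even when CSRF is handled: a token stops a third-party site from driving the victim's browser, but only a server-side lookup stops an authenticated user from naming someone else's account as `from_account`.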


That hasn't been released, but I think it's interesting that the original press releases frames this as a matter of fraud rather than a breach.

I personally doubt this will be revealed to be a software security issue.


Agreed with your concerns. The fact that it was widespread and no action from Tesco that indicates any understanding of what was compromised suggests they have no clue.

So they may still be vulnerable. If UK customers can find a low (or no) cost alternative place to put what remains of their money, I'd do that now. This might not be over.

They may not know how the attackers gained access or if they're still inside until incident responders have done a full workup on the network.


I believe Tesco is a customer services front end to HSBC, so I doubt that it's a back end/accounting problem. Since it's only online payments that have been stopped it suggests a card details leak, including the security code. I imagine this would only affect cards that don't have the 2 factor (Mastercard/Visa) step set up. Perhaps a successful phishing or malware attack which has targeted Tesco users.


Not on RBS platform anymore, they moved their current accounts off that to fiserv:

http://www.computerweekly.com/news/2240222351/Tesco-Bank-lau...


No, Tesco Bank is wholly owned by Tesco; you're thinking of M&S Bank, which is a front end to HSBC.


I can say for sure that the few times I've had issues transferring money overseas, Tesco customer services claim to be checking the status on an HSBC system.


Maybe their forex is via Hsbc?


I think you might mean SWIFT (worldwide) or SEPA (euro area + other EU).

Forex typically means buying or selling currencies, not transferring money between parties.


It's a moot point, but forexes are also used to move money internationally. It is ultimately buying and selling currencies, but you get much better rates than through the bank because the forex isn't actually moving your money. It's receiving money into accounts which are in the sender's country, and then, using its accounts in the receiver's country, it pays the receiver.

Also means the receiver doesn't get hit with fees to receive an international payment.


Some of the smaller banks and building societies seem to use larger banks like HSBC to process transfers.


I interpreted "online payments" to mean payments to accounts via online banking, rather than credit/debit card payments online.

If it was a card details leak, I'd have expected cards to be cancelled, and not allowing them to continue to be used.


Definitely making card payments online is currently blocked. A text message I've received says SOs and debit orders will continue as normal.


There are stories of people losing 2000 pounds leaving them with only 20 pounds left in the account. Hard to believe such people could get credit cards with a 2k limit. Also if the fraudulent payments were card payments why not just reverse them in the normal way. It sounds more like bank wires.


> Hard to believe such people could get credit cards with a 2k limit

Unfortunately that's totally plausible, and in fact those are the profitable customers for credit card companies. Why give a credit card to someone who can pay off their bills in full every month, when you can give someone more credit than they earn, let them spend it all, and then pay you monthly with interest?

As a point of reference, my Amex limit is 5x my monthly post-tax earnings. Back when I was only eligible for entry cards, a £250 limit increased to >£5k within a year.


It does sound like bank transfers - either SWIFT or Faster Payments. If it's a backend attack they could well have bypassed all the usual checks, including checking for positive balance & overdraft limits.


That still seems odd... phishing & malware attacks are going on all the time, so a targeted strike on Tesco bank users all at the same time would be a very 'restrained' attack. Phishing would take place over several days, so the attackers would be gathering account details piece by piece. Also, the first thing that banks tend to do when a large scale phishing attack has been successful is to re-issue new passwords and card numbers, yet Tesco haven't done this. So whatever avenue of attack the hackers had, Tesco must be confident that they have closed it off without needing to junk any compromised account details?


And this right here is why you should have accounts with at least three separate banks, ideally in at least two different countries, and emergency funds in all of them. Also – get a couple of credit cards! Even if you never use the credit beyond what's necessary to keep it, it's good to have for when the proverbial shit hits the fan. Cash is also useful for solving basic needs like getting food, but for paying bills it tends to be less so, since it's increasingly a pain to pay bills by cash these days. The move to cashless is unfortunately going faster than a feature parity alternative is being developed and, crucially, adopted.

As with almost anything financial, the key to lower risk is not putting all the eggs in a single basket.


Unfortunately, the people who are likely to be most negatively impacted by an incident like this (relatively smaller amounts taken across a large number of accounts) are not in the position to have multiple bank accounts. Someone who is living paycheck to paycheck needs to aggregate all of their funds in one bank account in order to write a check for rent, and to avoid excessive non-sufficient fund fees.

Agreed that this is sage advice for anyone who is able to financially have multiple accounts though.


Unfortunately, you're right. :o(

Thing is, you don't even have to have a whole lot of money to set up multiple accounts. I started doing this when I was still a student, because I got freaked out by how easy it was to skim cards back in the dizzy. (Maybe it still is, but in the EU most cards seem to be smart cards these days so you can't just do the swipe skim anymore – at least, I don't think so.)

I had four accounts:

- A: current account, where I would receive whatever little money I'd make on the side every once in a while, and benefits

- B: savings account, where I'd move most money I received in account A; this account had full freedom but pretty much no meaningful interest

- C: second savings account, where I'd actually put savings; some restrictions but better interest

I also had a mixed debit/credit card connected to A – it had terrible limits (something like £250) but it was enough to make purchases throughout the day. At the end of the day, I'd move funds from B to fill the credit back up, thereby never getting any penalties. It's important not to actually use this credit for more than whatever the allotted free time is. (I think I had 30 days free credit, but always paid it back immediately anyway.) A almost never had any money on it, and if I needed to make larger purchases than the credit allowed I'd just transfer it when I needed it. This setup worked well, and I had a couple of scares where my card had to be blocked, but I never lost money. My savings were abysmal (living hand to mouth) and it was the same funds moving around all the time – I just made sure that my exposure on the card was almost always the bank's money. They're pretty quick in settling things when shit hits the fan then.

This setup breaks down if someone manages to hack the bank or you though, since it's all in the same bank. This is why I use multiple banks today.

Obviously mileage varies by country, but my experience with banks in the EU is that once you've got an account, they're more than happy to set up more stuff for you. (Ye olde Wells Fargo trap, I s'pose.)

Most banks like to insist that you use them exclusively, but I've never heeded that advice and so far I've never had a problem with it. If anything, they seem to work (ever so slightly) harder to get all of your business.


OK while I am a big fan of multiple bank accounts (I have three, all for different purposes) this advice is total overkill and inappropriate for anyone who isn't financially stable, which unfortunately, is half of Americans. Two different countries? No thanks, I'm not screwing with that nightmare. I'd like to keep my money in the form of US dollars, I have no need for foreign currency and I don't want to waste money converting to and from different currencies. Most people that I know lack the discipline to manage multiple accounts at multiple institutions.

Credit cards are great for some but inappropriate for others who lack discipline or funds. Keep in mind you spend more when using plastic over cash as well. [1]

No advice is one sized fits all.

[1] https://www.nerdwallet.com/blog/credit-cards/credit-cards-ma...


Perhaps the suggestion was made from an European standpoint? Two accounts in Euros within the SEPA area [1] means no costs for currency conversions or bank transfers between your accounts.

[1] https://en.wikipedia.org/wiki/Single_Euro_Payments_Area


Well, the bank in question holds GBPs, converting to/from Euros to GBPs seems incredibly inconvenient and has no real benefits. Most people get their wage in a single currency and use a single currency in their every day lives.

I have a family member who gets their pension in Canadian dollars but lives in the US. Since he lives in the US he has no need for Canadian dollars. He says that his money loses a quarter of its value converting from Canadian dollars to US dollars. I don't know if that's true, it's what he told me.


That's because the exchange rate has gone down - not from frictional transaction costs. The worst ripoff forex fees are in the 1% range. You can do much better if you look.

Further it's relatively easy to keep USD in a Canadian bank account if you want to.


Most banks I've ever done business with in the EU will let you keep a currency account, in select currencies. Having two (or more) accounts in different countries is not particularly difficult then; it's just like having a different bank account. There are usually no capital requirements either, although there may be an annual (but small) charge, and you may have to call and actually talk to someone to get it set up since it's usually not self service.


Even so, the vast, vast majority of Europeans have income and expenses in a single currency, in a single country.

If they don't, then within the Eurozone they still don't necessarily need two accounts. It might be convenient, if it enables using local systems to pay utility bills on two properties, for example.

If currencies are being changed, SEPA doesn't help.


I wouldn't recommend that for the average individual (who, unlike most of the readers on this site, don't have a lot of disposable cash in savings anyways) - at least from a tax filing perspective. At the very least you're going to have to start filing an FBAR annually, and (depending on tax treaties) have to deal with withholding credits. That all aside, there's the currency-conversion hassle, and the fees associated with moving cash internationally.


I should have mentioned I'm in the EU, and the single market makes this a lot simpler – apologies.


Ah. My bad - yes, I replied from a North-American-centric perspective. I have no knowledge of the EU, and can only assume that the common market would make things simpler (though I wonder if the banks there are really independent of each other, and shocks in each others' home economies.)


> ideally in at least two different countries

Is it generally easy to open accounts in countries you are not resident in?


It depends on your country, and the country you're looking at.

If you are an American, be aware that merely having a bank account in a foreign country will make your life a lot more complicated at tax time. It's probably not worth the pain, unless you have a specific need.


Actually some UK/Euro banks won't take American customers to avoid the extra costs the IRS insists on.


It's not so bad, actually; you have to file FBAR, which will take you a couple of hours, but that's about it.


It only takes me a couple hours to do my taxes in the first place.


Yes. You can open a bank account in Estonia online, without ever going to that country.

https://1office.co/estonia/blog/opening-estonian-bank-accoun...


You actually mean no -- Estonia making it easier is exceptional, and only happened in June.

For example, I considered opening this Tesco account, since I need to keep about £1500 in my British account for student loan payments. Tesco offer 3% interest on the balance, but I should have opened the account before I emigrated.


I'm an Australian expat in The Netherlands with accounts in AU, here in NL, and an additional account I had setup in the US.

Both the NL (even with temp residency / a work visa) and the US account were a major PITA to create.


Yeah, my accounts in the US always get flagged for manual review at creation time and "extended initial funds holding" because my SSN doesn't match my DOB (because it was issued when I got my Green Card, and not when I was born).

I've even had to convince banks that they're allowed to open an account for me in the first place...


Right, I'm in the EU and an EU citizen to boot, so that's probably why it's been easier for me. Funnily enough, the UK has been the most difficult country to open a bank account in, because of their insistence on using utility bills as proof of residence, and apparently a residence is more or less a must. My first UK account took a few days of hassling to get set up, because I didn't yet have a residence, but was living in a hotel. A proof of employment and a couple of face to face meetings with supervisors cleared that up though.


If you're in the EU (and a citizen of an EU country) it's not particularly difficult I've found.


Thanks Dad. You realize that for every single bad thing that happens there are always additional steps that could have been taken to prevent it? Unfortunately there is a trade-off most people make between living their life and prepping for the end times.


I'd rather keep my money in one place - if you've got 3 accounts in separate banks that means 3 accounts to pay attention to, to make sure nothing is going out that shouldn't, and it also multiplies the risk factor?


So the risk of something happening is larger (but not quite 3x due to shared vulnerability and multiple events), however the risk of being locked out and unable to function is significantly smaller as long as you can operate with the subset of accounts.

If you are in the position (like most) where all your account contents are guaranteed, then the only thing you are hedging is convenience vs the risk of cashflow problems.


Yup. As long as you're under the limit underwritten by the government it's not a problem.


Unless that insurance policy pays off within hours of your money being gone, it absolutely is a problem.


I keep a lot of money in cryptocurrency in my cold wallets. Those can't be seized, no run on the banks there, and thus far the appreciation has been great.


Your cryptocoins can be tainted by a government though.

That is, the addresses can be published by whatever entity with a threat to taint addresses they send value to unless the target addresses turn the value over to the government entity.


If the threat environment involves a Government vs. You, anything that is not physical currency is dead.

They can freeze your bank accounts too.


I replied to a comment stating that cryptocoins can't be seized. My point was that they really don't offer much of an advantage over bank accounts in that respect, not that they were more flawed...


That creates a light-cone of taint, and really gambles on a big enough portion of the economy caring about taint.

Also, hard to taint coins you don't realize exist. Not that I have any of those, mine are all from exchanges, but miners could easily have backup coins, as could OTC traders


It seems to be money transferred from accounts (£600 mentioned as an amount). But to set up 20,000 new transfers, and extract money from them, without 2FA, and without tripping any number of alarms is a terrible failure in security.

This will massively affect their provider fiserv, their internal team will almost certainly have to be replaced and I would be surprised if they don't throw their hands up and go back to being grocers. Retail banking is wafer thin margins.

Edit: I cannot think of / find a similar case - this is amongst the first if not the first mass account attack I know of.

To do this there is a trace. Potentially an insider at Tesco to turn off the 2FA etc, or possibly they have penetrated the systems totally. Not sure which is worse.

Also there must be some mule accounts - right now all the "Big Four" are scouring their customers accounts for unusual deposits. We will hopefully see where it went soon - presumably to several people who believed a Nigerian Prince was sending them cash, and then sent it into a wash of Russian accounts.

But I would be amazed if it all gets out the country. It would trip so many alarms. Of course if it did not trip alarms

Some predictions - Gov will enforce GPG level encryption for every bank interaction - 2FA with Time based OTP for example. This will force a huge upgrade in retail banking - and will be good for the economy.

And the Apple iPhone is the perfect host for making time based two factor auth that smooth. Good for Apple. Android might just see the whole UK market as large enough to get its act together.


Yeah, they must have found a way to add payees to the online system without needing 2FA, or else they were able to spoof the 2FA in an automated fashion. If Tesco was using SMS as a 2FA (don’t do this! it isn’t secure) then perhaps they had hacked the internal phone system so that they could intercept the 2FA challenge codes in transit?

I wonder how many mule accounts they had set up? Surely having lots of small transactions into a single account followed very quickly by a large one offshore is going to trigger fraud alerts in any modern clearing bank?


Just to tie this off:

It seems there are three main ways to monetise credit card / account data:

1. aggregate into a mule account

2. aggregate into an international account

3. extract cash via ATMs / payments

All three suffer from a high propensity to trigger alerts, and so rely on a fairly sophisticated understanding of each banks trigger rates.

So back in 2010 some banks could be hit with a flash attack (4) where hundreds of debit transactions for similar amounts at same time would not trigger stops (one assumes the debit approval infrastructure was fast and in memory and only went back to the ledger every five mins)

So as attackers find new vulnerabilities banks apply new systems.

(1) Microsoft report on this, can't find right now

(2) https://en.m.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

(3) http://mobile.nytimes.com/2013/05/10/nyregion/eight-charged-...

(4) http://www.atmmarketplace.com/blogs/quotflash-attacksquot-ma...
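The two alert patterns described above (many victims paying into one mule account, and a "flash" burst of near-identical debits inside the window before the ledger catches up) can both be expressed as velocity rules. The following is an added example, not anything from the thread or from a real bank's fraud engine: it runs two such rules over a constructed ledger. The thresholds (5 distinct payers in 30 minutes; 5 debits within 2% of each other in 60 seconds) and the account names are assumptions chosen for the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample ledger for this example (not real transaction data).
# Fields: txn id, ISO timestamp, paying account, beneficiary, amount in GBP.
SAMPLE_LEDGER = [
    # normal activity: three households paying a utility over two days
    ("t01", "2016-11-04T09:00:00", "cust-100", "utility-co", 85.20),
    ("t02", "2016-11-05T09:30:00", "cust-101", "utility-co", 61.00),
    ("t03", "2016-11-05T18:10:00", "cust-102", "utility-co", 120.45),
    # mule aggregation: six victims paying one fresh beneficiary within ten minutes
    ("t04", "2016-11-05T02:00:00", "cust-201", "mule-A", 450.00),
    ("t05", "2016-11-05T02:01:30", "cust-202", "mule-A", 520.00),
    ("t06", "2016-11-05T02:03:00", "cust-203", "mule-A", 600.00),
    ("t07", "2016-11-05T02:05:10", "cust-204", "mule-A", 380.00),
    ("t08", "2016-11-05T02:07:45", "cust-205", "mule-A", 610.00),
    ("t09", "2016-11-05T02:09:59", "cust-206", "mule-A", 700.00),
    # flash attack: near-identical card-not-present debits at different merchants in under a minute
    ("t10", "2016-11-05T03:00:00", "cust-301", "shop-1", 249.99),
    ("t11", "2016-11-05T03:00:08", "cust-302", "shop-2", 250.00),
    ("t12", "2016-11-05T03:00:15", "cust-303", "shop-3", 249.50),
    ("t13", "2016-11-05T03:00:31", "cust-304", "shop-4", 250.25),
    ("t14", "2016-11-05T03:00:44", "cust-305", "shop-5", 249.75),
]


def parse_ledger(rows) -> List[Dict]:
    """Turn raw rows into dicts, sorted by time so the sliding windows below are valid."""
    return sorted(
        ({"id": i, "ts": datetime.fromisoformat(t), "src": s, "dst": d, "amt": a}
         for i, t, s, d, a in rows),
        key=lambda r: r["ts"],
    )


def mule_aggregation(txns: List[Dict], window=timedelta(minutes=30),
                     min_sources: int = 5) -> Dict[str, Set[str]]:
    """Flag beneficiaries that receive credits from >= min_sources distinct payers
    inside any `window`: the 'lots of small transactions into a single account' shape."""
    by_dst = defaultdict(list)
    for t in txns:
        by_dst[t["dst"]].append(t)
    flagged = {}
    for dst, rows in by_dst.items():          # rows stay in time order
        for i, first in enumerate(rows):
            sources = {r["src"] for r in rows[i:] if r["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                flagged[dst] = sources
                break
    return flagged


def flash_attack(txns: List[Dict], window=timedelta(seconds=60),
                 min_count: int = 5, band: float = 0.02) -> List[List[str]]:
    """Flag bursts of >= min_count debits whose amounts lie within +/- band (a fraction)
    of the first one and all fall inside `window`, regardless of beneficiary:
    the 'hundreds of debits for similar amounts at the same time' shape."""
    clusters, used = [], set()
    for i, first in enumerate(txns):
        if first["id"] in used:
            continue
        burst = [r for r in txns[i:]
                 if r["ts"] - first["ts"] <= window
                 and abs(r["amt"] - first["amt"]) <= band * first["amt"]]
        if len(burst) >= min_count:
            ids = [r["id"] for r in burst]
            clusters.append(ids)
            used.update(ids)
    return clusters
```

Both rules are O(n²) in the worst case and are written for clarity; the point is that the flash rule has to run on the authorisation path, before the five-minute ledger reconciliation the comment describes, or the burst is already gone by the time it is seen.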


Some predictions - Gov will enforce GPG level encryption for every bank interaction

I don't think encryption levels are anything to do with the fraud problems (at the customer facing end, at least, which I guess you are referring to because of the talk of OTP)


> Gov will enforce GPG level encryption for every bank interaction - 2FA with Time based OTP for example

I don't think that's going to happen just yet. UK bank regulation is famously light touch and the government is extremely preoccupied at the moment.

(The loss applies to the bank, not the customers, so they've got plenty of incentive to fix this. And it's quite possible it's a backend hack from the sound of some of the other comments on this thread, for which 2FA is no use)


What's surprised me in moving to the US from the UK is just how effective the light touch approach has been for the UK from a consumer perspective. In effect, banks are told to get in a room and ensure they're not worlds apart technically. The outcome of that has been Faster Payments and the SMS transfers that followed it, and soon a read and write open banking API.

In the US I still get charged for withdrawing from my Wells account at a Chase ATM.


The banking API stuff is mandated by Europe (PSD2) and the Competition and Markets Authority. The banks didn't come up with the APIs by getting in a room together - the authorities are imposing the APIs on them.


If memory serves, the fees UK banks were charging were outrageous compared to other EU countries. Only recently via government pressure have fees got more reasonable. Make no mistake, UK banks are also scum.

The only time it works without regulation is when banks' interest align with customers, e.g. contactless payment. For the bank, less PIN exposure so less chance of compromise and liability. For customers, quick tap-to-pay. Win-win for once.


Fees for what? The only bank fee I've ever paid is a £1 fee for paying by card in a non GBP currency.


The financial hit needn't be disastrous. One would have thought Tesco had insurance!

Tesco's strategic response will be more about reputation, branding and customer relationships than about the direct profits they earn from their financial services.

I would be surprised if Her Majesty's Government started micromanaging security (unless there was political pressure to do so). That's not their style. Much better to require that banks, and their customers, are adequately insured against this kind of fraud, and then let the invisible hand decide the optimum level of security.

How would one launder so much stolen bank account credit so quickly? It depends on whether you need to remain anonymous or not. If, say, you're an established Russian gangster with an established network of ATM withdrawal agents, it's relatively straightforward. Sure, some of the agents will get caught, but that's their problem, not yours.

On the other hand, if you're within reach of British justice, I guess we're talking about Bitcoins. Can the scammers move their stolen cash to a Bitcoin market that's large enough and liquid enough to swallow that much transaction volume before the cash is frozen? I've no idea.

If I was a legislator, I would look for ways to attack bitcoin laundering / tumbling. Bitcoin transactions are anonymous, but they are also public. It's always possible to look at the Bitcoins in your wallet and see if they are in any way tainted by association with known dirty money.
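The "light-cone of taint" discussed earlier in the thread and the "see if your coins are tainted by association" idea in the comment above amount to the same computation: forward reachability through the public transfer graph, starting from the known dirty addresses, honouring time order so that spends made before the theft stay clean and payments INTO a tainted address do not pull the payer in. This is an added example, not code from the thread or from any chain-analysis product; the addresses and sequence numbers are constructed for the illustration, with the sequence number standing in for block height.

```python
from typing import Dict, Iterable, List, Tuple

Transfer = Tuple[int, str, str, float]  # (sequence / block height, from address, to address, amount)

# Constructed sample transfer log (not real chain data).
SAMPLE_TRANSFERS: List[Transfer] = [
    (99,  "thief-1",     "earlier-payee", 1.0),   # predates the theft: outside the cone
    (100, "victim-funds", "thief-1",      10.0),  # the theft itself
    (101, "alice",        "bob",          2.0),   # unrelated activity
    (102, "thief-1",      "mixer-in",     10.0),
    (103, "mixer-in",     "out-a",        3.0),
    (103, "mixer-in",     "out-b",        7.0),
    (104, "out-a",        "exchange-1",   3.0),
    (105, "carol",        "out-b",        1.0),   # carol pays a tainted address; carol stays clean
]


def taint_cone(transfers: Iterable[Transfer], seed_addresses: Iterable[str],
               from_seq: int) -> Dict[str, int]:
    """Forward, time-ordered reachability from the seeds.

    Returns {address: sequence number at which it first received tainted value}.
    A single pass in sequence order is enough: value can only flow forward in time,
    so an address becomes tainted exactly when it first receives from a tainted one."""
    tainted = {a: from_seq for a in seed_addresses}
    for seq, src, dst, _amt in sorted(transfers, key=lambda t: t[0]):
        if seq < from_seq:
            continue  # spending history that predates the taint event is clean
        if src in tainted and dst not in tainted:
            tainted[dst] = seq
    return tainted


def hops_from_seed(transfers: Iterable[Transfer], seed_addresses: Iterable[str],
                   from_seq: int) -> Dict[str, int]:
    """Same walk, but report how many transfers separate each address from the seeds;
    a policy that only cares about taint within N hops can cut the cone here."""
    hops = {a: 0 for a in seed_addresses}
    for seq, src, dst, _amt in sorted(transfers, key=lambda t: t[0]):
        if seq >= from_seq and src in hops and dst not in hops:
            hops[dst] = hops[src] + 1
    return hops
```

The cone only grows: every address downstream of the mixer is in it, including the exchange, which is exactly the "gambles on a big enough portion of the economy caring" objection made earlier in the thread. Whether anyone acts on the result is a policy question; computing it is cheap.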


I don't think insurance will cover you if the theft was because of negligence..


In business terms, a screw up like that would rank as far worse than a data security breach. If Tesco Bank can't negotiate an insurance policy properly, it's a wonder the organisation has survived for 19 years.


Yes, it doesn't look good for Fiserv either. There have been no password resets yet, so I doubt it's a mass user endpoint issue.


Also fiserv's share price hasn't budged.


Maybe all the stolen money was used to buy Fiserv shares.


It looks like faster payments are still allowed, as are in person chip and pin and cash withdrawals.

My guess is someone (either an insider or via technical means) has got a list of all the debit card numbers, CVV and account details - maybe even 3DSecure/VfV details?

People are then doing loads of payments via online cardholder not present.

Going to be a pain to figure what is what on this.

"Ref: Customers will still be able to use their cards for cash withdrawals, chip and pin payments, and bill payments. The bank is blocking customers from making online payments using their debit card, although transfers between accounts and to other people are still allowed, a spokesperson said."


The worst thing that can happen for any bank is to have its customers' money taken away. No one will ever do business with that bank again. You can screw up everything else but lose people's money is unforgivable.


I don't think this is at all true. Customers at just about every bank are hit by fraud, a lot of it through no fault of the customer, and yet banks don't seem to spend much time tracking down the criminals.

It must be far cheaper for the banks to reimburse customers rather than to patch all the security weaknesses of their financial systems. This strongly suggests that the reputational cost of hacking and fraud just isn't that big.


> banks don't seem to spend much time tracking down the criminals

I am curious how you come to this conclusion, given that banks are extremely reticent to discuss what security measure they take and to avoid any publicity about security breaches (even publicity about how they caught someone brings the problem back to the public's mind). So if they WERE being effective in tracking down the criminals, how would you know?


There are plenty of reports of people who, after getting refunded for a fraudulent transaction, get told that the bank won't investigate it, and that they should report it to the police themselves if they want to get someone to investigate. That doesn't strike me as banks caring too much.

I'm not saying the banks care nothing for security, and I am sure that they don't want to lose money if they had a choice, but their actions often give an outward impression of not being too bothered about individual losses.


For small amounts, things absolutely go un-tracked. There's just too much fraud to go after smaller actors. And often when you do, you just find a hapless mule that was used to relay the money. Something like this, where it's 10M pounds and a severe internal breach, is different.


More like "misplaced", customers will get their money back, no question.


People have short memory and they don't care. Offer like £50 sign up bonus and they'll be flocking like crazy sheep.


TalkTalk's recruitment drive is a good example.

I would consider taking the £50, but I would make damn sure not to put ALL my funds in there.


I'm only surprised at this not happening every week. I suppose that completely hacking a bank is not easy to monetize, even if breaking its security is.


I just signed up for 2 Tesco accounts the other day to dump 3k in each for the 3% interest.

I'm certainly not going to be doing anything with the accounts until Tesco give some more clarification on what actually happened (although the way these things work, I doubt there will ever be a full technical response.)

Also if it is some sort of internal breach, would any other data have been taken?

Back in 2012, Tesco were storing passwords in plain text.

http://www.bbc.co.uk/news/technology-19316825


Tesco ask you to log on with "characters 2 and 4 from your password" which sort of implies they must store the password in clear text (unless some kind of zero-knowledge/homomorphic encryption magic I've not heard of.)


That is not the password though. They call that the 'Security Number'.

After entering the two digits of the 'Security Number' you then receive a 'One Time Access Code' through a text or phone call, although I have never logged in to my account before, and seem to be unable to get past this step now.

I think you then enter your proper password in, which I would hope is not stored in plain text, although the article I linked seemed to imply this was the case back in 2012.


Depending on the length of the password, it's possible to encode/hash (+salt) all possible outputs of challenge combinations at the point of storing your password.

It's a bit like having a number of related passwords, which the bank can ask you for any of them, and then verify is correct.


I have an account at Metro Bank in UK. One day I was on the phone with them, and to authenticate myself they asked me for characters 2/4/7 from the password.

At the same time, they advise you to never give your password away, and that they will never ask you for your (full) password.

Talk about a mixed message...


Most UK Banks use HSM modules to store 'pins' (Similar process to Apple with iCloud) which remain separate to passwords which are hash + salted


This is pretty standard for UK banks.

They'd do a hash of each character of the password (in Lloyds' case, your "memorable word" combo), to compare your entries to.


Wait, that's still awful! It allows you to crack each character individually. For instance, a 10-letter password requires 26^10 ~= 1.4e14 attempts to test every option if you only have a hash of the full password, but only 10*26 = 260 attempts to test every option for every individual character.


I have to use two passwords to login to Lloyds bank. One conventional password (which is presumably stored salted and hashed) and one where I have to enter characters from three positions they choose. The latter is intended to mitigate the risk of using your account from a vulnerable computer. The former takes care of vulnerabilities on their end (as far as any password can).


Could they implement something like:

Password: money

Secret word: ABCD

If they're going to ask for two characters from the secret word, they could then hash

  saltmoneyAB
  saltmoneyAC
  saltmoneyAD
  saltmoneyBC
  saltmoneyBD
  saltmoneyCD
and check against the relevant one.
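The scheme sketched in the two comments above (precompute a salted hash for every challenge the bank might issue, then compare against the one it actually issued) is straightforward to implement. This is an added example, not Tesco's, Lloyds' or Metro Bank's real code: it enrols a password plus a secret word by storing one PBKDF2 digest per k-subset of positions, and verifies a challenge answer with a constant-time comparison. The KDF, iteration count, 0-based positions and record layout are assumptions for the example. Note what it does and does not fix: because each digest is bound to the whole password, the positions asked for and the characters at those positions, an attacker with the database cannot attack the secret word one character at a time as the per-character objection above describes, but each digest still only protects the password plus k characters, so a weak password is not rescued by the secret word.

```python
import hashlib
import hmac
import os
import random
from itertools import combinations
from typing import Dict, Optional, Sequence, Tuple

# Assumed parameters for this example; the thread does not describe any bank's real KDF.
PBKDF2_ITERATIONS = 50_000


def _verifier(salt: bytes, password: str, positions: Tuple[int, ...], answer: str) -> bytes:
    # Bind the digest to the full password, to WHICH positions were asked and to the
    # characters at those positions: the digest for (0, 1) cannot be replayed against a
    # challenge for (1, 2), and no digest reveals a single character on its own.
    material = password.encode() + b"\x00" + bytes(positions) + b"\x00" + answer.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS)


def enrol(password: str, secret_word: str, k: int = 2,
          salt: Optional[bytes] = None) -> Dict:
    """Precompute one verifier per possible challenge: every k-subset of the secret
    word's positions, i.e. C(n, k) digests (6 for a 4-character word with k=2)."""
    salt = salt or os.urandom(16)
    n = len(secret_word)
    verifiers = {}
    for pos in combinations(range(n), k):       # 0-based positions, canonical (sorted) order
        answer = "".join(secret_word[i] for i in pos)
        verifiers[pos] = _verifier(salt, password, pos, answer)
    # The secret word itself is never stored; only salt, shape and digests survive.
    return {"salt": salt, "length": n, "k": k, "verifiers": verifiers}


def challenge(record: Dict, rng: Optional[random.Random] = None) -> Tuple[int, ...]:
    """Choose which positions to ask for (a bank would display them 1-based)."""
    rng = rng or random.SystemRandom()
    return tuple(sorted(rng.sample(range(record["length"]), record["k"])))


def verify(record: Dict, password: str, positions: Sequence[int], answer: str) -> bool:
    """Check a login attempt against the precomputed digest for the issued challenge."""
    pos = tuple(positions)
    expected = record["verifiers"].get(pos)
    if expected is None or len(answer) != len(pos):
        return False  # challenge shape the server never issued, or wrong answer length
    candidate = _verifier(record["salt"], password, pos, answer)
    return hmac.compare_digest(expected, candidate)
```

Storage grows as C(n, k), which is small for the word lengths banks use (an 8-character word with 3 positions needs 56 digests), and the server must issue the challenge itself and remember it for the session, otherwise a client could pick the positions it already knows.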


I may be incorrect on the "hash each letter individually" part. But this is combined with a password.


I know banking and retail are separate but as an organisation Tesco hasn't got a good history for security:

https://www.troyhunt.com/the-tesco-hack-heres-how-it-probabl...

https://www.troyhunt.com/lessons-in-website-security-anti/


I sent them multiple vuln for free for both their online shopping site and an online (yes on the internet) payroll system https://payslipview.com/Login.aspx?ReturnUrl=%2fdefault.aspx

I had a smug thank you response.


Most times the snake is inside in the form of disparaged employees or corrupt managers: how are Tesco bank personnel recruited and treated, compared with their peers at more established banks?



