
it seems to be money transferred from accounts (£600 mentioned as an amount). But to set up 20,000 new transfers, and extract money from them, without 2FA, and without tripping any number of alarms is a terrible failure in security.

This will massively affect their provider Fiserv, their internal team will almost certainly have to be replaced and I would be surprised if they don't throw their hands up and go back to being grocers. Retail banking is wafer thin margins.

Edit: I cannot think of / find a similar case - this is amongst the first if not the first mass account attack I know of.

To do this there is a trace. Potentially an insider at Tesco to turn off the 2FA etc, or possibly they have penetrated the systems totally. Not sure which is worse.

Also there must be some mule accounts - right now all the "Big Four" are scouring their customers accounts for unusual deposits. We will hopefully see where it went soon - presumably to several people who believed a Nigerian Prince was sending them cash, and then sent it into a wash of Russian accounts.

But I would be amazed if it all gets out the country. It would trip so many alarms. Of course if it did not trip alarms

Some predictions - Gov will enforce GPG level encryption for every bank interaction - 2FA with Time based OTP for example. This will force a huge upgrade in retail banking - and will be good for the economy.

And Apple iPhone is the perfect host for making time based two factor auth that smooth. Good for Apple. Android might just see the whole UK market as large enough to get its act together.




Yeah, they must have found a way to add payees to the online system without needing 2FA, or else they were able to spoof the 2FA in an automated fashion. If Tesco was using SMS as a 2FA (don’t do this! it isn’t secure) then perhaps they had hacked the internal phone system so that they could intercept the 2FA challenge codes in transit?

I wonder how many mule accounts they had set up? Surely having lots of small transactions into a single account followed very quickly by a large one offshore is going to trigger fraud alerts in any modern clearing bank?


Just to tie this off:

It seems there are three main ways to monetise credit card / account data:

1. aggregate into a mule account

2. aggregate into an international account

3. extract cash via ATMs / payments

All three suffer from a high propensity to trigger alerts, and so rely on a fairly sophisticated understanding of each bank's trigger rates.

So back in 2010 some banks could be hit with a flash attack (4) where hundreds of debit transactions for similar amounts at the same time would not trigger stops (one assumes the debit approval infrastructure was fast and in memory and only went back to the ledger every five mins)

So as attackers find new vulnerabilities banks apply new systems.

(1) Microsoft report on this, can't find it right now

(2) https://en.m.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

(3) http://mobile.nytimes.com/2013/05/10/nyregion/eight-charged-...

(4) http://www.atmmarketplace.com/blogs/quotflash-attacksquot-ma...
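Two of the patterns discussed above, the many-small-credits-then-one-large-offshore-transfer mule signature from the earlier comment and the flash attack of many near-identical debits in a short window from this one, are the kind of velocity rules a clearing bank's fraud engine runs. The block below is an added example written for this page, not code from any bank or from Fiserv, and it works over a constructed ledger: the thresholds (10 inbound credits from 10 distinct payers within two hours swept out at 80% or more; 50 debits within 5% of each other at one merchant inside five minutes) are illustrative assumptions, not known bank trigger rates.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int        # seconds since epoch (constructed values)
    src: str       # paying account or card
    dst: str       # receiving account or merchant
    amount: float  # GBP
    kind: str      # "transfer" (account to account) or "debit" (card payment)


def detect_mule_aggregation(txns, lookback=7200, min_inbound=10, min_sources=10, outbound_ratio=0.8):
    """Flag an outbound transfer that sweeps out a burst of credits from many distinct payers."""
    inbound = defaultdict(list)
    for t in txns:
        if t.kind == "transfer":
            inbound[t.dst].append(t)
    alerts = []
    for out in txns:
        if out.kind != "transfer":
            continue
        recent = [t for t in inbound.get(out.src, []) if out.ts - lookback <= t.ts < out.ts]
        sources = {t.src for t in recent}
        total = sum(t.amount for t in recent)
        if len(recent) >= min_inbound and len(sources) >= min_sources and out.amount >= outbound_ratio * total:
            alerts.append({"account": out.src, "outbound_ts": out.ts, "outbound_to": out.dst,
                           "outbound_amount": out.amount, "inbound_count": len(recent),
                           "inbound_sources": len(sources), "inbound_total": total})
    return alerts


def detect_flash_attack(txns, window=300, tolerance=0.05, min_count=50):
    """Per merchant, slide a time window over card debits and alert when at least
    min_count amounts in the window fall inside a (1 + tolerance) band. Alerts for the
    same merchant within one window of each other are collapsed into one."""
    by_merchant = defaultdict(list)
    for t in txns:
        if t.kind == "debit":
            by_merchant[t.dst].append(t)
    alerts = []
    for merchant, debits in by_merchant.items():
        debits.sort(key=lambda t: t.ts)
        lo, last_alert_ts = 0, None
        for hi in range(len(debits)):
            while debits[hi].ts - debits[lo].ts > window:
                lo += 1
            amounts = sorted(t.amount for t in debits[lo:hi + 1])
            best_n, best_lo, j = 0, 0, 0
            for i in range(len(amounts)):           # two-pointer largest near-equal cluster
                while j < len(amounts) and amounts[j] <= amounts[i] * (1 + tolerance):
                    j += 1
                if j - i > best_n:
                    best_n, best_lo = j - i, i
            if best_n < min_count:
                continue
            if last_alert_ts is None or debits[hi].ts - last_alert_ts > window:
                alerts.append({"merchant": merchant, "alert_ts": debits[hi].ts, "count": best_n,
                               "amount_low": amounts[best_lo], "amount_high": amounts[best_lo + best_n - 1]})
            last_alert_ts = debits[hi].ts
            lo = hi + 1                             # window handled; start a fresh one
    return alerts


def build_sample():
    """Constructed ledger: normal traffic, one mule sweep, one flash attack."""
    txns = []
    for i in range(40):
        txns.append(Txn(100 * i, f"ACC-{i:03d}", f"ACC-{(i * 7) % 40:03d}", 25.0 + i, "transfer"))
        txns.append(Txn(100 * i + 50, f"ACC-{i:03d}", "MERCH-GROCER", 12.5 + (i % 9) * 3.3, "debit"))
    for i in range(30):                             # 30 victims each send 600 to one account
        txns.append(Txn(10_000 + 50 * i, f"VIC-{i:03d}", "MULE-1", 600.0, "transfer"))
    txns.append(Txn(10_000 + 50 * 29 + 1200, "MULE-1", "OFFSHORE-1", 17_500.0, "transfer"))
    for i in range(120):                            # 120 debits, almost the same amount, in 2 minutes
        txns.append(Txn(20_000 + i, f"CARD-{i:03d}", "MERCH-FLASH", 89.0 + (i % 4) * 0.25, "debit"))
    return txns


if __name__ == "__main__":
    ledger = build_sample()
    for alert in detect_mule_aggregation(ledger) + detect_flash_attack(ledger):
        print(alert)
```

The flash detector evaluates the window on every new debit, which is the point the comment makes about the 2010 attacks: a rule that only runs when the ledger is reconciled every few minutes lets the whole burst clear before anyone looks, whereas an in-line check blocks at the fiftieth card.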


> Some predictions - Gov will enforce GPG level encryption for every bank interaction

I don't think encryption levels are anything to do with the fraud problems (at the customer facing end, at least, which I guess you are referring to because of the talk of OTP)


> Gov will enforce GPG level encryption for every bank interaction - 2FA with Time based OTP for example

I don't think that's going to happen just yet. UK bank regulation is famously light touch and the government is extremely preoccupied at the moment.

(The loss applies to the bank, not the customers, so they've got plenty of incentive to fix this. And it's quite possible it's a backend hack from the sound of some of the other comments on this thread, for which 2FA is no use)


What's surprised me in moving to the US from the UK is just how effective the light touch approach has been for the UK from a consumer perspective. In effect, banks are told to get in a room and ensure they're not worlds apart technically. The outcome of that has been Faster Payments and the SMS transfers that followed it, and soon a read and write open banking API.

In the US I still get charged for withdrawing from my Wells account at a Chase ATM.


The banking API stuff is mandated by Europe (PSD2) and the Competition and Markets Authority. The banks didn't come up with the APIs by getting in a room together - the authorities are imposing the APIs on them.


If memory serves, the fees UK banks were charging were outrageous compared to other EU countries. Only recently via government pressure have fees got more reasonable. Make no mistake, UK banks are also scum.

The only time it works without regulation is when banks' interests align with customers', e.g. contactless payment. For the bank, less PIN exposure so less chance of compromise and liability. For customers, quick tap-to-pay. Win-win for once.


Fees for what? The only bank fee I've ever paid is a £1 fee for paying by card in a non GBP currency.


The financial hit needn't be disastrous. One would have thought Tesco had insurance!

Tesco's strategic response will be more about reputation, branding and customer relationships than about the direct profits they earn from their financial services.

I would be surprised if Her Majesty's Government started micromanaging security (unless there was political pressure to do so). That's not their style. Much better to require that banks, and their customers, are adequately insured against this kind of fraud, and then let the invisible hand decide the optimum level of security.

How would one launder so much stolen bank account credit so quickly? It depends on whether you need to remain anonymous or not. If, say, you're an established Russian gangster with an established network of ATM withdrawal agents, it's relatively straightforward. Sure, some of the agents will get caught, but that's their problem, not yours.

On the other hand, if you're within reach of British justice, I guess we're talking about Bitcoins. Can the scammers move their stolen cash to a Bitcoin market that's large enough and liquid enough to swallow that much transaction volume before the cash is frozen? I've no idea.

If I were a legislator, I would look for ways to attack bitcoin laundering / tumbling. Bitcoin transactions are anonymous, but they are also public. It's always possible to look at the Bitcoins in your wallet and see if they are in any way tainted by association with known dirty money.
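The taint check the comment above describes, following coins forward from a known-dirty output through the public transaction graph, can be shown on a small constructed graph. This is an added example for this page, not code from the commenter or from any chain-analysis product. It uses the "haircut" convention (every output of a transaction inherits the value-weighted mean taint of the inputs), which is one of several conventions analysts use, and it assumes transactions are supplied in spend order; real analysis additionally needs the full chain and address-clustering heuristics, neither of which is modelled here.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: List[str]    # outpoints "txid:n" being spent
    outputs: List[int]   # output values in satoshi


def compute_taint(txs: List[Tx], origin_values: Dict[str, int],
                  dirty_outpoints: Set[str]) -> Tuple[Dict[str, int], Dict[str, Fraction]]:
    """Haircut taint propagation.

    origin_values: outpoints that exist before the first tx (the coins entering the graph).
    dirty_outpoints: the subset of those known to be stolen (taint 1); all others start at 0.
    Returns (value, taint) maps covering every outpoint created, as exact fractions.
    """
    value = dict(origin_values)
    taint = {op: (Fraction(1) if op in dirty_outpoints else Fraction(0)) for op in value}
    for tx in txs:
        missing = [op for op in tx.inputs if op not in value]
        if missing:
            raise ValueError(f"{tx.txid} spends unknown outputs {missing}; supply txs in spend order")
        in_value = sum(value[op] for op in tx.inputs)
        dirty_value = sum(value[op] * taint[op] for op in tx.inputs)
        share = dirty_value / in_value if in_value else Fraction(0)
        for n, v in enumerate(tx.outputs):       # fee changes values, not the dirty share
            outpoint = f"{tx.txid}:{n}"
            value[outpoint] = v
            taint[outpoint] = share
    return value, taint


def wallet_exposure(value, taint, outpoints) -> Fraction:
    """Value-weighted taint across the outputs a wallet holds."""
    held = sum(value[op] for op in outpoints)
    return sum(value[op] * taint[op] for op in outpoints) / held if held else Fraction(0)


BTC = 100_000_000  # satoshi per coin

# Constructed graph (assumption, not real chain data): 10 stolen coins and 10 clean coins.
ORIGIN = {"theft:0": 10 * BTC, "clean:0": 10 * BTC}
DIRTY = {"theft:0"}
TXS = [
    Tx("a", ["theft:0"], [6 * BTC, 4 * BTC]),               # thief splits the loot
    Tx("b", ["a:1", "clean:0"], [7 * BTC, 7 * BTC]),        # 4 dirty mixed with 10 clean
    Tx("c", ["b:0"], [7 * BTC - 10_000]),                   # onward spend paying a fee
]

if __name__ == "__main__":
    value, taint = compute_taint(TXS, ORIGIN, DIRTY)
    for op in ("a:0", "b:0", "b:1", "c:0"):
        print(op, f"{value[op] / BTC:.4f} BTC", "taint", taint[op])
    print("wallet holding b:0 and b:1:", wallet_exposure(value, taint, ["b:0", "b:1"]))
```

Under the haircut rule the mixing transaction `b` leaves both of its outputs 2/7 dirty, so the "clean" owner's change is now tainted too; the alternative "poison" rule would mark anything with a non-zero share as fully dirty. Which rule a legislator or exchange adopts decides how quickly taint spreads to uninvolved users, which is the practical obstacle to the approach the comment proposes.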


I don't think insurance will cover you if the theft was because of negligence.


In business terms, a screw up like that would rank as far worse than a data security breach. If Tesco Bank can't negotiate an insurance policy properly, it's a wonder the organisation has survived for 19 years.


Yes it doesn't look for fiserv either. There have been no password resets yet, so I doubt it's a mass user endpoint issue.


Also Fiserv's share price hasn't budged.


Maybe all the stolen money was used to buy Fiserv shares.



