Tesco Bank - Security Breach!
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Tesco Bank - Security Breach!
If you use Tesco Bank, please check your account ASAP as they have had some sort of security breach at a 3rd party.
My own account seems to be involved, so I am waiting to talk to a human, at the moment
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
An update. Chip & Pin Dr Card transactions, Direct Debits & Standing Orders are still happening, but it is not currently possible to log into the online banking and electronic payments are not being allowed.
I seemed to have an EP in limbo yesterday as my available balance was less than my balance, and I haven't done any transactions on that account for a couple of weeks.
Interesting times.
-
- Posts: 3
- Joined: November 4th, 2016, 2:07 pm
Re: Tesco Bank - Security Breach!
[quote="Slarti"
I seemed to have an EP in limbo yesterday as my available balance was less than my balance, and I haven't done any transactions on that account for a couple of weeks.
Interesting times.[/quote]
What is an EP? I have the same discrepancy between balance and available balance.
Regards
Linfiter
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
EP=Electronic Payment usually made through browser or mobile app.
-
- Lemon Quarter
- Posts: 4108
- Joined: November 4th, 2016, 9:42 pm
Re: Tesco Bank - Security Breach!
Linfiter wrote:
> [quote="Slarti"...
Be careful when you edit quotes, you lost the trailing ']' from the ... wrote: bit - that's why it didn't work.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
Well it all seems to be back to normal and Tesco have posted this on their website as well as texting it to account holders, Mrs S and I
Full service has resumed for our customers
We can confirm that normal service has resumed at Tesco Bank following the temporary suspension of online transactions from current accounts.
Our first priority throughout this incident has been protecting and looking after our customers.
We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’re also keen to reassure our customers that none of their personal data has been compromised.
Around 9,000 customers were affected by these fraudulent transactions and all customers affected have been fully reimbursed. We are continuing to work closely with the authorities and regulators in their criminal investigation of this incident.
I’d like to thank our customers for their patience during this time, and to apologise for the worry and inconvenience this issue has caused.
Sounds as if it was someone else who was breached.
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
Tesco Bank must be thanking their lucky stars this happened in US election week. For the most serious ever breach of banking technology to pretty much drop off the news is remarkable.
There will be regulatory consequences of course.
Scott.
-
- Posts: 4
- Joined: November 9th, 2016, 2:08 pm
Re: Tesco Bank - Security Breach!
I have a current account with Tesco Bank that was not affected by the "hack". It doesn't have much money in it.
I would love to know how the breach was carried out but I expect customers will not be told (for security reasons). Please post here if you have any idea of how it was done, (inside job, etc??),
cheers,
Martin
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
Given that they don't appear to be making changes to the online system, or mandating wholesale password resets, I suspect the security of Tesco Bank's own banking system wasn't breached.
There's been lots of use of the word "online" in the deliberately vague official statements, but I think the only restriction they put in place was online payments to retailers using debit cards.
So I suspect that the baddies somehow got hold of a whole load of Debit Card details (number, expiry and CVV) and started making thousands of purchases, possibly to compliant "merchants".
So either:
- an inside job at their 3rd party card supplier
- a security breach at the above
- "discovery" of the algorithm to create new numbers/CVVs
Disclaimer - pure speculation, though I used to work at Tesco Bank.
Scott.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
swill453 wrote:
> Given that they don't appear to be making changes to the online system, or mandating wholesale password resets, I suspect the security of Tesco Bank's own banking system wasn't breached.
> There's been lots of use of the word "online" in the deliberately vague official statements, but I think the only restriction they put in place was online payments to retailers using debit cards.
> So I suspect that the baddies somehow got hold of a whole load of Debit Card details (number, expiry and CVV) and started making thousands of purchases, possibly to compliant "merchants".
> So either:
> - an inside job at their 3rd party card supplier
> - a security breach at the above
> - "discovery" of the algorithm to create new numbers/CVVs
> Disclaimer - pure speculation, though I used to work at Tesco Bank.
> Scott.
Online debit card payments to retailers was one thing that they blocked, together with contactless payments and electronic payments, through the website, to the extent that for a couple of days I couldn't even login.
Cheers
Slarti
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
Slarti wrote:
> Online debit card payments to retailers was one thing that they blocked, together with contactless payments and electronic payments, through the website, to the extent that for a couple of days I couldn't even login.
They may have been ultra cautious and temporarily blocked vectors which weren't actually attacked.
My hunch stands, until shown otherwise
Scott.
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
swill453 wrote:
> So either:
> - an inside job at their 3rd party card supplier
> - a security breach at the above
> - "discovery" of the algorithm to create new numbers/CVVs
Still no info from any authoritative source on the nature of the breach.
However the Reg reports on an "Analysis of Competing Hypothesis (ACH)" using the available data, which said "cash-out of cloned cards is more likely than other possibilities it examined".
So maybe I'm kinda right. Remains to be confirmed though.
http://www.theregister.co.uk/2016/11/16 ... _analysis/
Scott.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
swill453 wrote:
> swill453 wrote:
> > So either:
> > - an inside job at their 3rd party card supplier
> > - a security breach at the above
> > - "discovery" of the algorithm to create new numbers/CVVs
> Still no info from any authoritative source on the nature of the breach.
> However the Reg reports on an "Analysis of Competing Hypothesis (ACH)" using the available data, which said "cash-out of cloned cards is more likely than other possibilities it examined".
> So maybe I'm kinda right. Remains to be confirmed though.
> http://www.theregister.co.uk/2016/11/16 ... _analysis/
> Scott.
Thing is, I've only ever done direct debits out of my Tesco account. The card has never been used.
I only do the monthly DD as I needed something to use up the £750 monthly payment in that was needed, so I set my Tesco credit card to be paid by DD from the account and then topped it back up to £3k for the interest.
So I don't see how my card could have been cloned.
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
Slarti wrote:
> So I don't see how my card could have been cloned.
It would depend on how the details were obtained (hypothetically at the moment of course).
Getting hold of your physical card, or intercepting its use, are only some of the possible ways, I suggested a few more in my post.
Scott.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
Latest update.
Tesco are sending out new debit cards to those who had fraudulent transactions attempted, according to their text to Mrs S.
I haven't had a text, so I wonder if that means it was her card that was the attack vector. We'll see when new card or cards come through.
Still very odd.
Slarti
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
I missed this story, which gives some more information, that mobile phones were used in contactless transactions for low amounts of money in the US and Brazil.
http://www.thetimes.co.uk/article/tesco ... -92tjftd57
I don't have an account at The Times so I can't see the whole article though. As far as I can see there's still no indication of how the thieves managed to get hold of the debit card details.
Scott.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
Here's a non paywall similar story http://www.ibtimes.co.uk/tesco-bank-und ... ck-1593709 which doesn't look good for Tesco.
On the replacement card front, Mrs S has had a replacement, I haven't.
Ah, just worked out why. Her card is contactless, mine isn't, which fits in with the Times story.
Interesting times
Slarti
-
- Lemon Half
- Posts: 7479
- Joined: November 4th, 2016, 6:11 pm
Re: Tesco Bank - Security Breach!
Looks like the "glitch" mentioned is some "feature" of the card-handling system* that allowed the thieves to repeatedly hit it with random card number/expiry combinations, and get some indication as to whether it was actually a valid number or not. A different error code possibly.
Then once they had a bunch of valid numbers, they loaded them into mobile phones and went on a contactless spending spree.
* - not sure if this would be at Tesco Bank itself, or somewhere further down the line.
Scott.
-
- Lemon Quarter
- Posts: 2947
- Joined: November 4th, 2016, 3:46 pm
Re: Tesco Bank - Security Breach!
swill453 wrote:
> Looks like the "glitch" mentioned is some "feature" of the card-handling system* that allowed the thieves to repeatedly hit it with random card number/expiry combinations, and get some indication as to whether it was actually a valid number or not. A different error code possibly.
> Then once they had a bunch of valid numbers, they loaded them into mobile phones and went on a contactless spending spree.
> * - not sure if this would be at Tesco Bank itself, or somewhere further down the line.
> Scott.
It appears that it is a fault with the Visa system, Tesco cards being Visa https://www.theguardian.com/technology/ ... udy-claims
But why only Tesco Bank?
Slarti
-
- Lemon Quarter
- Posts: 1708
- Joined: November 5th, 2016, 9:37 am
Re: Tesco Bank - Security Breach!
Slarti wrote:
> But why only Tesco Bank?
> Slarti
This security weakness is specific to Visa payments and the same attack does not work against Mastercard. I have read elsewhere that the weakness was known by Visa and an advisory note to update systems was made some time ago, and so it may be that Tesco Bank did not update its Visa payment system.
All the best, Si
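Added example, not part of the thread and not Tesco Bank's or Visa's code: the guessing discussed in the posts above depends on the decline response revealing which detail was wrong and on nothing counting the failed attempts per card. The Python below shows both mitigations from the issuer's side over constructed authorisation records; the reason names, record layout and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Hypothetical internal decline reasons that reveal which card detail was wrong.
DETAIL_MISMATCH = {"BAD_EXPIRY", "BAD_CVV"}

def external_response(internal_reason):
    """Give the caller one generic decline for every card-detail mismatch."""
    if internal_reason in DETAIL_MISMATCH:
        return "DECLINED"
    return internal_reason

def flag_guessing(events, window_s=600, max_distinct=3):
    """Return card tokens that saw more than max_distinct different wrong
    expiry dates within window_s seconds, counted across all merchants."""
    recent = defaultdict(deque)  # card token -> (timestamp, expiry) of failures
    flagged = set()
    for ts, _merchant, card, expiry, reason in sorted(events):
        if reason != "BAD_EXPIRY":
            continue
        attempts = recent[card]
        attempts.append((ts, expiry))
        while ts - attempts[0][0] > window_s:
            attempts.popleft()
        if len({exp for _, exp in attempts}) > max_distinct:
            flagged.add(card)
    return flagged

# Constructed records: (unix seconds, merchant id, card token, expiry, reason)
SAMPLE_EVENTS = [
    (0,   "m1", "tok_A", "01/17", "BAD_EXPIRY"),
    (40,  "m2", "tok_A", "02/17", "BAD_EXPIRY"),
    (80,  "m3", "tok_A", "03/17", "BAD_EXPIRY"),
    (120, "m4", "tok_A", "04/17", "BAD_EXPIRY"),
    (160, "m5", "tok_A", "05/17", "BAD_EXPIRY"),
    (10,  "m1", "tok_B", "11/18", "BAD_EXPIRY"),  # customer typo, retried once
    (30,  "m1", "tok_B", "11/18", "BAD_EXPIRY"),
    (50,  "m1", "tok_B", "11/19", "APPROVED"),
]

if __name__ == "__main__":
    print(sorted(flag_guessing(SAMPLE_EVENTS)))
```

Counting distinct wrong values rather than raw failures keeps a customer who retypes the same mistaken date from being flagged.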