Don’t bank on it…
Updated 22:20 to reflect Tesco Bank’s reduced claim for the number of accounts compromised
On Sunday, Tesco Bank confirmed that 9000 customers had had funds removed from their accounts, in an attack which the banking regulator has described as “unprecedented in the UK”.
From the various reports I have picked up a number of interesting features:1) The bogus transactions are reported to have come from abroad, Brazil having been specifically cited.2) The problem came to light on Sunday morning, which probably meant the attack was deliberately scheduled for a day when foreign attackers used to a 5 or 6 day banking week might have expected the attack to go unnoticed for 24 hours.3) The sheer volume of accounts compromised suggests it was not a matter of a successful phishing run or compromising user authentication details for each account.4) The vector of attack was either systemic, or may have been the result of a prior compromise at a third party (similar to the Target attack in the US last year).5) Each individual reported loss figure appears to be multiples of 300 pounds.
The 300 pounds figure, in particular, looks interesting, given that that is a common withdrawal limit for UK debit cards. Clearly it was caught reasonably quickly, although reading between the lines only after customers started raising the alarm. This puzzles me, because I know from my own experience that my own bank has raised fraud queries with me over foreigh transactions at spending levels much lower than this. As usual, there are two questions associated with this attack: what was the specific vector of compromise, and which protections – if any – should have trapped it failed to?
Tesco Bank have themselves – in promising to reimburse all customer losses from the attack – all but admitted responsibility and that the problem was systemic. I am of the opinion that they should be open and reveal the complete details of their findings once their investigation and remediations are complete, so that others may learn from the experience.
The consequences of this incident to Tesco Bank could be long-term, and significant. From a purely dispassionate perspective, this will be an interesting scenario to watch play out. But of course there is more to it than that.
Firstly there is the financial impact of the reimbursement, although given any bank’s standing reserves that should be, one might hope, if not trivial then at least undamaging to the bank’s continued operation.
Secondly, as one respected security commentator remarked to the BBC, it can be expected to dramatically affect public trust in the bank, and that could in its turn have significant impact on future business. The financial cost is unpredictable, but it could be noticeable.
Thirdly, not only have some of the bank’s customers been inconvenienced, they are all already being warned – not just by pundits but by the Government’s fraud protection agency – to be on the lookout for further fraud attempts, regardless of whether their accounts were tapped in the original attack or not. The near certainty that this was a mechanistic attack leaves open the possibility that significant customer details were exfiltrated before the monetary facet of the attack began. If they were, the criminals will now be in possession of significant sensitive information, which could allow them to mount further extremely plausible phishing attempts be it by e-mail, by telephone, or old-fashioned postal mail. (That last one is rarely seen these days, due to the inconvenience and cost of handling and sending paper, but if the value of the target is big enough they may consider it worth the effort.)
Fourthly, hypothetically – and this is the real kicker – if this breach was the result of negligence or bad practice it could lead to the banking regulator or the ICO, or perhaps both, getting involved more directly than they already will be, which could eventually lead to the bank facing punitive sanctions.
So here we are back to the drum I beat most commonly when writing about information security: regardless of their field of endeavour, every organisation has an asset that is mostly overlooked – customer trust. Once damaged by an incident – especially one of the severity of Tesco Bank’s – it can be hard to recover. Better, then, to protect it by taking action to prevent malicious attacks by engaging regularly in active penetration testing and security reviews, not just of your own organisation but also of subsidiaries and the supply chain.