Little is currently known about how money was stolen from thousands of Tesco Bank current account (checking account) holders last weekend. It is clear now, however, that approximately 9,000 customers rather than the initial estimate of 20,000 were affected.
“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal,” said chief executive Benny Higgins. This seems to imply that the incident is over.
Needless to say, the usual claims have been made in the British media. The Daily Telegraph ran a story headlined: Spy agency GCHQ investigates Tesco Bank cyber theft amid fears it was ‘state sponsored’. Both of these suggestions are unlikely.
In fact the report itself makes clear that it is the UK’s new National Cyber Security Centre (NCSC) that has been contacted. The NCSC is part of GCHQ but describes its primary purpose as “to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience.” It would be normal practice for the NCSC to become involved in any major incident. It remains possible that it was state-sponsored. Higgins described it as “a systematic, sophisticated attack”. Andrew Bailey, chief executive of the UK’s Financial Conduct Authority is reported to have said the incident “looks unprecedented in the UK.” However, the circumstantial evidence all points in another direction.
The bank has already repaid the stolen money and removed the block on card not present transactions. This suggests that it believes the incident is over. Higgins also commented very early on that the bank knew “exactly” the nature of the attack, but could not say more because it was part of a criminal investigation.
It is unusual to have such confidence so early in an investigation. If the bank had been breached in the usual ‘hack and steal’ manner, it would normally take weeks if not months of forensic examination to ensure that there are no intruders on the network, and no hidden malware left behind.
There is, however, a strange comment in the bank’s FAQ for worried customers:
Q. Should I change all of my online banking and personal details that you hold?
A. Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details. To stay safe online we do recommend that customers regularly change their passwords.
Note also that a BBC report commented, “Tesco has yet to use the word ‘hacking’ to describe the breach.” Putting all of these together (Tesco bank knows what happened, it is over, and its systems were not compromised), there seems to be a strong implication that this was not a standard criminal hack.
There are three immediate possibilities. Commenting on the FAQ Q&A, CensorNet’s CEO Ed Macnair said, “They may have discovered that Tesco Bank itself wasn’t attacked but rather a third-party supplier, or that all those customers were the victims of phishing scams. There are a few reasons why Tesco Bank could say that, technically, it was not the subject of a security compromise; but it’s hugely ambiguous and not at all helpful really.”
F-Secure’s Sean Sullivan puts forward another possibility. According to the bank’s documentation, there should be a one-time code sent to phones when a customer logs in. Once the code is entered, the customer inputs their password. “Perhaps there was a flaw with the one-time code process,” he suggested, “that allowed the attacker/s to bypass that step. And then they just tried known passwords from database dumps. That might be consistent with ‘Tesco Bank has not been subject to a security compromise’; as in, the internal network is secure. And also consistent with ‘not necessary for customers to change their login or password’ – because the flaw has been fixed? But then, you should also change your passwords. (Better advice would be to use ‘unique’ passwords.)”
A third possibility is that the attack was instigated by an insider with admin credentials (an employee or a contractor — think Snowden). Technically, just the customers’ banking details could have been exfiltrated without compromising the system. This seems unlikely since the bank has returned to full operational status — which it would not have done had customers’ details been removed. The alternative here is that the insider operated entirely within the network over the weekend to transfer funds out of individual accounts. This would explain how the bank knows ‘exactly’ what happened, and why it can be confident that its systems were not technically compromised.
All of this is currently conjecture. We don’t know what did happen; and we will not know until the bank tells us.