As one of the UK’s largest retailers with a seemingly ubiquitous presence, the Tesco brand is held in high regard by the British public. The company have leveraged their favourable brand name to expand into telecommunications and banking.
That faith, built up over decades of providing reliable service as a retailer, has been shaken this week with the news that several thousand Tesco Bank customers had their accounts raided by thieves. As a result, several customers were unable to access their hard-earned money, both because of the theft and because Tesco Bank was forced to stop all online transactions.
The uncertainty that persists as a result of the scant information released by Tesco has only amplified the horror – the current perception being that Tesco is unaware as to the root cause of its security failure.
The number of victims was initially pegged at 20,000 with 40,000 accounts said to have been tampered with in total. Regardless of how many may have lost money to the hackers, all 140,000 were inconvenienced over the weekend when the bank stopped all customers from accessing their accounts. Tesco's most recent communications claim that 9,000 customers were affected. A figure of $3.1 million is said to have been refunded to the customers in question.
https://www.tescobank.com/help/current-account-fraud-update/
The statement released by Tesco Bank:
Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently... As a precautionary measure, we took the decision on Sunday 6 November 2016 to temporarily stop online transactions from current accounts. This will only affect current account customers. While online debit transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.
https://www.tescobank.com/
Tesco have carefully refrained from using the words ‘hacked’ or ‘hacking’ in any of their communications in relation to the breach. This important omission raises more questions as to how so many customers were so swiftly defrauded, with a number having been cleared of their life savings.
The stock market has reacted to the news in a predictable fashion, the stock price having dropped on the realization that Tesco stands to lose millions as a result of the impending fines imposed on companies found to have run afoul of UK data protection legislation.
While on the one hand Tesco Bank have been quick to acknowledge the breach, other questions remain. Besides being informed that proceeds of the crime were moved to Brazil and Spain, no information has been provided as to how the thieves gained access to so many accounts. The speed of the attack is suggestive of an automated process.
Additionally, Tesco claim:
Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details. To stay safe online we do recommend that customers regularly change their passwords.
The attack against Tesco draws immediate comparisons with that suffered by Heartland Payment Systems in 2008. In that instance customer data was leaked by way of an SQL injection attack on point of sale terminals at the retailer TJ/TK Maxx – who were in turn compromised by their failure to safeguard their poorly encrypted wireless data traffic. SQL injection was also the method used in the attack on TalkTalk.
The attack on Target is yet another similar, large-scale data breach.
http://www.cnet.com/news/target-hack-strips-banks-and-credit-unions-of-200m/
Tesco are working with the authorities to establish how they were so easily compromised in what they have referred to as “a systematic, sophisticated attack”. They claim to have reimbursed all affected customers.
The U.K.’s Financial Conduct Authority (FCA) regulatory body has described the fraud as “unprecedented.” The head of the FCA, Andrew Bailey, spoke of his concerns regarding weaknesses in banks' complex IT systems.
He drew attention to the fact that the elaborate systems employed by the financial houses created multiple points of failure for cybercriminals to take advantage of.
Unlike a number of other breaches in which bank details have been stolen, no data has so far appeared for resale on the dark web.