
Tesco Bank Hack Explained




A group of researchers from Newcastle University have written a paper entitled ‘Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?’, in which they claim that an attacker may exploit differences in website security solutions (such as 3D Secure, SafeKey and SecureCode) to build a distributed guessing attack that generates payment details (card number, expiry date, card verification value and postal address), collecting each piece of information from a different merchant website. It has been suggested that this was the means by which a group of hackers in Brazil and Spain gained access to British Tesco Bank customers' funds.

3D Secure stands for 3 Domain Secure, which entails cooperation between:
1) The Vendor
2) The Acquiring Bank
3) Visa and MasterCard
American Express SafeKey and MasterCard SecureCode are based on 3D Secure technology. 3D Secure is a form of two-factor authentication.

The more card information an attacker holds, the more vulnerable the customer becomes. Customer information can be used to transfer money from one account to an accomplice via Western Union.

The vulnerabilities are the result of a failure by Visa and MasterCard to conduct centralized checks across multiple websites.

Five pieces of information typically requested by vendors, from card issuers:

1/ Cardholder name
2/ 16 digit card number – Primary Account Number (PAN)
3/ Card expiry date
4/ Card verification value – 3 digit number on the reverse of the card
5/ Cardholder address

The most negligent online merchants only request that the card issuer provide the 16 digit Primary Account Number and the card expiry date. This lowers the barrier for criminals looking to make unauthorized purchases:
  • Guessing an expiry date takes, at most, 60 guesses – cards are usually valid for 5 years.
  • Guessing the card verification value takes 1,000 guesses.

Online databases such as BinDB and ExactBins are tools used by cyber criminals to find card/personal information.

PAN data is the ‘starting point’ for most of the brute force exploits.

PANs are easily available on the dark web. Cyber criminals sell card details on the various dark web markets. The amount of information and date of acquisition determine the price. Accounts hacked more recently are higher priced; PANs with no corresponding details are lower priced than PANs with

The researchers were able to show how hackers transfer the funds across international borders via popular wire transfer services such as Western Union. The entire process of accessing the funds and creating a new bogus account to move the funds into took less than 30 minutes.

Researchers used a website bot via Mozilla Firefox. The bot automates the process of guessing relevant card information by cycling through all of the possibilities.



The bot can be used to guess the expiry date of a card on websites that do not require a card verification number. The researchers also claim to have found a ‘handful of payment sites’ that allow unlimited attempts at guessing the CVV2.

Address verification is performed on the numerical values, only. Alphabetical characters are ignored. Some websites fail to attempt to match the house/flat number with the postcode.

The paper also made reference to the long documented issue of NFC skimmers. Banks are issuing contact-less cards to make use of the increasingly pervasive contact-less payment systems.

The authors of the paper recommend the use of 3D Secure technologies and IP address velocity filters (to detect multiple attempts) by online retailers. The authors conclude by stressing the need for coordination, centralization and standardization of the online payment process.
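
The velocity filter the authors recommend, and the centralized check whose absence is blamed above, sketched as an added example (not code from the paper or from this post). The event format, the tokenised card ids, the 10-minute window and the 5-decline threshold are assumptions, and the log is constructed:

```python
from collections import defaultdict, deque

WINDOW_S, MAX_FAILS = 600, 5   # assumed policy: >5 declines per key in 10 minutes

class VelocityFilter:
    """Sliding-window counter of declined authorisations, grouped by key_fn."""
    def __init__(self, key_fn, max_fails=MAX_FAILS, window_s=WINDOW_S):
        self.key_fn, self.max_fails, self.window_s = key_fn, max_fails, window_s
        self.fails = defaultdict(deque)

    def observe(self, ev):
        """Record one event; return True when its key exceeds the threshold."""
        if ev["ok"]:
            return False
        q = self.fails[self.key_fn(ev)]
        q.append(ev["ts"])
        while q[0] <= ev["ts"] - self.window_s:   # expire declines outside the window
            q.popleft()
        return len(q) > self.max_fails

def flagged(events, key_fn):
    """Keys that tripped the filter while replaying events in time order."""
    vf = VelocityFilter(key_fn)
    return {key_fn(ev) for ev in sorted(events, key=lambda e: e["ts"]) if vf.observe(ev)}

def per_merchant_ip(ev):      # what one retailer can see on its own
    return (ev["merchant"], ev["ip"])

def per_card(ev):             # what a central check across sites would see
    return ev["pan"]

def sample_events():
    """Constructed log: tok_A is declined 4 times at each of 10 shops;
    tok_B is a customer who mistypes once and then pays."""
    evs = [{"ts": 8 * m + 2 * g, "merchant": f"shop{m}", "ip": "203.0.113.7",
            "pan": "tok_A", "ok": False} for m in range(10) for g in range(4)]
    evs.append({"ts": 30, "merchant": "shop3", "ip": "198.51.100.20", "pan": "tok_B", "ok": False})
    evs.append({"ts": 45, "merchant": "shop3", "ip": "198.51.100.20", "pan": "tok_B", "ok": True})
    return evs

if __name__ == "__main__":
    evs = sample_events()
    print("per-merchant IP filter:", flagged(evs, per_merchant_ip))
    print("central per-card filter:", flagged(evs, per_card))
```

Each retailer sees only four declines and flags nothing, while the same events counted per card across all ten sites trip the filter; the genuine customer's single mistyped attempt is not flagged in either view.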

* Some websites were prompted to change their online payment processes as a result of the paper. The names of the websites in question were kept anonymous by the researchers but are said to include iTunes, PayPal, Google and Amazon.
