Tesco Bank: How was £2.5m stolen from customers' accounts?
Report says criminals made contactless card purchases in the US and Brazil
It's been described as the worst cyber attack in British banking history, but little is known about how fraudsters stole £2.5m from 9,000 Tesco Bank account holders.
The financial services arm of Britain's largest supermarket group has sought to assure customers by saying that "no customer data has been lost" and that "none of our systems were breached".
Beyond that it has refused to disclose details, citing an ongoing criminal investigation. In the meantime its "reputation has been damaged by the raid", says the Sunday Times.
Rumours, leaks and potential clues to the methods used by the hackers have begun to emerge, however. These revolve around several key themes:
Contactless payments
The Sunday Times claimed to "reveal" at the weekend that the criminals "went on a spending spree in shops in the US and Brazil to launder their ill-gotten gains".
According to the paper, "stolen" customer account details were uploaded onto smartphones and then used to make swathes of small purchases at US electricals retailer Best Buy and elsewhere across America and Brazil.
"The thieves loaded up on cheap goods to get around limits on mobile phone transactions," it added.
There is no source cited for the claims, but if true this explanation would call into question Tesco's assertion that "no customer data has been lost".
'Brute force'
Another possibility, or perhaps the forerunner of the big attack last week, was set out by Israeli cyber security company CyberInt.
The security firm told the Financial Times that it had found evidence of "Tesco Bank customers' current accounts, savings accounts and credit card details… being traded on the dark web", following a spike in attacks on the company's website in September.
The website allows "unlimited login attempts from the same IP address". Fraudsters could use a "brute force" attack to test "thousands of login and password combinations until one [is] found to work", says the BBC.
CyberInt's investigations uncovered a number of users on dark web forums who claim to have stolen as much as £1,000 at a time from Tesco Bank customers.
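The weakness the BBC describes above, a login page that accepts unlimited attempts from the same IP address, is what a failed-login throttle keyed on both the source IP and the target account is meant to close. The code below is an added example of my own, not Tesco Bank's code or anything reported in the article; the IP addresses, account names, thresholds, window length and timestamps are all constructed for the demonstration. It also goes slightly beyond the single-IP case the article mentions by showing why a per-IP limit alone is not enough when the attempts are spread across many addresses.

```python
"""Sliding-window throttle for failed logins, keyed per source IP and per account.

Added example, not code from Tesco Bank or the article. All thresholds and
sample traffic are constructed values chosen for illustration.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Count recent failed logins per IP and per account and decide when to block.

    ip_limit: failures from one IP within the window before that IP is blocked.
    account_limit: failures against one account within the window before that
    account is blocked, whatever IP the attempts come from.
    """

    def __init__(self, ip_limit=20, account_limit=5, window_seconds=300):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window_seconds
        self._ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self._account_failures = defaultdict(deque)  # account -> timestamps of failures

    @staticmethod
    def _prune(events, now, window):
        # Drop failures that have aged out of the sliding window.
        while events and events[0] <= now - window:
            events.popleft()

    def record_failure(self, ip, account, now):
        self._ip_failures[ip].append(now)
        self._account_failures[account].append(now)

    def record_success(self, account):
        # A genuine login clears the account's failure history.
        self._account_failures.pop(account, None)

    def failures(self, ip, account, now):
        """Return (failures from this IP, failures against this account) in the window."""
        ip_events = self._ip_failures[ip]
        acct_events = self._account_failures[account]
        self._prune(ip_events, now, self.window)
        self._prune(acct_events, now, self.window)
        return len(ip_events), len(acct_events)

    def is_blocked(self, ip, account, now):
        ip_count, acct_count = self.failures(ip, account, now)
        return ip_count >= self.ip_limit or acct_count >= self.account_limit


def replay(throttle, attempts):
    """Run login attempts through the throttle.

    attempts: iterable of (timestamp, ip, account, credentials_correct).
    Returns a list of (timestamp, ip, account, decision) where decision is
    'blocked' (attempt refused before any password check), 'fail' or 'ok'.
    """
    decisions = []
    for ts, ip, account, correct in attempts:
        if throttle.is_blocked(ip, account, ts):
            decision = "blocked"
        elif correct:
            throttle.record_success(account)
            decision = "ok"
        else:
            throttle.record_failure(ip, account, ts)
            decision = "fail"
        decisions.append((ts, ip, account, decision))
    return decisions


def run_demo():
    """Constructed traffic: one IP sweeping many accounts, then many IPs hitting one account."""
    attempts = []
    # Scenario 1: a single source (constructed IP) tries 30 accounts, one per second.
    for i in range(30):
        attempts.append((i, "198.51.100.7", f"acct-{i + 1:03d}", False))
    # Scenario 2: five different sources each guess once against the same account,
    # then a sixth tries, then the real user (192.0.2.10) logs in correctly.
    for i in range(6):
        attempts.append((100 + i, f"203.0.113.{i + 1}", "victim", False))
    attempts.append((110, "192.0.2.10", "victim", True))   # real user, inside window
    attempts.append((410, "192.0.2.10", "victim", True))   # real user, window has expired
    return replay(LoginThrottle(ip_limit=20, account_limit=5, window_seconds=300), attempts)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In the replay, the sweeping IP is refused after its twentieth failure, and the account hit from six different addresses is refused after the fifth, so the per-account counter catches what the per-IP counter cannot. The last two rows show the trade-off a defender has to weigh: the real user is turned away at t=110 because the attacker has exhausted the account's allowance, and only gets in once the window has expired at t=410. A hard per-account lockout therefore hands an attacker a cheap way to lock customers out, which is why production systems usually back it with step-up verification, CAPTCHA or progressive delays rather than a flat refusal, and why the counters should feed an alert when a single IP or a single account trips them.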
Mobile apps
More speculatively, cyber security companies have cited weaknesses in relation to Tesco Bank's mobile app. They say these might be prevalent across a number of so-called "challenger" banks.
"We were doing research into mobile apps across the UK market and found some problems with various apps that they have and reached out to try and warn them," the London-based company's chief executive, Martin Alderson, told the BBC.
He said he would not reveal the weaknesses he had identified in any detail, but said they were not confined to Tesco.
Alderson also said that while "top tier banks are really good with their mobile security… the second-tier banks and some of the financial tech companies can struggle with this".
What should you do?
Firstly, if you lost money you should have been compensated already. If you are a Tesco Bank customer and you don't think you did lose out, keep an eye on your accounts for suspicious activity anyway.
Always take appropriate security precautions with your accounts, such as keeping login details and PINs secure, using complex online passwords, and checking cash machines before use.
Obviously you could leave Tesco if you don't feel secure, but it's worth repeating that it states its systems were not compromised and that other banks have faced their own, albeit less successful, attacks in the past.
Tesco Bank cyber attack: Everything we know so far
9 November
Earlier this week, Tesco Bank confirmed that thousands of customers lost as much as £600 each last weekend after thieves stole money from their accounts.
It's the latest in a growing trend of companies being targeted by fraudsters. Here's everything you need to know.
What happened?
It became clear over the weekend that a number of Tesco Bank's current-account holders could not make online payments, with suggestions of widespread fraud and a logjam on customer service lines.
Benny Higgins, the bank's chief executive, confirmed that "40,000 accounts saw suspicious transactions over the weekend, of which half had money taken", says the BBC.
The bank has since revised those numbers, announcing yesterday that around 9,000 people had a total of £2.5m stolen from their accounts. All affected customers have now been fully refunded.
How will I know if I'm affected?
Tesco should have notified you by text message if your account was identified as being at risk. By now you should have received a refund for any money lost.
If you bank with Tesco and were not contacted, it's still worth checking your account for any unusual activity.
Under Financial Conduct Authority rules, banks are obliged to immediately refund any money lost as a result of fraud unless they can prove you were negligent or the breach happened more than 13 months ago.
So I'm in the clear if my money is still there?
Certainly for now. But as Tesco has released no details of how the breaches happened, keep an eye on things, especially as some customers have had up to £600 taken.
In an effort to reassure customers, Tesco has stated that customer data "was not compromised" during the attack, says the BBC [1]. So hopefully that means the hackers don't have the means to commit further fraud.
So Tesco doesn't know what happened?
Bosses have told the BBC they know exactly what happened, but that as it's an open police investigation they cannot disclose details. All they're saying is that it was a "systemic, sophisticated attack".
Robert Schifreen, the editor of the computer safety website Security Smart, isn't happy about what he sees as a lack of transparency.
"It could be… that people have been attaching skimming devices, card readers and cameras specifically to Tesco's cash point machines, so that they've been capturing people's accounts there," he told the BBC.
"It could be somebody who works at Tesco Bank who's had access to the database. It could be somebody else, who Tesco have passed information to, and that information has been hacked."
What if I am affected?
If Tesco hasn't already contacted you, then you should call the bank yourself. It aims to refund all lost money in the next 24 hours.
Under Financial Conduct Authority rules, banks are obliged to refund money lost as a result of fraud unless they can prove you were negligent or the breach happened more than 13 months ago.
How can I protect myself in the future?
Without knowing exactly how the cyber attack happened, it's hard to pinpoint anything that customers might be inadvertently doing that leaves them exposed.
The BBC says that because "criminals may have been able to get into the bank's systems without any input, or leak of information, from individual customers… there are few obvious precautions that customers can take".
However, you should always keep your online account details secure, use passwords that are difficult to guess and check cash machines before you use them.
To some extent, your fate is always in your bank's hands: if its systems are hacked then your details could be taken. Most use encryption and other forms of protection to try to prevent this.
After an investigation last month, Which? said Lloyds, Santander and TSB had a comparatively poor record for protecting customer details. All three disputed the findings – and Tesco wasn't even included.
Is Tesco alone?
Absolutely not. HSBC was subject to a cyber attack in January, but it said it was able to prevent customers' accounts being affected, although it also had to block access to online banking for a while.
Companies across the economy are increasingly being forced to defend against online attacks. In the UK high-profile corporate victims have included Carphone Warehouse, TalkTalk and Vodafone.
How has Tesco been affected?
To some extent the hack is small, representing just 0.5 per cent of its seven million customer accounts, but investors always fear a breach will hit customer confidence so shares have been hit.
Tesco's share price was down 1.2 per cent today, to around 198.7p.
The attack has been described as the worst in British corporate history and "unprecedented" by the regulator, which the Daily Telegraph says could issue a fine to Tesco Bank if it deems security was not adequate.