Tesco Bank: How was £2.5m stolen from customers' accounts?

Report says criminals made contactless card purchases in the US and Brazil


It's been described as the worst cyber attack in British banking history, but little is known about how fraudsters stole £2.5m from 9,000 Tesco Bank account holders.

The financial services arm of Britain's largest supermarket group has sought to assure customers by saying that "no customer data has been lost" and that "none of our systems were breached".

Beyond that it has refused to disclose details, citing an ongoing criminal investigation. In the meantime its "reputation has been damaged by the raid", says the Sunday Times.


Rumours, leaks and potential clues to the methods used by the hackers have begun to emerge, however. These revolve around several key themes:

Contactless payments

The Sunday Times claimed to "reveal" at the weekend that the criminals "went on a spending spree in shops in the US and Brazil to launder their ill-gotten gains".

According to the paper, "stolen" customer account details were uploaded onto smartphones and then used to make swathes of small purchases at US electricals retailer Best Buy and elsewhere across America and Brazil.

"The thieves loaded up on cheap goods to get around limits on mobile phone transactions," it added.

There is no source cited for the claims, but if true this explanation would call into question Tesco's assertion that "no customer data has been lost".

'Brute force'

Another possibility, or perhaps the forerunner of the big attack last week, was set out by Israeli cyber security company CyberInt.

The security firm told the Financial Times that it had found evidence of "Tesco Bank customers' current accounts, savings accounts and credit card details… being traded on the dark web", following a spike in attacks on the company's website in September.

The website allows "unlimited login attempts from the same IP address". Fraudsters could use a "brute force" attack to test "thousands of login and password combinations until one [is] found to work", says the BBC.

CyberInt's investigations uncovered a number of users on dark web forums who claim to have stolen as much as £1,000 at a time from Tesco Bank customers.
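
The "unlimited login attempts from the same IP address" weakness described above is what a per-address throttle on failed logins closes. The sketch below is an added example, not Tesco Bank's code or anything taken from the reports cited; the class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins per source IP (hypothetical helper)."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures      # assumed threshold
        self.window_s = window_s              # failures older than this are forgotten
        self.lockout_s = lockout_s            # how long a tripped address is refused
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lockout ends

    def allowed(self, ip, now):
        """True if this address may attempt a login at time `now`."""
        return now >= self._locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Note a failed login; return True if the address is now locked out."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            recent.clear()
            return True
        return False


def replay(events, throttle):
    """Run (time, ip, user, success) events through the throttle.

    Returns {ip: number of attempts refused before any password check}.
    """
    refused = defaultdict(int)
    for now, ip, _user, success in events:
        if not throttle.allowed(ip, now):
            refused[ip] += 1
            continue
        if not success:
            throttle.record_failure(ip, now)
        # A success deliberately does not clear the history: otherwise one
        # valid account would let a guesser reset the counter at will.
    return dict(refused)


# Constructed sample: one address guessing once a second against many
# usernames, and one customer who mistypes a password once, then logs in.
EVENTS = sorted(
    [(t, "203.0.113.7", f"user{t}", False) for t in range(20)]
    + [(3, "198.51.100.4", "alice", False), (9, "198.51.100.4", "alice", True)]
)
```

A per-address limit only covers guessing from a single source; attempts spread across many addresses need a matching counter keyed on the account being targeted.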

Mobile apps

More speculatively, cyber security companies have cited weaknesses in relation to Tesco Bank's mobile app. They say these might be prevalent across a number of so-called "challenger" banks.

"We were doing research into mobile apps across the UK market and found some problems with various apps that they have and reached out to try and warn them," the London-based company's chief executive, Martin Alderson, told the BBC.

He said he would not reveal the weaknesses he had identified in any detail, but said they were not confined to Tesco.

Alderson also said that while "top tier banks are really good with their mobile security… the second-tier banks and some of the financial tech companies can struggle with this".

What should you do?

Firstly, if you lost money you should have been compensated already. If you are a Tesco Bank customer and you don't think you did lose out, keep an eye on your accounts for suspicious activity anyway.

Always take appropriate security precautions with your accounts, such as keeping login details and PIN numbers secure, using complex online passwords, and checking cash machines before use.

Obviously you could leave Tesco if you don't feel secure, but it's worth repeating that it states its systems were not compromised and that other banks have faced their own, albeit less successful, attacks in the past.

Tesco Bank cyber attack: Everything we know so far

9 November

Earlier this week, Tesco Bank confirmed that thousands of customers lost as much as £600 each last weekend after thieves stole money from their accounts.

It's the latest in a growing trend of companies being targeted by fraudsters. Here's everything you need to know.

What happened?

It became clear over the weekend that a number of Tesco Bank's current-account holders could not make online payments, with suggestions of widespread fraud and a logjam on customer service lines.

Benny Higgins, the bank's chief executive, confirmed that "40,000 accounts saw suspicious transactions over the weekend, of which half had money taken", says the BBC.

The bank has since revised those numbers, announcing yesterday that around 9,000 people had a total of £2.5m stolen from their accounts. All affected customers have now been fully refunded.

How will I know if I'm affected?

Tesco should have notified you by text message if your account was identified as being at risk. By now you should have received a refund for any money lost.

If you bank with Tesco and were not contacted, it's still worth checking your account for any unusual activity.

Under Financial Conduct Authority rules, banks are obliged to immediately refund any money lost as a result of fraud unless they can prove you were negligent or the breach happened more than 13 months ago.

So I'm in the clear if my money is still there?

Certainly for now. But as Tesco has released no details of how the breaches happened, keep an eye on things, especially as some customers have had up to £600 taken.

In an effort to reassure customers, Tesco has stated that customer data "was not compromised" during the attack, says the BBC [1]. So hopefully that means the hackers don't have the means to commit further fraud.

So Tesco doesn't know what happened?

Bosses have told the BBC they know exactly what happened, but that as it's an open police investigation they cannot disclose details. All they're saying is that it was a "systemic, sophisticated attack".

Robert Schifreen, the editor of the computer safety website Security Smart, isn't happy about what he sees as a lack of transparency.

"It could be… that people have been attaching skimming devices, card readers and cameras specifically to Tesco's cash point machines, so that they've been capturing people's accounts there," he told the BBC.

"It could be somebody who works at Tesco Bank who's had access to the database. It could be somebody else, who Tesco have passed information to, and that information has been hacked."

What if I am affected?

If Tesco hasn't already contacted you, then you should call the bank yourself. It aims to refund all lost money in the next 24 hours.

Under Financial Conduct Authority rules, banks are obliged to refund money lost as a result of fraud unless they can prove you were negligent or the breach happened more than 13 months ago.

How can I protect myself in the future?

Without knowing exactly how the cyber attack happened, it's hard to pinpoint anything that customers might be inadvertently doing that leaves them exposed.

The BBC says that because "criminals may have been able to get into the bank's systems without any input, or leak of information, from individual customers… there are few obvious precautions that customers can take".

However, you should always keep your online account details secure, use passwords that are difficult to guess and check cash machines before you use them.

To some extent, your fate is always in your bank's hands: if its systems are hacked then your details could be taken. Most use encryption and other forms of protection to try to prevent this.

After an investigation last month, Which? said Lloyds, Santander and TSB had a comparatively poor record for protecting customer details. All three disputed the findings – and Tesco wasn't even included.

Is Tesco alone?

Absolutely not. HSBC was subject to a cyber attack in January, but it said it was able to prevent customers' accounts being affected, although it also had to block access to online banking for a while.

Companies across the economy are increasingly being forced to defend against online attacks. In the UK, high-profile corporate victims have included Carphone Warehouse, TalkTalk and Vodafone.

How has Tesco been affected?

To some extent the hack is small, representing just 0.5 per cent of its seven million customer accounts, but investors always fear a breach will hit customer confidence so shares have been hit.

Tesco's share price was down 1.2 per cent today, to around 198.7p.

The attack has been described as the worst in British corporate history and "unprecedented" by the regulator, which the Daily Telegraph says could issue a fine to Tesco Bank if it deems security was not adequate.
