Cyber criminals boast on dark web about Tesco Bank breach

Tesco store

Hackers called Tesco Bank a "cash milking cow" and "easy to cash out" in posts on dark web forums months before this week's attack, according to cybersecurity firm Cyberint.

The Financial Times was the first to break the news of Cyberint carrying out its probe of hidden web pages, where it said it had found conversations about a tool that tested thousands of login and password combinations, to allow access to Tesco accounts.

Although the bank had tried to prevent these attacks, this tool eventually led them to success.

In an interview with the BBC, Elad Ben-Meir, Cyberint's marketing vice-president, said: "It was a cat and mouse game, but we saw indicators starting from September - so two months before the actual attack - of quite a few threat actors saying, 'We've been successfully getting into accounts and cashing out through various means.'"

According to Ben-Meir, these discussions took place in several forums, including AlphaBay, Hacking Forum, and other less known spaces.

"One of the guys said, 'I used to cash out 1,000 every week without anyone ever noticing'," said Ben-Meir.

These claims made on the dark web could potentially be linked to the money stolen by Tesco Bank about a week ago, although this is still unclear.

The Sunday Times suggested that the theft was made possible by contactless payments through smartphones.

Cyberint and a mobile app specialist, Codified Security, both tried to tell Tesco Bank about their findings, with the hopes of securing business.

Martin Alderson, chief executive of Codified Security, told the BBC his company had tried to reach out to Tesco Bank after finding issues with the bank's app.

Codified Security had done research into UK mobile apps and Alderson said Tesco Bank was not the only lender who was contacted with reports of issues.

Alderson did not say name of the other banks involved, but said: "The top tier banks are really good with their mobile security," referring to NatWest, Barclays, and other popular banks.

The Tesco Bank hack was initially said to have affected around 20,000 customers, who had their funds withdrawn on the 5 and 6 November.

In a statement, a Tesco Bank spokesperson said: "We'd like to reassure our customers that none of their personal data has been compromised."

Tesco Bank paid out 2.5 million to 9,000 of its customers, yet the company said suspicious activity was found for 40,000 out of its 136,000 current accounts. The company said that all customers affected by the hack have been refunded.

Tesco Bank CEO, Benny Higgins, commented: "Our first priority throughout this incident has been protecting and looking after our customers and we'd again like to apologise for the worry and inconvenience this issue has caused."

Can you monitor your security risk profile accurately? Sign up to our live webinar on 24 November, sponsored by Tenable, to find out how your security budget can make the best impact on your business.

07/11/2016: 20,000 customers hit by Tesco Bank hack

Tesco Bank has blocked online transactions using current accounts after 20,000 customers had money fraudulently withdrawn over the weekend.

The bank, owned entirely by the shopping chain Tesco, revealed over 40,000 accounts had seen suspicious activity since Saturday, of which half had money stolen.

Online payments using current accounts have been temporarily stopped while the incident is investigated. Customers will still be able to use their cards in-store and at cash machines, according to a post on the Tesco Bank website.

"We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts," said Benny Higgins, chief executive of Tesco Bank.

"We are working hard to resume normal service on current accounts as soon as possible," added Higgins. "We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible."

After losing 600 over the weekend, one customer said Tesco Bank offered 25 as a gesture of goodwill, according to the BBC.

Another man complained his account balance had dropped by 700, while another claimed she could no longer afford to "feed my kids in school tomorrow."

The Financial Conduct Authority ensures that banks must refund money lost through fraudulent activity immediately, as well as any charges or interest incurred as a result.

The bank is currently working with regulators and relevant authorities to investigate the circumstances of the hack. A spokesperson for UK data privacy regulator ICO told IT Pro it was assessing the details of the incident, and will investigate if it finds that Tesco has failed to have "appropriate measures in place to keep people's personal data secure" and "enforce if necessary."

Higgins has so far failed to provide any information as to how the accounts were compromised.

"It's unclear yet exactly what happened, but there are a number of potential sources behind the attack," said Piers Wilson, head of product management at Huntsman Security. "It could be a case of insider activity, where an employee has misused their access privileges to take cash from customer accounts."

Wilson also suggests the hack could have come from an outside source, targeting either the bank itself or a company that Tesco shares data with. It is unlikely to have been the result of 'card-skimming' at cash machines, as other banks would have seen similar hacks, according to Wilson.

"Tesco Bank has been quick to respond to the breach, taking immediate measures to minimise the damage," added Wilson. "However we've seen reports that thousands of customers have had cash stolen from their accounts, leaving some in very difficult financial circumstances."

The Bank, which was bought by Tesco from RBS in 2008, now has almost 8 million customer accounts.