Earlier this month Tesco revealed that, following a “sophisticated” attack, £2.5 million had been stolen from the current accounts of 9,000 of its customers.
This attack is considered to be the largest ever cyber attack on a UK bank to have resulted in a massive financial loss. It has initiated a criminal investigation, which is being led by the National Crime Agency and NCSC (National Cyber Security Centre) in order to shed light on how it happened and who was behind it.
Despite the negative implications of the incident, the attack has raised an important question in the public’s eye – how prepared are institutions and end users for cyber attacks?
Data breaches are nothing new and they certainly don’t look good for a company’s reputation, but when customers’ money is affected and their privacy compromised, the problem becomes even more serious. Earlier this year HSBC suffered a ‘denial of service attack’ which prevented customers from accessing their accounts. Yet never before has there been an attack on such a scale as the one reported by Tesco Bank. Evaluating potential cyber weaknesses in banking and looking at the way Tesco Bank’s security was breached can therefore help to better detect and prevent similar attacks in the future.
Tesco Bank took the attack seriously
First of all, fortunately for its customers, Tesco Bank appears to be taking the matter as seriously as it should, informing them of what is happening and refunding accounts as soon as possible.
Indeed, Alex Mathews, Technical Manager EMEA at Positive Technologies, concluded that Tesco’s approach in mitigating the attack has been adequate and reasonable: “As always with fast-developing big attacks such as this, detailed information on the criminal techniques used and the extent to which it will impact customers, will probably only emerge over the next few days. The fact that a full stop has been put on online transactions and the rapidity with which the CEO issued a statement, both show how seriously the bank is taking it. The security team’s emergency plan appears to be in full effect.
“Our own research into online banking systems found that 25 per cent of investigated systems are under threat of serious attack - including theft of money by an authorised user - as a result of rounding attacks, unauthorised access to arbitrary user operations, and SQL Injection. About half of the tested systems (55 per cent) allow an unauthorised user to access a database management system with personal and financial data.”
How was its security breached?
A huge number of theories have circulated about the cause of the problem, including Tesco Bank being “hacked by an online group, or even compromised from within,” said Lee Munson, security researcher at Comparitech.com. However, as Tesco Bank still hasn’t given any details, it is hard to speculate whether the company was warned before the breach or how their security was breached and by whom.
Nevertheless, the attack displays the need for customers and organisations to help detect fraud. On the one hand, this raises an important issue not just for Tesco Bank’s customers, but for many within a generation of digital natives, who are unaware of the dangers of the internet. In a time when online banking, mobile payment methods and online banking readers are huge parts of everyday life, cyber security awareness is a necessity.
Organisations, on the other hand, also need to enhance the protection of valuable intellectual property or financial resources against theft. Although Tesco Bank had a good response towards the attack, they shouldn’t have let it happen in the first place. Given the increasing pace, strength and complexity of cyber threats nowadays, it is hard to speak of full cyber attack protection. Yet, corporations could start addressing the issue among their employees and customers as well as prioritise IT security risks and develop mitigating strategies.
How can customers protect themselves?
According to Lee, Tesco Bank has learned a valuable lesson from this attack and has promised to “put in place the necessary technological, procedural or people changes required to mitigate the risk of it happening again”. Despite that, customers need to be on their guard, not only for suspicious activities around their accounts, but also phishing emails referencing the incident and trying to trick them into visiting an imposter website. Lee added that “the correct course of action is, of course, for customers to type their online banking URL directly into their browser and, once logged in, they should change their passwords, whether their account has been compromised or not.”
Troy Gill, Manager of Security Research at AppRiver, offers further guidance on phishing campaigns: “Whenever a big brand is affected it’s a green light to scammers. A message can quickly be crafted, designed to look like it’s a legitimate Tesco communication, and then sent randomly to all emails in a database with the hope that some may find their mark. Paying attention to details, such as URLs and email addresses, can prevent terrible situations where customers willingly hand over all their personal data via a phishing message or malicious website.
“Having protection such as email filtering can help stop scam messages even getting to a customer’s inbox but one of the best tactics is customer training. If they know what to look for then they’re more likely to notice when things feel off.”
Another area where Tesco Bank’s customers could have done better is their one-to-one response time after the bank’s initial communication that accounts had been compromised. Lee explained that affected customers should immediately contact the bank when they come across any suspicious emails, SMS or phone calls and wait for guidance from the bank itself on the situation.
Finally, Lee concluded that, from a customer security point of view, British banking overall has a good level of security: “Incidents such as this are extremely rare and, in Britain at least, all losses arising from unauthorised activity must be refunded immediately anyway. Not only that, the financial services industry is extremely proactive in protecting its assets, as evidenced by massive recent operations such as Wire Shark and Operation Resilient Shield.”
In addition to Tesco Bank’s quick thinking to “temporarily suspend the online transaction signals to limit any further damage,” said Mike Fenton, CEO at Redscan, it is advisable that both customers and employees get familiar with the potential security and privacy risks connected to online banking such as mobile malware infections, data loss and identity theft.
Dean Alvarez, Features Editor at IT Security Guru