Earlier this month, Tesco Bank suffered the worst breach the financial services sector has seen. At the time of writing, it’s believed that £2.5m was stolen from around 9,000 current account holders, while 136,000 customers had online banking temporarily suspended.
The bank reacted relatively quickly, presumably once their fraud detection systems raised the alert, but that’s likely to be of little comfort to those who suffered the inconvenience of losing money or having their services suspended.
An investigation into precisely what happened is ongoing and, for now, Tesco Bank is remaining tight-lipped on any details about how the breach may have occurred. But speculation is rife, and reports of hackers on dark web forums bragging about their ability to riffle through bank accounts have begun to emerge. A number of security companies have also claimed they warned the bank about possible vulnerabilities months before. A picture is emerging, and it doesn’t look great.
Adding to the confusion surrounding what may have happened is the fact that Tesco Bank posted an FAQ on its website saying: ‘Tesco Bank has not been subject to a security compromise and it is not necessary for customers to change their login or password details.’ Not only does this suggest that hackers were able to get directly into bank accounts, but also that Tesco Bank has a pretty good idea about what went on.
Financial services has a problem
Tesco Bank may now be the poster child for what happens when a bank’s security isn’t up to scratch, but it certainly isn’t alone in its failure to protect customers. According to the Office for National Statistics, of 3.8 million cases of fraud in the year ending March 2016, the majority (2.5 million) related to bank and credit account fraud. Following a recent study, consumer group Which? also criticised some of the UK’s biggest banks for failing to have adequate security measures in place – in particular a lack of two-factor authentication.
As if that wasn’t damning enough, a Freedom of Information request by The Sunday Times revealed that over the past five years fraud allegedly committed by staff at a bank or building society resulted in losses of £5.4m. However, David Clark, a detective chief superintendent who heads the economic crime directorate at the City of London police, told the paper he was sure the actual number would be far higher – and I tend to agree.
Expect the unexpected
It’s been said before, but I’ll say it again: at the moment it isn’t a case of if you are breached, but when. Hackers are becoming increasingly sophisticated and employees increasingly unpredictable, and this combination puts all businesses, not just banks, in a precarious position.
Gone are the days when employees would work from a single location on a single device. Now we’re everywhere – updating spreadsheets from a laptop in a coffee shop, checking emails from an iPad at the airport, or granting access to a Google Doc from a hotel lobby. People have now become known unknowns, and managing that level of uncertainty is a huge security challenge. And, while there clearly are malicious insiders, it isn’t just the rogue employee skimming a bit off the top you need to worry about. It’s the CEO who writes his password down for his PA, or the account manager who clicks a link someone sent her on Facebook, who are the problem. As more and more daily business is done in the cloud, the problem just gets worse.
In order to reduce the risk, monitoring and access controls are imperative. Organisations need to know who has accessed what, where from and what they are doing with it. The other thing to know is whether they are allowed to do what they are trying to do. We need to know more than the basic ‘access attempts’; we need to know about every single person, what their role is and whether they are acting within it.
There’s also the issue of knowing that people are who they say they are. Who knows who could get hold of the bit of paper the CEO’s scribbled his password on in the aforementioned example? Authentication needs to be part of the standard security mix. And it needs to be multi-factor. SMS authentication has its place, but only as part of a wider, more intelligent multi-factor authentication approach that’s designed for today’s advanced threat landscape.
Everyone has habits – such as location, time of day, and frequency of login – and by learning these and using them as part of the authentication mix, legitimate access attempts for trusted users are allowed, and those that are nefarious blocked.
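One way to turn the habit-based check described above into code, as an added example that is not from the article or from CensorNet’s own products: a small Python risk scorer that learns a user’s usual countries and login hours from past successful logins, adds a point for each broken habit (location, time of day, login frequency), and maps the score to allow, step-up to a second factor, or block. The user name, countries, thresholds and login history are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LoginEvent:
    user: str
    country: str          # constructed: coarse geolocation of the source IP
    ts: datetime          # time of the attempt (UTC)

def build_profile(history):
    """Learn a user's habits from past successful logins: where and when."""
    return {
        "n": len(history),
        "countries": Counter(e.country for e in history),
        "hours": Counter(e.ts.hour for e in history),
    }

def risk_score(profile, attempt, recent_attempts, rare=0.05, burst=3):
    """Return 0..3: one point each for an unfamiliar location, an unusual
    hour, and an abnormal burst of attempts (frequency of login)."""
    n = profile["n"]
    score = 0
    if profile["countries"][attempt.country] / n < rare:
        score += 1                                  # location habit broken
    window = {(attempt.ts.hour + d) % 24 for d in (-1, 0, 1)}
    if sum(profile["hours"][h] for h in window) / n < rare:
        score += 1                                  # time-of-day habit broken
    cutoff = attempt.ts - timedelta(minutes=10)
    if sum(1 for a in recent_attempts if a.ts >= cutoff) >= burst:
        score += 1                                  # frequency habit broken
    return score

def decide(score):
    """Map risk to an action: trusted users pass, doubtful attempts get a
    second factor, clearly anomalous attempts are blocked."""
    return "allow" if score == 0 else "step_up_mfa" if score == 1 else "block"

# Constructed sample history: Alice logs in from GB during UK office hours.
HISTORY = [LoginEvent("alice", "GB", datetime(2016, 10, 1 + i % 28, 8 + i % 10))
           for i in range(40)]
PROFILE = build_profile(HISTORY)

def evaluate(attempt, recent_attempts=()):
    """Score one attempt against Alice's learned profile and return the action."""
    return decide(risk_score(PROFILE, attempt, list(recent_attempts)))
```

The thresholds (`rare`, `burst`) are tuning knobs; in production they would be set per risk appetite and backed by a larger history than forty logins.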
While we await the results of the investigation into Tesco Bank’s woes, one thing is clear: online services are getting far more precarious. The week prior, two NHS trusts were taken offline by a possible ransomware hit; a week later, Adult Friend Finder found itself in the middle of a media storm as millions of users’ details went AWOL. These are all very different organisations, with one thing in common – they simply weren’t adequately equipped to protect themselves or, in some cases, their customers.
We’re living in a new world, one where the security tools of yesteryear no longer work. One where data is a currency and hacking is a hobby. It’s a sorry state of affairs – we’re playing whack-a-mole and constantly losing. In some ways we’ve made the job of cyber criminals easier by overcomplicating how we approach security. Point solutions that only protect against a specific type of threat had their place, but they don’t work together like they should, leaving blind spots that can be exploited. We need to see into every corner and every crevice so there is nowhere for the criminals to hide.
Only time will tell how Tesco Bank is impacted in the long term but in the meantime, other businesses – financial and otherwise – simply must do more. Ultimately, the businesses that can protect themselves are going to stand head and shoulders above the rest.
Ed Macnair, CEO, CensorNet