
Tesco Bank says attack cost it £2.5m and hit 9,000 people - edmorley
http://www.bbc.co.uk/news/business-37915755
======
lifeisstillgood
At an average of £277/account it's interesting to speculate on the method used
here

By increasing levels of awfulness:

- an inside job. Bad but humans have betrayed trust placed in them since long
before Judas

- a credentials exploit. It seems not to be a mass hit on ATMs as Tesco
allowed people to keep withdrawing. So potentially a long term phishing
exploit to gain passwords. But seems a very long game so ...

- deep systems penetration on scale of Bank of Bangladesh. This would be
worst for Tesco and for the industry - to have people inside with control over
account transfers without your knowledge is a shut-down-the-bank level of
problem. This seems unlikely too as they have not, y'know, shut down the bank.

So my speculation has led pretty much nowhere. We don't know what happened, so
we cannot take sensible precautions.

If I have to guess, it is not the worst case scenario. That's too horrific and
Tesco has not seemingly rebuilt all its systems from source.

So I guess we plump for credentials exploit and a very fast offshore payment.
It's doable if Tesco's anti-fraud is not at the top of the game (as they are
new, run their own backend and are a grocers not a bank it's quite probable)

Inside job seems unlikely - too many accounts too many things to go wrong.

But I am just guessing now. Too little data as Sherlock said

------
lifeisstillgood
It's surprisingly frustrating not to have details on this - and indeed most
other attacks.

I think we as an industry need full disclosure on all attacks (anonymised to
encourage reporting)

However we as customers need full disclosure on all attacks with attribution
so we can move our accounts to safer banks.

A strange dichotomy

