
Tesco Bank halts online payments after money was taken from 20K accounts - luxpir
http://www.bbc.co.uk/news/business-37891742
======
elcct
> Tesco Bank is stressing that relatively small amounts were taken from 20,000
> accounts

If someone is living month to month, said £500 missing could be a very serious
complication of life, and a £25 "emergency fund" is a joke. I personally doubt a
wealthy person would use that bank and yet they seem to think their customers
are pissing gold.

~~~
laumars
In many instances the amount taken is significantly more than £500 too. One
colleague has had £800 taken. He's quite stressed right now.

~~~
alex_anglin
Wouldn't that be covered under deposit insurance?

~~~
smcl
Right, but until that insurance pays out you're maybe faced with a bill you
cannot pay in the meantime.

~~~
Cthulhu_
I'm sure the creditors would be lenient if you can prove this incident
complicated things for you.

~~~
DavidHm
Can't tell if this is sarcasm.

Then again, maybe I am overly cynical. UK utilities at least do seem to have a
more positive approach towards people struggling to pay than other countries.

~~~
noir_lord
Aye, it's one of the (very) few good things you can say about them
(generally).

------
joosters
I wonder what the security flaw was? It is interesting that all the customers
are still allowed to use their cards for cash withdrawals and payments, and
they can all still log in to their online accounts. There doesn't seem to be
any mention of a system-wide password reset.

So... it sounds like there wasn't a widespread theft of account credentials,
and that the attack was some kind of weakness in the bank's online systems.
Perhaps the attackers found a way to log in to accounts bypassing the usual
security checks? But that still doesn't explain it all.

All my online accounts have extra security when I create a payment to a new
individual. Some have an extra password check, some have SMS validation, and
so on. All of them send me a notification of a new payment being added. And
yet there don't seem to be reports of Tesco customers getting any of these
kinds of messages. People only found out about the losses when they logged into
their accounts, or when Tesco broadcast a "we've been hacked" message to
everyone.

Does anyone know what could have happened here?

~~~
devnull791101
I believe Tesco is a customer services front end to HSBC, so I doubt that it's
a back end / accounting problem. Since it's only online payments that have been
stopped, it suggests a card details leak, including the security code. I
imagine this would only affect cards that don't have the 2 factor
(Mastercard/Visa) step set up. Perhaps a successful phishing or malware attack
which has targeted Tesco users.

~~~
oarsinsync
I interpreted "online payments" to mean payments to accounts via online
banking, rather than credit/debit card payments online.

If it was a card details leak, I'd have expected cards to be cancelled, rather
than allowing them to continue to be used.

~~~
zigzigzag
There are stories of people losing 2000 pounds leaving them with only 20
pounds left in the account. Hard to believe such people could get credit cards
with a 2k limit. Also if the fraudulent payments were card payments why not
just reverse them in the normal way. It sounds more like bank wires.

~~~
oarsinsync
> Hard to believe such people could get credit cards with a 2k limit

Unfortunately that's totally plausible, and in fact, they are the profitable
customers for credit card companies. Why give a credit card to someone who can
pay off their bills in full every month, when you can give someone more credit
than they earn, let them spend it all, and then pay you monthly with interest?

As a point of reference, my Amex limit is 5x my monthly post-tax earnings.
Back when I was only eligible for entry cards, a £250 limit increased to >£5k
within a year.

------
mstade
And this right here is why you should have accounts with at least three
separate banks, ideally in at least two different countries, and emergency
funds in all of them. Also – get a couple of credit cards! Even if you never
use the credit beyond what's necessary to keep it, it's good to have for when
the proverbial shit hits the fan. Cash is also useful for solving the basic
needs like getting food, but for paying bills it tends to be less so, since
it's increasingly a pain to pay bills by cash these days. The move to cashless
is unfortunately going faster than a feature-parity alternative is being
developed and, crucially, _adopted_.

As with almost anything financial, the key to lower risk is not putting all
the eggs in a single basket.

~~~
tome
> ideally in at least two different countries

Is it generally easy to open accounts in countries you are not resident in?

~~~
irq11
It depends on your country, and the country you're looking at.

If you are an American, be aware that merely having a bank account in a
foreign country will make your life a lot more complicated at tax time. It's
probably not worth the pain, unless you have a specific need.

~~~
genericpseudo
It's not so bad, actually; you have to file FBAR, which will take you a couple
of hours, but that's about it.

~~~
0xffff2
It only takes me a couple hours to do my taxes in the first place.

------
lifeisstillgood
It seems to be money transferred from accounts (£600 mentioned as an amount).
But to set up 20,000 new transfers, and extract money from them, without 2FA,
and without tripping any number of alarms is a terrible failure in security.

This will massively affect their provider Fiserv; their internal team will
almost certainly have to be replaced and I would be surprised if they don't
throw their hands up and go back to being grocers. Retail banking is wafer
thin margins.

Edit: I cannot think of / find a similar case - this is amongst the first if
not the first mass account attack I know of.

To do this there is a trace. Potentially an insider at Tesco to turn off the
2FA etc, or possibly they have penetrated the systems totally. Not sure which
is worse.

Also there must be some mule accounts - right now all the "Big Four" are
scouring their customers' accounts for unusual deposits. We will hopefully see
where it went soon - presumably to several people who believed a Nigerian
Prince was sending them cash, and then sent it into a wash of Russian
accounts.

But I would be amazed if it all gets out the country. It would trip so many
alarms. Of course if it did not trip alarms

Some predictions - Gov will enforce GPG level encryption for every bank
interaction - 2FA with Time based OTP for example. This will force a huge
upgrade in retail banking - and will be good for the economy.

And the Apple iPhone is the perfect host for making time based two factor auth
that smooth. Good for Apple. Android might just see the whole UK market as
large enough to get its act together.

~~~
pjc50
> Gov will enforce GPG level encryption for every bank interaction - 2FA with
> Time based OTP for example

I don't think that's going to happen just yet. UK bank regulation is famously
light touch and the government is extremely preoccupied at the moment.

(The loss applies to the bank, not the customers, so they've got plenty of
incentive to fix this. And it's quite possible it's a backend hack from the
sound of some of the other comments on this thread, for which 2FA is no use)

~~~
jackweirdy
What's surprised me in moving to the US from the UK is just how effective the
light touch approach has been for the UK from a consumer perspective. In
effect, banks are told to get in a room and ensure they're not worlds apart
technically. The outcome of that has been Faster Payments and the SMS
transfers that followed it, and soon a read and write open banking API.

In the US I still get charged for withdrawing from my Wells account at a Chase
ATM.

~~~
guitarbill
If memory serves, the fees UK banks were charging were outrageous compared to
other EU countries. Only recently via government pressure have fees got more
reasonable. Make no mistake, UK banks are also scum.

The only time it works without regulation is when banks' interests align with
customers', e.g. contactless payment. For the bank, less PIN exposure so less
chance of compromise and liability. For customers, quick tap-to-pay. Win-win
for once.

~~~
jackweirdy
Fees for what? The only bank fee I've ever paid is a £1 fee for paying by card
in a non-GBP currency.

------
martinald
It looks like faster payments are still allowed, as are in person chip and PIN
and cash withdrawals.

My guess is someone (either insider or via technical means) has got a list of
all the debit card numbers, CVV and account details - maybe even 3DSecure/VbV
details?

People are then doing loads of payments via online cardholder not present.

Going to be a pain to figure out what is what on this.

"Ref: Customers will still be able to use their cards for cash withdrawals,
chip and pin payments, and bill payments. The bank is blocking customers from
making online payments using their debit card, although transfers between
accounts and to other people are still allowed, a spokesperson said."

------
coldcode
The worst thing that can happen for any bank is to have its customers' money
taken away. No one will ever do business with that bank again. You can screw
up everything else, but losing people's money is unforgivable.

~~~
joosters
I don't think this is at all true. Customers at just about every bank are hit
by fraud, a lot of it through no fault of the customer, and yet banks don't
seem to spend much time tracking down the criminals.

It must be far cheaper for the banks to reimburse customers rather than to
patch all the security weaknesses of their financial systems. This strongly
suggests that the reputational cost of hacking and fraud just isn't that big.

~~~
mcherm
> banks don't seem to spend much time tracking down the criminals

I am curious how you come to this conclusion, given that banks are extremely
reticent to discuss what security measures they take and keen to avoid any
publicity about security breaches (even publicity about how they caught someone
brings the problem back to the public's mind). So if they WERE being effective
in tracking down the criminals, how would you know?

~~~
joosters
There are plenty of reports of people who, after getting refunded for a
fraudulent transaction, get told that the bank won't investigate it, and that
they should report it to the police themselves if they want to get someone to
investigate. That doesn't strike me as banks caring too much.

I'm not saying the banks care nothing for security, and I am sure that they
don't want to lose money if they had a choice, but their actions often give an
outward impression of not being too bothered about individual losses.

------
diegoprzl
I'm only surprised at this not happening every week. I suppose that completely
hacking a bank is not easy to monetize, even if breaking its security is.

------
283894
I just signed up for 2 Tesco accounts the other day to dump 3k in each for the
3% interest.

I'm certainly not going to be doing anything with the accounts until Tesco
give some more clarification on what actually happened (although the way these
things work, I doubt there will ever be a full technical response.)

Also if it is some sort of internal breach, would any other data have been
taken?

Back in 2012, Tesco were storing passwords in plain text.

[http://www.bbc.co.uk/news/technology-19316825](http://www.bbc.co.uk/news/technology-19316825)

~~~
simonvc
Tesco ask you to log on with "character 2 and 4 from your password", which sort
of implies they must store the password in clear text (unless some kind of
zero-knowledge/homomorphic encryption magic I've not heard of.)

~~~
joncrocks
Depending on the length of the password, it's possible to encode/hash (+salt)
all possible outputs of challenge combinations at the point of storing your
password.

It's a bit like having a number of related passwords, any of which the bank can
ask you for and then verify is correct.
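
One way to implement the scheme described in this thread (per-challenge salted hashes instead of a stored cleartext password), as an added example that is not code from the post or from Tesco. It assumes PBKDF2-SHA256 as the slow hash, 1-based character positions as in the "character 2 and 4" prompt, and an iteration count chosen for illustration:

```python
import hashlib
import hmac
import itertools
import secrets

# Hypothetical enrolment for a partial-password challenge such as "give characters
# 2 and 4 of your password". For every pair of positions the bank could ask for,
# only a salted, slow hash of those characters is kept; the full password is never stored.
ITERATIONS = 100_000  # assumption: tune to the server's latency budget


def enroll(password: str, k: int = 2) -> dict:
    salt = secrets.token_bytes(16)
    table = {}
    # combinations() yields ascending 1-based position tuples, e.g. (2, 4)
    for combo in itertools.combinations(range(1, len(password) + 1), k):
        chars = "".join(password[i - 1] for i in combo).encode()
        # Mix the positions into the hashed message so an entry is bound to its pair
        msg = bytes(combo) + b"|" + chars
        table[combo] = hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)
    return {"length": len(password), "k": k, "salt": salt, "table": table}


def verify(record: dict, positions: tuple, answer: str) -> bool:
    """positions: ascending 1-based positions; answer: the characters at those
    positions, in the same order. Unknown position pairs simply fail."""
    combo = tuple(positions)
    stored = record["table"].get(combo)
    if stored is None or len(answer) != len(combo):
        return False
    msg = bytes(combo) + b"|" + answer.encode()
    candidate = hashlib.pbkdf2_hmac("sha256", msg, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def challenge_guess_space(alphabet_size: int, k: int) -> int:
    """Each stored entry covers only k characters, so anyone holding the table
    has at most alphabet_size**k guesses per entry. The scheme therefore leans on
    the slow hash and on server-side lockout, not on the full password's length."""
    return alphabet_size ** k


if __name__ == "__main__":
    rec = enroll("tr0ub4dor")            # constructed sample password
    print(len(rec["table"]))             # 36 position pairs for 9 characters
    print(verify(rec, (2, 4), "ru"))     # True
    print(verify(rec, (2, 4), "rx"))     # False
    print(challenge_guess_space(26, 2))  # 676
```

The table grows as C(length, k) entries, which is why banks cap the password length for this login style; each entry also leaks far less than a full-password hash would if the table were stolen, but each is much cheaper to guess.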

------
andybak
I know banking and retail are separate but as an organisation Tesco hasn't got
a good history for security:

[https://www.troyhunt.com/the-tesco-hack-heres-how-it-probably/](https://www.troyhunt.com/the-tesco-hack-heres-how-it-probably/)

[https://www.troyhunt.com/lessons-in-website-security-anti/](https://www.troyhunt.com/lessons-in-website-security-anti/)

~~~
nthcolumn
I sent them multiple vulns for free for both their online shopping site and an
online (yes, on the internet) payroll system:
[https://payslipview.com/Login.aspx?ReturnUrl=%2fdefault.aspx](https://payslipview.com/Login.aspx?ReturnUrl=%2fdefault.aspx)

I had a smug thank you response.

------
DrNuke
Most times the snake is inside in the form of disparaged employees or corrupt
managers: how are Tesco bank personnel recruited and treated, compared with
their peers at more established banks?

