CyberCrimeSecuritySecurity Management

Tesco Bank Halts Transactions After Online Fraud

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Cash taken from 40,000 bank accounts over the weekend, prompting Tesco to halt online transactions

Tesco Bank has halted online transactions after reports emerged this weekend of fraud on customer accounts. Up to 40,000 personal accounts of Tesco bank holders are said to have been affected.

Tesco Bank is understood to have more than seven million customer accounts and 4,000 staff, and has been challenging traditional High Street banking chains for a number of years now.

Unfortunately for it, customers began complaining this weekend of money missing from their bank accounts, as much as £600.

Criminal Activity

iphone-watch-tescobank-75Benny Higgins, chief executive of the supermarket chain’s banking arm, told The Guardian newspaper that the decision to stop online transactions was an attempt to protect customers. He said 40,000 accounts had been affected, half of which had had money withdrawn in what he described as “online criminal activity”.

TechWeekEurope has not been able to reach Tesco, despite repeated attempts, at the time of writing.

“We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts. That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers,” Higgins was quoted as saying.

“While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.”

“We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication.”

Security Worries

There is no word yet whether the missing money is the result of a compromise of Tesco systems, but it should noted that the supermarket’s systems, albeit not banking, have been compromised before.

In 2013 it called the police after it discovered that ClubCard vouchers had gone missing from customer accounts. Reports at that time indicated vouchers worth hundreds of pounds had been stolen from those shoppers who had stored up their rewards.

In 2012 TechweekEurope revealed that the Tesco website contained an XSS flaw, which could have helped hackers hijack customer accounts by having session cookies sent to attacker-controlled servers.

In 2014 Tesco confirmed that over 2,000 customers had had their usernames and passwords stolen in a security breach. Even worse this account data was posted on popular text-sharing site Pastebin. The supermarket was then forced to deactivate the compromised online accounts.

Expert view

“This significant hack at Tesco Bank follows a recent string of huge cyber-attacks on well-established companies and organisations,” said Andrew Tschonev, technical specialist at Darktrace. “In this latest situation, it is clear that financial information is not being sufficiently protected by the traditional security measures which fail in the face of an ever-evolving threat.

“With attackers targeting everyone and anyone, today’s businesses cannot safely assume that ‘it won’t happen to them’. By developing an ‘immune system’ for their networks, companies can identify suspicious behaviours as they emerge, and respond to them before serious damage is done.

“Tesco Bank has a long road ahead. Establishing exactly what has happened, who has been affected and how they can recover is going to be a complex task. However, the consequent shake-up in their security team should help strengthen their defences for the future. Other businesses will have to echo such reform in their own security practices, if they want to avoid being next.”

Are you a security expert? Try our quiz!