Friday, 11 November 2016

What went wrong at Tesco Bank?


Tesco Bank has enlisted the help of the National Cyber Security Centre (NCSC) following the most serious cyber-attack launched against a UK bank.

The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.

Ian Mann, chief executive of cyber-security service ECSC, said the size of the breach indicates it is likely that either Tesco's internal systems or its mobile application have been hacked.

Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN. By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker."
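To illustrate the design problem Mann describes, here is an added example (not code from the article, from ECSC or from Tesco Bank; the six-digit PIN, the three digits requested at login and the hashing scheme are all assumptions). It shows that a bank can in fact avoid storing the PIN in clear by keeping one salted hash per possible subset of positions, but that this buys almost nothing: each stored hash covers only 1,000 candidate values, so anyone holding the customer database recovers every PIN in a fraction of a second, which is the practical sense in which partial-digit login makes the PINs impossible to protect by hashing.

```python
"""Why partial-PIN login leaves stored PINs effectively unprotected.

Added example; not code from the article or from any bank. PIN length,
number of digits requested and the hashing scheme are assumptions.
"""
import hashlib
import itertools
import os
import secrets

PIN_LENGTH = 6        # assumption: customers have a 6-digit PIN
DIGITS_ASKED = 3      # assumption: login asks for 3 of the 6 digits


def all_challenges(pin_length=PIN_LENGTH, k=DIGITS_ASKED):
    """Every subset of k positions the login page could ask for (C(6,3) = 20)."""
    return list(itertools.combinations(range(pin_length), k))


def subset_hash(positions, digits, salt):
    """Salted hash of the digits at the given positions. The positions are
    bound into the message so '425' at (0,2,5) and '425' at (1,3,4) differ."""
    msg = ",".join(map(str, positions)).encode() + b"|" + digits.encode()
    return hashlib.sha256(salt + msg).digest()


def enrol(pin):
    """Store one salted hash per possible position subset, so the server can
    answer any partial challenge without keeping the PIN itself."""
    assert len(pin) == PIN_LENGTH and pin.isdigit()
    salt = os.urandom(16)
    table = {
        positions: subset_hash(positions, "".join(pin[p] for p in positions), salt)
        for positions in all_challenges()
    }
    return {"salt": salt, "hashes": table}


def verify(record, positions, supplied):
    """Server-side check of a partial-PIN login attempt (constant-time compare)."""
    expected = record["hashes"][positions]
    return secrets.compare_digest(expected, subset_hash(positions, supplied, record["salt"]))


def crack_subset(record, positions):
    """What an attacker holding the database does: each stored hash covers
    only 10**DIGITS_ASKED candidates, so it falls to brute force instantly."""
    for guess in itertools.product("0123456789", repeat=len(positions)):
        digits = "".join(guess)
        if subset_hash(positions, digits, record["salt"]) == record["hashes"][positions]:
            return digits
    return None


def crack_full_pin(record):
    """Recover the whole PIN by cracking subsets until every position is known."""
    known = {}
    for positions in all_challenges():
        if all(p in known for p in positions):
            continue
        digits = crack_subset(record, positions)
        for p, d in zip(positions, digits):
            known[p] = d
        if len(known) == PIN_LENGTH:
            break
    return "".join(known[p] for p in range(PIN_LENGTH))


if __name__ == "__main__":
    rec = enrol("492715")                      # constructed sample PIN
    print(len(rec["hashes"]), "hashes stored per customer")
    print("login ok:", verify(rec, (0, 2, 5), "425"))
    print("recovered from leaked record:", crack_full_pin(rec))
```

Swapping the plain SHA-256 for a slow KDF does not change the picture: the attacker still needs at most 1,000 guesses per stored hash, and whatever cost is added to each guess is also paid by the bank on every legitimate login. A full-PIN hash would have 10^6 candidates, but then the server could not check three digits without brute-forcing the other three itself. The only real fix is to stop asking for a subset of the secret, or to move the PIN check into hardware that never exposes the stored value.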