Oversight
By Charles Parker, II; Information Security Architect
And the hits keep coming. The SWIFT issue involving over $100M in thefts has recently faded from the news. The SWIFT system is currently being updated and upgraded so that this does not occur again.
Just as the banking industry begins to move back into its normal, conservative stance, another incident in the industry occurs and is prominently placed in the news.
This recent issue occurred at Tesco Bank, located in the UK. Tesco Bank noted suspicious activity and transactions in 40K of its 136K total accounts. These transactions occurred over a weekend. In approximately half of these accounts, money was missing. What triggered the suspicious-activity flag was the bank's fraud algorithm.
The bank is presently working with the National Crime Agency to investigate this. It has been reported as one of the larger breaches in recent history.
Method
As with most attacks, this one has been labeled "sophisticated". The attack and thefts occurred over a 24-hour period, in varying amounts. This was probably meant to gather/steal as much as possible prior to being caught, much like structuring transactions to avoid detection.
The bank's actions indicate the attack did not involve the bank's core computer system. Had more of the client-facing functions been locked down, it would have been more likely that the enterprise itself would have been compromised.
Given the timing, it also appears the attack was automated. With this number of accounts losing money within a 24-hour period, an automated attack is probable. The attack also appears to be website-oriented. With any maintenance or update, there can be new errors or bugs that were not present previously.
Even with the best, most detailed planning, and even if a DFMEA process were utilized, there may be issues. These issues provide an attack point. Attackers consistently scan the websites on their radar for changes and new vulnerabilities. The entry point could also have been a third party with access to the bank's system being compromised. This may have allowed the third party's infected system to infect Tesco Bank's system, much like person A, who has the flu, shaking hands with person B and passing on the virus.
There had been issues in the past with the bank's web-based systems. In 2014, thousands of Tesco Bank accounts were deactivated after clients' login IDs and passwords were shared online.
Reaction
Outwardly, the bank's reaction to this was limited. The bank did not restrict withdrawals from ATMs, the use of most debit or credit cards, or bill payments. Relatively few of the clients' cards were shut down. The bank did, however, suspend its online transactions.
Guidance for Customers
If your bank is the victim of such an attack, there are many steps available to protect yourself, your money, and your personal, confidential information. Passwords should be challenging: 12345678 or 23456789 would not be recommended. A password should contain upper- and lower-case letters, numbers, and special characters.
Personal information, such as the street you grew up on or your first pet's name, should not be included in the password. This information could be obtained from other online resources.
The same password should not be used for various websites. This may be tempting, but the attackers know it is tempting too. A client would not want to grant access to all of their websites by using one password for them all.
When offered, two-factor authentication should be used. Granted, this is one more step, but it adds a new level of security and complexity that attackers may not want to deal with.
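The password guidance above, turned into a checker that a bank's sign-up or password-change form could run on the server side. This is an added example, not code from the article or from Tesco Bank; the minimum length and run length are assumed thresholds, and the personal-info tokens and previously used password digests are constructed inputs.

```python
import hashlib
import string

# Assumed thresholds: the article gives no numbers, only the kinds of weakness to reject.
MIN_LENGTH = 12
MAX_SEQUENTIAL_RUN = 4  # "1234" or "abcd" anywhere in the password is rejected


def fingerprint(pw: str) -> str:
    """SHA-256 hex digest used to compare against passwords already used elsewhere."""
    return hashlib.sha256(pw.encode()).hexdigest()


def has_sequential_run(pw: str, run: int = MAX_SEQUENTIAL_RUN) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point,
    which catches 12345678 and 23456789 as well as abcd or dcba."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, personal_info=(), used_before=()) -> list:
    """Return the list of reasons the password fails; an empty list means it passes.
    personal_info: strings such as a street or pet name that must not appear.
    used_before: fingerprint() digests of passwords the client already uses elsewhere."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    low = pw.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information: {item!r}")
    if fingerprint(pw) in set(used_before):
        problems.append("already used on another site")
    return problems
```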
About The Author
Charles Parker, II can be reached online at [email protected] and InfoSecPirate (Twitter).