A former techie at the UK's Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket.
Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank. The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was "unaware" of any threat to the wider UK banking sector.
Tesco Bank's security procedures were solid but the bank was exposed because of Tesco's "not-very-secure-at-all systems" – a weakness hackers might well have exploited, our informed source (who requested anonymity) speculates.
TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff. Security architecture is sound, and vulnerabilities are patched in a timely manner. Fraud monitoring systems are industry standard. A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days.
All staff are vetted as per standard processes – TB is no more vulnerable to an internal breach than anyone else. Again, bigger and better targets are available. TB does have a problem with retaining experienced staff, and hoping that junior staff will step up when they leave, but that's not uncommon.
TB had one breach when they first opened Current Accounts – someone in the card printers got a list of card numbers and sold them. It was caught in time, and cards were destroyed. Presumably security at the printers has been improved, but I'd consider that to be a continuing possible vulnerability.
However, TB's major vulnerability is its ownership by Tesco, and the links between its secure systems and Tesco's not-very-secure-at-all systems. There was no evidence of patching and monitoring occurring in Tesco systems that we linked to at all. I strongly suspect that the Clubcard system has been breached and a list of TB account numbers farmed from there. I also suspect that nothing will be done to trace that possible route – TB has no influence over Tesco at all, due to relative scale, and the apparent bad relations between the chief executives.
In a follow-up email the former Tesco Bank worker, who worked in IT for the bank and at one time on its anti-fraud system, offered more details on security failings at the parent retailer.
I worked on a TB project that had to verify certain customer information on Tesco systems. The Tesco system would fall over on a regular basis, and we would have to tell Tesco it was down – they wouldn't monitor it. It later became clear that it was an app server running on a very outdated piece of middleware, completely unpatched. This was standard for Tesco systems. [The] only exception was the credit card payment system, which was secure because it was regulated. Separately I was aware of an effort to tie some TB systems more closely to Clubcard. However, it had to be abandoned once the architects discovered how insecure Clubcard itself was.
Various theories about what might have caused the breach at Tesco Bank have already been suggested. Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.
Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach.
Security intelligence firm Digital Shadows recently applied the Analysis of Competing Hypotheses (ACH) technique to assess the likelihood of the various competing explanations on offer. It concluded that the two theories best matching the available facts were a payment system compromise and the cash-out of cloned cards. Cash-out of cloned cards would likely have been simpler to execute than a payment system compromise, according to Digital Shadows, prompting the firm to lean towards this theory while not ruling out other possibilities.
El Reg ran the former Tesco Bank techie's insights past Digital Shadows. In response, Digital Shadows said it had so far seen nothing to suggest that security problems at the Tesco supermarket were behind the breach, before conceding that it was still investigating.
Ken Munro, a director at security consultancy Pen Test Partners, described the former Tesco staffer's theory as all too plausible, based on his years of experience in the IT biz rather than any direct knowledge of the supermarket's systems.
"So often it's the incidental systems that cause issues," Munro told El Reg. "One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar. I remember a pen test a few years back of a network that was pretty much bulletproof – up to date, pretty well configured, reasonable passwords etc.
"Then we found an old fax server that was on the same domain. It didn't take long to compromise that flaky fax box and from there the domain controller. All the good work was undone by some failed oversight of one box.
"You're probably only as secure as your least secure system," Munro concluded.
Tesco Bank provided this statement: "On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m.
"We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation.
"We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank." ®