Tuesday, December 13, 2016

The Tesco digital bank heist, a new report

The issue is the theft of customer account data, and then of customer funds, from a bank in the UK. Remember, this was a grocery store becoming a bank!
Merkle: To put this news into perspective, the issues described were first discovered in a report published by FT. After Tesco Bank had lost close to £2.5m during a hack attack, it became apparent that the cause had to be identified as soon as possible. With over 9,000 customers affected by this theft, recovering the funds remains the number one priority. In the meantime, the investigation goes on. So far, things are not looking good for Tesco Bank and its management. It turns out that the institution used sequential debit card numbers for their payment cards, which is an absolute no-go in the financial sector. This puts the original explanation of Tesco Bank suffering from a "highly sophisticated attack" into a different spotlight. When a bank uses sequential payment card numbers, they open themselves up to different types of abuse. Just over a week ago, we published an article about a study that explained how it takes six seconds to guess full credit card information. Using sequential card numbers only makes that job easier, which is the last thing any bank wants to deal with.

And the conclusion:

As one would come to expect, Tesco Bank uses Visa debit cards for their clients. Visa is also the only payment network not detecting multiple invalid payment requests on the same card, giving hackers plenty of options to exploit the information. Moreover, they can just go down the list of sequential card numbers to generate the expiry date and CVV code for the card in question. All of this points out that smaller banks have a lot of things to take into consideration. The Financial Conduct Authority has contacted British lenders to see if they are employing a similar tactic, although no results have been made public yet. Traditional finance continues to dig its own grave, and banks are the cause of most of the evil taking place in the sector.

A smart card fixes all this: it will not release any customer data except by permission, and only to another authorized smart card. Hence, if data is hacked, we have mostly one conclusion: a smart card has been counterfeited.

One other note. Most hacks rely on a phish: someone downloads the virus from an e-mail attachment. Never do this, ever.
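The quoted report names two signals an issuer could watch for: multiple invalid payment requests on the same card, and attempts that walk down sequential card numbers. As an added example (not part of the original post or the quoted report), the following Python flags both in an authorization log; the record layout, the thresholds and the `card_id` sequence numbers are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample authorization log: (epoch_seconds, card_id, merchant, approved).
# card_id is a hypothetical issuer-side sequence number, not a real card number.
SAMPLE = [
    (1000, 5001, "shop-a", False), (1002, 5001, "shop-b", False),
    (1004, 5001, "shop-c", False), (1006, 5001, "shop-d", False),
    (1008, 5001, "shop-e", False), (1010, 5001, "shop-f", True),
    (1020, 5002, "shop-a", False), (1022, 5003, "shop-b", False),
    (1024, 5004, "shop-c", False), (1026, 5005, "shop-d", False),
    (1500, 7400, "shop-a", False), (9000, 7400, "shop-a", False),
]

def cards_under_guessing(events, window=600, min_declines=5, min_merchants=3):
    """Cards with many declines spread over several merchants inside one window."""
    recent = defaultdict(deque)   # card_id -> recent (ts, merchant) declines
    flagged = set()
    for ts, card, merchant, approved in sorted(events):
        if approved:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:      # drop declines older than the window
            q.popleft()
        if len(q) >= min_declines and len({m for _, m in q}) >= min_merchants:
            flagged.add(card)
    return flagged

def sequential_sweeps(events, window=600, min_run=4):
    """Card ids that belong to a run of consecutive ids all declined in one window."""
    declines = sorted((ts, card) for ts, card, _, ok in events if not ok)
    swept, q = set(), deque()
    for ts, card in declines:
        q.append((ts, card))
        while ts - q[0][0] > window:
            q.popleft()
        ids = sorted({c for _, c in q})
        start = 0
        for i in range(1, len(ids) + 1):
            # a run ends at the end of the list or at the first gap in the ids
            if i == len(ids) or ids[i] != ids[i - 1] + 1:
                if i - start >= min_run:
                    swept.update(ids[start:i])
                start = i
    return swept

if __name__ == "__main__":
    print("per-card guessing:", sorted(cards_under_guessing(SAMPLE)))
    print("sequential sweep:", sorted(sequential_sweeps(SAMPLE)))
```

The per-card check only works if declines are aggregated across merchants at the issuer or network level, since each individual merchant sees only one or two failures.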
