House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

Sledgehead

Tesco Bank Hacked


So 20,000 customers have had actual hard cash removed from their accounts, but the details are non-existent.

Tesco say it has something to do with their debit cards. But cards aren't blocked. Although now some are.

And it happened online ... but not at atms (I think) so online xfers are blocked. But theft was not by transfer, I think, but by debit card.

Confused. And they think that they can hide behind the "it would not be right to disclose info whilst we are investigating." Oh, and don't panic.

I'm not. But I don't have a current acc (the type affected - although they have other online accounts which can presumably make xfers) or a debit card with them.

 

Anyone affected? Anyone have a clue what has actually happened?

I'm reminded of fields of buffalo ruminating on the plains, flinching occasionally as one of their brothers drops with a thud following a distant report ...


I luckily took most of my cash out of there back in the summer. But I have money there still and will look once it is all sorted.

Perhaps one option they are looking at is an inside job? 

 


Odd that this is a debit card fraud that is affecting apparently only Tesco Bank ... contactless skimming in store? That would certainly allow mass collection of card details, but not sufficient (one would have thought) to make withdrawals of size.

... can't even work out whether the transactions appear on the accounts or whether the balance has just changed.

 

They reckon 40000 accs were compromised out of 136000: a huge %.

1 hour ago, Frank Hovis said:

Sounds like Tesco has just lost £10m ...

And somebody else gained it : what a great way to be free of the thought that even £1m in your pension will only buy you £20k in retirement. As retirement planning goes it sure beats a bottle of whiskey and a loaded revolver ... and it's a 'victim-less' crime. You could go so far as to say they all deserve it (that is if you have had your morality twisted by retirement realities and the grand larceny of the BoE).  No-brainer to be perfectly honest ...


Bit more confusion:

Quote

"... we have taken the decision today to temporarily stop online transactions from current accounts"

- Tesco Bank, Benny Higgins

and ....

Quote

Another customer, Inchindown, wrote: "Because of your failure to be open about this, I have moved all of the money in my tesco current account to another bank. "

Presumably Inchindown used a wheel barrow

source : http://news.sky.com/story/tesco-freezes-thousands-of-bank-cards-over-fraud-fears-10647549


Bit more confusion:

Quote

On 6 November, Tesco Bank was forced to block some customers' credit card activity after "suspicious activity"

ibtimes

Girl on tesco security helpline told me the problem was with debit cards.


From the tesco forum:

EmmaW wrote:
 

Quote

 

we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal.

...

[this] refers to online payments to retailers. You should be able to make a Faster Payment as normal from your account by logging into online banking.

 

 

So it looks like a credit card scam. All online transactions other than cc purchases seem to not be blocked (contrary to first part of above).

Card-not-present transactions seem to be the ones they are blocking. 

 

 


Here's a nasty one:

Quote

Re: Message for Current Account customers


8 hours ago

Good morning

Do we need to report missing funds this morning, or can we assume that Tesco Bank will be able to identify all accounts that have been targeted. Our available balance has fallen by several thousand since yesterday.

Thanks

https://yourcommunity.tescobank.com/t5/News/Message-for-Current-Account-customers/td-p/6599

The option to "like" this post seems somewhat inappropriate ...

 


the tesco forum doesn't make good reading for those who champion british banking:

Quote

I received a text last night asking me to check transactions on my account as my account had been targeted but I cannot login this morning to check the account.

When will the account be accessible so that I can check the transactions? - Trickie

Quote

I have also received a text about the fraud issues. I have not had any unusual transactions however I am unable to use my card at an ATM as the text says I should be able to. I couldn't use it last night online and I haven't yet tried to use chip and pin.  - Telc1999

Quote

Yesterday I was told that my Debit Card was cancelled to protect me. Today you are telling me that online transactions are cancelled. Which is it please?  - Leah

- neither? - latest above was credit card!:lol:


This is bad:

Quote

Checked my account I had the maximum balance of £3,000 but available has dropped to £574.53

So I've been done for over £2,400

Didn't get any sleep last night, still extremely upset. My card has NEVER been used at an ATM or at any retailer or online. So it's not a 3rd party retailer.


Could still have been contactlessly skimmed ...

 


Some crumbs from tesco forum operative AdamF

 

Quote

@Preacher You should be able to access your account just now - the only aspects which will not function are online transactions to retailers or contactless payments.

So card-not-present stuff - including contactless. 

 


More stuff basically admitting this is card-centric :

Quote

For those impacted we will re issue you with a card within 7-10 days and until then you can continue to use your existing card for Chip & Pin transactions only. We are sorry for any inconvenience.

Note that contactless is no longer being accepted.

 

 


Another case where the card has never been used:

Quote

I have not used this card in a card machine or used it online - randomcitizen

yeah, but have you had it in your wallet in a public place?


Tesco don't have a monopoly on contactless, why aren't other banks seeing this happening? Also how do you get several hundred to thousands out of someone's account having contactless skimmed? This is going to be an inside job. Overnight batch will have contained something fun that did a transfer on every account number it had been provided with.

I heard that they were moving staff from Edinburgh HQ to Glasgow and Newcastle. These two cities are the regional delivery sites for the UK entire for HP enterprise services (whilst it still exists), so have they outsourced to HPE? So my guess...rogue staff, or bent-from-the-off inbound best-shore chair warmer.

11 minutes ago, DabHand said:

Tesco don't have a monopoly on contactless, why aren't other banks seeing this happening? Also how do you get several hundred to thousands out of someone's account having contactless skimmed? This is going to be an inside job. Overnight batch will have contained something fun that did a transfer on every account number it had been provided with.

I heard that they were moving staff from Edinburgh HQ to Glasgow and Newcastle. These two cities are the regional delivery sites for the UK entire for HP enterprise services (whilst it still exists), so have they outsourced to HPE? So my guess...rogue staff, or bent-from-the-off inbound best-shore chair warmer.

 

I think you're right, and I suspect the government cyber security teams will be working closely with Tesco right now. I don't think we'll know the outcome until after they have caught them.


http://www.bbc.co.uk/news/technology-37896273

It said it spotted "suspicious transactions" on 40,000 accounts over the weekend, with money reportedly taken from about half of them.

---

This seems like a sophisticated attack, well planned, and well organised. And done after pay day - when people get a small Christmas bonus. No stealth job, this was a smash and grab. This isn't some individual or even a group of people trying to guess passwords, - this has to be some program that automatically analysed the accounts and withdrew money very quickly, with the full knowledge that the whole system would be shut down afterwards.

2 hours ago, Sledgehead said:

Another case where the card has never been used:

yeah, but have you had it in your wallet in a public place?

Mine's never left the house. It's in a drawer, still in the envelope it arrived in.


I find this sort of thing disturbing.  I can't open a bank account without myriads of evidence showing who I am -- and, normally, I have to include things like employer's records of salary payments, etc etc.  Yet it seems that it is possible to open bank accounts that receive money scammed in this way and for the money just to disappear.  Amazingly, there is never any questioning from journos, etc, about this when this sort of scam happens, as if the KYC regs don't seem to apply when people have been scammed, which, ironically, is exactly the sort of situation you'd expect it to be most suited to.

What I'd like is a special setting on my bank account that says something like 'I don't want to transfer money / buy things from enterprises that haven't got a decent 'know your customer' score.  I'd also like to only ever make payments overseas when I've cleared the payment beforehand'.  But, no.  The banks say that despite their massive intrusion into my privacy when I need to open a bank account, they're happy for the money I entrust with them to go off to shady places and just disappear on a whim.  

1 hour ago, DabHand said:

Tesco don't have a monopoly on contactless, why aren't other banks seeing this happening? Also how do you get several hundred to thousands out of someone's account having contactless skimmed? This is going to be an inside job. Overnight batch will have contained something fun that did a transfer on every account number it had been provided with.

I merely point out that it is cards that are being revoked, not transactions. Clearly the card is the vector for the exploit. That is how the victims appear to have been targeted. How they got around the security is for later.

Yes, the card details (the targeting info) could have been accessed from inside, but there is no need. That same targeting info could have been collected over the course of a weekend by contactless skimming in-store. 40,000 records is not a lot. >80,000 attended a footie match at the weekend. The diff is that would have been across a whole bunch of cards. Presumably it had to be Tesco's cards because of some inside info, and yes, maybe that same insider could have provided the card details. But system weaknesses and customer details aren't the same thing, so maybe they didn't have knowledge of both.

For instance, what if they had discovered a way to change / by-pass the contactless limit?

Obviously I take your point, and agree in most respects. It just seems to me that contactless could have enabled this in some way. I'd be interested to know what proportion of tesco bank customers have contactless. As I understand it they were gagging for it back in Aug. The roll-out started soon afterwards.

1 hour ago, 200p said:

http://www.bbc.co.uk/news/technology-37896273

It said it spotted "suspicious transactions" on 40,000 accounts over the weekend, with money reportedly taken from about half of them.

---

This seems like a sophisticated attack, well planned, and well organised. And done after pay day - when people get a small Christmas bonus. No stealth job, this was a smash and grab. This isn't some individual or even a group of people trying to guess passwords, - this has to be some program that automatically analysed the accounts and withdrew money very quickly, with the full knowledge that the whole system would be shut down afterwards.

I see what you are saying. Not that familiar with payment systems. Is there a good reason for them to use card payments rather than direct bank transfers using faster payments etc?

 


Another thought: instant access savings accounts are not (afaik) being targeted.

So that suggests they simply couldn't make faster payment transfers (savings account balances should have been larger than current acc balances one would suspect, so should have featured in the attack).

They basically had to use card payments (I'm guessing), presumably because that is what they really had knowledge of.

37 minutes ago, Sledgehead said:

I see what you are saying. Not that familiar with payment systems. Is there a good reason for them to use card payments rather than direct bank transfers using faster payments etc?

 

I don't work in banking, and I haven't read too much into it, but if you are saying it was stolen via card payments this might be why, looking at how money is moved from my accounts:

If I do a "bank transfer" - I have to set up the receiver, and this requires a password to set up.

"Faster payments" - I think this might work with authorised trusted counter parties. E.g. other banks or utility companies.

https://en.wikipedia.org/wiki/Faster_Payments_Service

"Card payment" - usually this requires you to enter the security code on the back of the card, but somehow this was by-passed?


It has just revealed the fundamental flaw of the debit card system. The whole idea of a card hard wired direct into an individual's primary bank account is flawed. Doubly so now that contactless cards remove even the basic PIN protection layer. This was a crime waiting to happen.


I think someone has either got hold of the algorithm that generates card numbers, expiry dates and the 3 digit signature codes or someone has stolen those details from Tesco.

Either way very embarrassing and it's starting to look like keeping payments separate from your current account would be a very sensible approach.
