Tesco Bank has revealed that the “unprecedented” attack on its online accounts at the weekend resulted in the loss of £2.5m. The banking arm of the supermarket chain also revised down the number of accounts from which money was removed from 20,000 to 9,000 and announced that banking services had been restored for all its customers.
Tesco bank issued its update hours after Andrew Bailey, the chief executive of the Financial Conduct Authority, told MPs that the incident was unprecedented in the UK and regarded as serious. Bailey told the Treasury select committee that “there are elements of this that look unprecedented and it is serious, clearly”.
Benny Higgins, the chief executive of Tesco Bank, apologized to customers. “Our first priority throughout this incident has been protecting and looking after our customers, and we’d again like to apologize for the worry and inconvenience this issue has caused,” he said.
“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised.”
Tesco Bank said it was continuing to work closely with the authorities and regulators in their criminal investigation.
The National Crime Agency (NCA) is one of a number of organizations scrutinizing what has taken place at the supermarket chain’s banking arm, which has more than 7 million customers.
The National Cyber Security Centre, the new division of the surveillance agency GCHQ created last month, confirmed it was working with the NCA, which has launched a criminal inquiry. The NCSC said it was “providing direct assistance to the company at their request, including on-site assistance”.
“In the case of cyber-related incidents, it can, on certain occasions, take a significant period of time to understand the incident given the technical complexities involved. So the story will emerge over time. During this period it is vital that nothing is said publicly that could interfere with the criminal investigation,” the NCSC said.
“Given the investigation thus far and the evidence at hand, the National Cyber Security Centre is unaware of any wider threat to the UK banking sector connected with this incident.”
Bailey told MPs that the FCA was in close contact with Tesco and the bank had reassured the regulator that the customers whose money had been stolen would be reimbursed by the end of Tuesday. He said it was too early to know the exact cause, but said it appeared to be related to debit cards and that computer hackers were looking for weaknesses and “points of entry” into banks.
“It looks like it’s [in] online banking, clearly appears to be on debit card side of online banking as far as we can tell. But it requires further urgent analysis ,” said Bailey. He said he was confident that Tesco knew which customers were affected by the incident which began to unfold on Saturday night when the bank began texting customers about unusual activity from their accounts.
A number of theories have circulated about the cause of the problem, including that it was caused by an internal security breach. Conservative MP Chris Philp, a member of the Treasury select committee, has raised the idea that it could have been the work of a foreign power. “I think we can’t rule out the possibility, at all, that this is state-sponsored,” he told the BBC earlier this week.
As the crisis was unfolding, Higgins had said the decision to suspend some banking activities was an attempt to protect customers from “online criminal activity”. He described the raid as “a systematic, sophisticated attack”.
The NCSC said its role was to provide support to the investigation, work with the company concerned to manage the incident, investigate the root causes, and use any lessons learned to provide future guidance and policy on cyber security.
The Information Commissioner’s Office is also scrutinizing the situation. It fined telecom company TalkTalk a record £400,000 in October for failing to stop the personal data of 157,000 customers being hacked.
Andrew Tyrie, the Conservative MP who chairs the Treasury select committee, said after the hearing that “the attack on Tesco’s retail accounts is deeply troubling. Banks have a long way to go to improve the resilience and security of their IT systems”. Another member of the committee, Steve Baker, said: “the vulnerability of Tesco Bank highlights the crucial importance of technical security to the financial system.”
Risk to other banks
Security experts have linked the recent attack which cost Tesco Bank £2.5 million to the Retefe trojan and warned that countless other banks are also at risk around the world.The cyber-attack against the British lender affected 9000 customers in the end, with Tesco forced to pay out millions to compensate them this week.
Although the bank temporarily stopped online transactions from debit accounts, other services such as cash withdrawals were allowed to continue, hinting that the problem hasn’t affected the bank’s core IT systems, Eset security evangelist Peter Stancik claimed in a blog post.
“Our active malware monitoring and Eset Threat Intelligence services show that Tesco Bank has recently been on the target list of Retefe trojan horse,” he continued. “Disturbingly, our analysis shows that there is quite a lengthy list of other banks located in many other countries in this malware’s crosshairs. It must also be said that this campaign began at least as far back as February 2016.”
Retefe typically infects users in the form of a malicious email attachment masquerading as an invoice or similar and is equipped with several sophisticated components to guarantee success.
For one, it uses Tor to configure a proxy server designed to mimic the targeted bank’s site, which effectively carries out a man in the middle attack on the traffic flowing from the customer to their online banking account.
To avoid suspicion, it installs a fake root certificate designed to prevent any warning notices that the site they’re interacting with isn’t the bank’s genuine site. There’s even a mobile component designed to help bypass two-factor authentication by intercepting one-time passcodes.
Lieberman Software vice-president of product strategy, Jonathan Sander, explained why Retefe and malware like it are so dangerous.
“If the bad guy owns your machine, you can put all the security you want on the server and it won’t matter. When you have the user change their password, the bad guy sees it. When you switch up the website process, the bad guy sees that too and can emulate it,” he said.
“The only thing that can be truly effective is a very diligent end user who knows what to look for. That means all the banks can do is offer tips on how to spot the fake sites collecting user data that the malware creates and hope the user is diligent enough to learn and watch for signs of the bad guys at work.”
Retefe has been active this year in various countries and was flagged by Palo Alto after striking in Sweden, Switzerland, and Japan.
Other UK banks on the hit list include Halifax, HSBC, Natwest, Barclays and Sainsbury’s Bank, according to Eset. Eset researcher Robert Lipovsky told Infosecurity that monitoring of the banking Trojan botnet configuration files had led his team to deduce the malware is actively targeting users of these banks.
Users suspecting they’ve been infected are advised to monitor their accounts carefully, change log-ins, delete the fake Comodo certificate and use reputable anti-malware on PC and mobile device.