
Cloned card cash-out operation touted as possible Tesco Bank breach explanation

17 November 2016  |  7816 views  |  3 comments

A mass cash-out operation using cloned cards is the most plausible explanation of the Tesco Bank breach earlier this month which saw crooks steal around £2.5 million from 9000 customer accounts, according to an analysis from Digital Shadows.

Criminals drained the money from current accounts in what Tesco Bank CEO Benny Higgins has called "a systematic, sophisticated attack". Details have yet to be revealed but the National Crime Agency (NCA) is leading an investigation.

Cybersecurity specialist Digital Shadows has applied the Analysis of Competing Hypotheses (ACH) technique to the publicly available details, weighing how consistent or inconsistent each available data point is with four possible hypotheses.

Based on its analysis, the company says that two of the hypotheses, the use of a banking Trojan and a cash-out operation using aggregated card information, are less likely. The use of a Trojan seems particularly unlikely, given that the National Cyber Security Centre says it is "unaware" of any threat to the wider UK banking sector as a result of the Tesco attack.

The more likely explanations for the incident are a payment system compromise or a cash-out operation using cloned cards. Digital Shadows says it cannot determine which of the two is the right explanation, but that a cash-out scam would likely have been simpler to execute, with "fewer moving parts".

"While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario," says the firm, which also warns that crooks are likely to try to sell the account information they have and that customers should be on the lookout for phishing emails.

Comments: (3)

A Finextra member | 17 November, 2016, 10:41

No explanation of a common denominator for the compromised card accounts, such as: 1) were all of them used by legitimate cardholders for ATM withdrawals? 2) at which ATM machine/s? 3) were the cash-outs with the cloned cards made in another country/countries? Which countries?

My guess is that the PIN codes and the mag-stripes were harvested by compromising several standalone terminals where the entire card and PIN code had to be entered. The perpetrators then used the cloned cards with the PIN codes, all within a specific time period.


Diarmuid Murphy - Somewhere - Somewhere | 17 November, 2016, 12:10

Basic anti-fraud software on the host would have prevented (or at least reduced) this. On the assumption that Tesco are issuing Chip & PIN cards, then usage at mag-stripe devices or fallback at chip devices should raise alarm bells.


Ganesh Vaidyanathan - Self employed - Croydon | 22 November, 2016, 18:08

One wonders how this could get past the fraud management algorithms on the host: a sudden increase in the volume of fallback mag-stripe transactions, an unusually high velocity of cash withdrawal transactions and potentially the unusual location of these withdrawals should all have sent alarm bells ringing very loudly. Maybe, with Tesco being a new bank, the limited volume of customer behaviour history data available to these algorithms limited their effectiveness.

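The host-side fraud screen that the two comments above describe, as an added example that is not code from the article, Digital Shadows or the commenters: it applies the three signals they name (mag-stripe fallback on a chip card, withdrawal velocity, unusual country) to a constructed batch of ATM authorisation records. The record layout, thresholds and sample values are assumptions made for the illustration.

```python
# Added illustration: minimal host-side screening of ATM withdrawals.
# Record layout, thresholds and sample rows are assumptions, not Tesco's data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisations: (account, ISO timestamp, amount, entry mode, country)
EVENTS = [
    ("ACC-1", "2016-11-05T02:01:00", 250, "MAGSTRIPE_FALLBACK", "BR"),
    ("ACC-1", "2016-11-05T02:04:00", 250, "MAGSTRIPE_FALLBACK", "BR"),
    ("ACC-1", "2016-11-05T02:07:00", 250, "MAGSTRIPE_FALLBACK", "BR"),
    ("ACC-2", "2016-11-05T09:30:00", 40, "CHIP", "GB"),
    ("ACC-3", "2016-11-05T02:02:00", 300, "MAGSTRIPE_FALLBACK", "BR"),
]

ISSUER_ONLY_ISSUES_CHIP = True          # assumption: every card is Chip & PIN
HOME_COUNTRY = "GB"                     # assumption: cardholders are UK based
VELOCITY_WINDOW = timedelta(minutes=10) # assumed look-back for the velocity rule
VELOCITY_LIMIT = 2                      # more withdrawals than this in the window -> alert


def screen_account(events):
    """Return the set of alert names raised by one account's withdrawals."""
    alerts = set()
    recent = []  # timestamps inside the sliding velocity window
    for _, ts, _, mode, country in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        # Any non-chip read on a chip-only portfolio is a fallback or mag-stripe use.
        if ISSUER_ONLY_ISSUES_CHIP and mode != "CHIP":
            alerts.add("chip_fallback")
        if country != HOME_COUNTRY:
            alerts.add("unusual_location")
        recent = [x for x in recent if t - x <= VELOCITY_WINDOW] + [t]
        if len(recent) > VELOCITY_LIMIT:
            alerts.add("high_velocity")
    return alerts


def screen_batch(events):
    """Screen every account in a batch; returns {account: set_of_alerts}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e[0]].append(e)
    return {acct: screen_account(evs) for acct, evs in by_account.items()}


def portfolio_fallback_rate(events):
    """Share of the batch using fallback; a sudden jump is the portfolio-level signal."""
    fallback = sum(1 for e in events if e[3] == "MAGSTRIPE_FALLBACK")
    return fallback / len(events) if events else 0.0
```

Per-account alerts catch a single cloned card being run repeatedly; the batch-level fallback rate is what would have surfaced a mass cash-out across many accounts at once.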