23 July 2017
download the report now

Cloned card cash-out operation touted as possible Tesco Bank breach explanation

17 November 2016  |  8282 views  |  3 credit card

A mass cash-out operation using cloned cards is the most plausible explanation of the Tesco Bank breach earlier this month which saw crooks steal around £2.5 million from 9000 customer accounts, according to an analysis from Digital Shadows.

Criminals drained the money from current accounts in what Tesco Bank CEO Benny Higgins has called "a systematic, sophisticated attack". Details have yet to be revealed but the National Crime Agency (NCA) is leading an investigation.

Cybersecurity specialist Digital Shadows has applied the techniques of the Analysis of Competing Hypothesis (ACH) to the publically available details, weighing the consistency and inconsistency of all available data points with four possible hypotheses.

Based on its analysis, the company says that two hypotheses, the use of a banking Trojan and cash-out operation using aggregated card information, are less likely. The use of a Trojan seems particularly unlikely, given that the National Cyber Security Centre says that it is “unaware” of any threat to the wider UK banking sector as a result of the Tesco attack.

More likely explanations for the incident are a payment system compromise or a cash-out operations using cloned cards. Digital Shadows says that it cannot determine which is more likely to be the right explanation but that a cash-out scam would likely have been simpler to execute with "fewer moving parts".

"While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario," says the firm, which also warns that crooks are likely to try to sell the account information they have and that customers should be on the lookout for phishing emails.

Comments: (3)

A Finextra member
A Finextra member | 17 November, 2016, 10:41

No explanation of common denominator for the compromised card accounts such as 1) all of them were used by legitimate cardholders for ATM withdrawals? 2) which ATM machine/s?  3) were the cash out with the cloned cards made in another country/countries? which countries?

My guess is that pin codes and the mag-stripes were harvested by compromising several standalone terminals were the entire card and pin code have had to be entered. Perpetrators then used the clone cards with pin-codes all within a specific time period.


1 thumb up! 1 thumb up! (Log in to thumb up)
Diarmuid Murphy
Diarmuid Murphy - SOmewhere - Somewhere | 17 November, 2016, 12:10

Basic anti-fraud software on the host would have prevented (or at least reduced) this . On the assumption that Tesco are issuing Chip & PIN cards then usage at Mag devices or Fallback at CHip devices should raise alarm bells


2 thumb ups! 2 thumb ups! (Log in to thumb up)
Ganesh Vaidyanathan
Ganesh Vaidyanathan - Self employed - Croydon | 22 November, 2016, 18:08

One wonders how this could get past the fraud management algorithms on the host - sudden increase in the volume of fallback mag-stripe transactions, unusuallly high velocity of cash withdrawal transactions and potentially the unusual location of these withdrawals should have all sent alarm bells ringing very loudly. May be, with TESCO being a new bank, the limited volume of customer behaviour history data available to these algorithms limited their effectiveness.

1 thumb up! 1 thumb up! (Log in to thumb up)
Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

Tesco Bank fraudsters drained £2.5 million from customer accounts

Tesco Bank fraudsters drained £2.5 million from customer accounts

09 November 2016  |  7352 views  |  0 comments | 9 tweets | 17 linkedin
Tesco Bank halts transactions after money disappears from customer accounts

Tesco Bank halts transactions after money disappears from customer accounts

07 November 2016  |  13875 views  |  7 comments | 25 tweets | 43 linkedin

Related company news


Related blogs

Create a blog about this story (membership required)
visit www.finastra.comvisit www.worldpaymentsreport.comvisit www.niceactimize.com

Top topics

Most viewed Most shared
German fintech factory FinLeap raises EUR39 millionGerman fintech factory FinLeap raises EUR3...
13690 views comments | 19 tweets | 15 linkedin
Mastercard to buy AI outfit BrighterionMastercard to buy AI outfit Brighterion
9912 views comments | 14 tweets | 20 linkedin
Barclays rides payments-as-a-service wave with investment in Form3Barclays rides payments-as-a-service wave...
8870 views comments | 16 tweets | 12 linkedin
hands typing furiouslyThe Digital Trade Chain: the blockchain tr...
8388 views 0 | 8 tweets | 16 linkedin
Mastercard and Scotiabank join Enterprise Ethereum AllianceMastercard and Scotiabank join Enterprise...
7423 views comments | 25 tweets | 16 linkedin

Featured job

London, UK (or flexible)

Find your next job