Cloned card cash-out operation touted as possible Tesco Bank breach explanation

Cloned card cash-out operation touted as possible Tesco Bank breach explanation

A mass cash-out operation using cloned cards is the most plausible explanation of the Tesco Bank breach earlier this month which saw crooks steal around £2.5 million from 9000 customer accounts, according to an analysis from Digital Shadows.

Criminals drained the money from current accounts in what Tesco Bank CEO Benny Higgins has called "a systematic, sophisticated attack". Details have yet to be revealed but the National Crime Agency (NCA) is leading an investigation.

Cybersecurity specialist Digital Shadows has applied the techniques of the Analysis of Competing Hypothesis (ACH) to the publically available details, weighing the consistency and inconsistency of all available data points with four possible hypotheses.

Based on its analysis, the company says that two hypotheses, the use of a banking Trojan and cash-out operation using aggregated card information, are less likely. The use of a Trojan seems particularly unlikely, given that the National Cyber Security Centre says that it is “unaware” of any threat to the wider UK banking sector as a result of the Tesco attack.

More likely explanations for the incident are a payment system compromise or a cash-out operations using cloned cards. Digital Shadows says that it cannot determine which is more likely to be the right explanation but that a cash-out scam would likely have been simpler to execute with "fewer moving parts".

"While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario," says the firm, which also warns that crooks are likely to try to sell the account information they have and that customers should be on the lookout for phishing emails.

Comments: (3)

A Finextra member
A Finextra member 17 November, 2016, 10:41Be the first to give this comment the thumbs up 0 likes

No explanation of common denominator for the compromised card accounts such as 1) all of them were used by legitimate cardholders for ATM withdrawals? 2) which ATM machine/s?  3) were the cash out with the cloned cards made in another country/countries? which countries?

My guess is that pin codes and the mag-stripes were harvested by compromising several standalone terminals were the entire card and pin code have had to be entered. Perpetrators then used the clone cards with pin-codes all within a specific time period.


Diarmuid Murphy
Diarmuid Murphy - Bank of Ireland - Dublin 17 November, 2016, 12:102 likes 2 likes

Basic anti-fraud software on the host would have prevented (or at least reduced) this . On the assumption that Tesco are issuing Chip & PIN cards then usage at Mag devices or Fallback at CHip devices should raise alarm bells


Ganesh Vaidyanathan
Ganesh Vaidyanathan - Self employed - Croydon 22 November, 2016, 18:081 like 1 like

One wonders how this could get past the fraud management algorithms on the host - sudden increase in the volume of fallback mag-stripe transactions, unusuallly high velocity of cash withdrawal transactions and potentially the unusual location of these withdrawals should have all sent alarm bells ringing very loudly. May be, with TESCO being a new bank, the limited volume of customer behaviour history data available to these algorithms limited their effectiveness.