23 September 2017
visit www.avoka.com

Cloned card cash-out operation touted as possible Tesco Bank breach explanation

17 November 2016  |  8599 views  |  3 credit card

A mass cash-out operation using cloned cards is the most plausible explanation of the Tesco Bank breach earlier this month which saw crooks steal around £2.5 million from 9000 customer accounts, according to an analysis from Digital Shadows.

Criminals drained the money from current accounts in what Tesco Bank CEO Benny Higgins has called "a systematic, sophisticated attack". Details have yet to be revealed but the National Crime Agency (NCA) is leading an investigation.

Cybersecurity specialist Digital Shadows has applied the techniques of the Analysis of Competing Hypothesis (ACH) to the publically available details, weighing the consistency and inconsistency of all available data points with four possible hypotheses.

Based on its analysis, the company says that two hypotheses, the use of a banking Trojan and cash-out operation using aggregated card information, are less likely. The use of a Trojan seems particularly unlikely, given that the National Cyber Security Centre says that it is “unaware” of any threat to the wider UK banking sector as a result of the Tesco attack.

More likely explanations for the incident are a payment system compromise or a cash-out operations using cloned cards. Digital Shadows says that it cannot determine which is more likely to be the right explanation but that a cash-out scam would likely have been simpler to execute with "fewer moving parts".

"While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario," says the firm, which also warns that crooks are likely to try to sell the account information they have and that customers should be on the lookout for phishing emails.

Comments: (3)

A Finextra member
A Finextra member | 17 November, 2016, 10:41

No explanation of common denominator for the compromised card accounts such as 1) all of them were used by legitimate cardholders for ATM withdrawals? 2) which ATM machine/s?  3) were the cash out with the cloned cards made in another country/countries? which countries?

My guess is that pin codes and the mag-stripes were harvested by compromising several standalone terminals were the entire card and pin code have had to be entered. Perpetrators then used the clone cards with pin-codes all within a specific time period.


1 thumb up! 1 thumb up! (Log in to thumb up)
Diarmuid Murphy
Diarmuid Murphy - SOmewhere - Somewhere | 17 November, 2016, 12:10

Basic anti-fraud software on the host would have prevented (or at least reduced) this . On the assumption that Tesco are issuing Chip & PIN cards then usage at Mag devices or Fallback at CHip devices should raise alarm bells


2 thumb ups! 2 thumb ups! (Log in to thumb up)
Ganesh Vaidyanathan
Ganesh Vaidyanathan - Self employed - Croydon | 22 November, 2016, 18:08

One wonders how this could get past the fraud management algorithms on the host - sudden increase in the volume of fallback mag-stripe transactions, unusuallly high velocity of cash withdrawal transactions and potentially the unusual location of these withdrawals should have all sent alarm bells ringing very loudly. May be, with TESCO being a new bank, the limited volume of customer behaviour history data available to these algorithms limited their effectiveness.

1 thumb up! 1 thumb up! (Log in to thumb up)
Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

Tesco Bank fraudsters drained £2.5 million from customer accounts

Tesco Bank fraudsters drained £2.5 million from customer accounts

09 November 2016  |  7571 views  |  0 comments | 9 tweets | 17 linkedin
Tesco Bank halts transactions after money disappears from customer accounts

Tesco Bank halts transactions after money disappears from customer accounts

07 November 2016  |  14187 views  |  7 comments | 25 tweets | 43 linkedin

Related company news


Related blogs

Create a blog about this story (membership required)
visit www.capgemini.comdownload the paper nowvisit www.temenos.com

Top topics

Most viewed Most shared
HSBC switches on selfie payments in ChinaHSBC switches on selfie payments in China
13024 views comments | 27 tweets | 42 linkedin
AXA launches blockchain to cover late flight compensationAXA launches blockchain to cover late flig...
8985 views comments | 13 tweets | 27 linkedin
Apple P2P payments service nears launchApple P2P payments service nears launch
8438 views comments | 19 tweets | 27 linkedin
SBI Ripple Asia advances on South KoreaSBI Ripple Asia advances on South Korea
8018 views comments | 16 tweets | 1 linkedin
European Commission makes fintech a priority in supervisory shakeupEuropean Commission makes fintech a priori...
7791 views comments | 31 tweets | 45 linkedin

Featured job

New York, NY - USA (some flexibility on location)

Find your next job