
Tesco Bank left itself vulnerable to fraud by using sequential card numbers - FT

12 December 2016

Tesco Bank may have left itself open to fraud by issuing debit cards with sequential numbers, according to a report by the FT.

Criminals last month drained £2.5 million from 9000 current accounts at the supermarket chain's banking operations in a hack that was described by Tesco Bank CEO Benny Higgins as "a systematic, sophisticated attack", and billed as "unprecedented in the UK" by the country's banking watchdog.

According to the FT, in the month since the Tesco Bank breach, the Financial Conduct Authority has contacted several British lenders to check if they too are using a sequential numbering scheme for their cards.

Researchers at Newcastle University earlier this month published a study which demonstrated how criminals could have breached the bank's defences by automatically and systematically generating different variations of the card security data and firing them at multiple websites.

Because the Visa card system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made to find the correct expiry date and CVV code.

In a reply to an FT query, Tesco Bank refused to confirm or deny the report. “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident," says the bank. "However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”

Comments: (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 December, 2016, 17:46

How's this possible? I thought V/MC rules require card numbers to be compliant with MOD 10 / Luhn algorithm, which ensures that they won't be sequential?

A Finextra member | 13 December, 2016, 13:44

That is the point. All cards follow the Luhn algorithm, if you know that then the sequence of the cards can remain sequential. It doesn't mean literally increment by 1, rather what is the next valid number following the Luhn algorithm.

Even not being sequential doesn't solve the issue at all. If you are able to keep "pinging cards" with bots, then all you are doing is making the process longer, but you can still just guess card details.

Serious fault with the issuer to be fair in responding to x number of invalid requests. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 13 December, 2016, 17:40

@AFinextraMember:

TY for your clarification. I assumed sequential meant incremented by 1.

Any idea why FCA would need to contact British lenders to see "if they too are using a sequential numbering scheme for their cards"? Since they must all be generating their numbers using some algorithm, isn't it obvious that they're indeed using a sequential numbering scheme?
