Posted by Kevin on November 7, 2016.
Forensic investigation into the Tesco Bank hack this weekend will only be in its initial stages. Until we get the results, everything is conjecture. Nevertheless there are some things worth considering.
Tesco Bank is not one of the Big Banks. It may well have been targeted for that reason, with the cyber criminals assuming – and apparently accurately – that Tesco’s defences might be more easily breached than Barclays’.
The criminals were certainly well organized. We are told that 40,000 accounts experienced fraudulent activity, and that 20,000 accounts lost money. There is an implication, not yet proven, that 20,000 frauds were detected and blocked before Tesco shut down online transactions. The other 20,000 succeeded. All seems to have happened over the weekend when bank staff levels were minimal.
The unproven implication is that serious criminal planning was involved. Assuming that the fraud would rapidly be detected, the plan was to extract as much as possible in as short a period of time as possible. That in turn suggests that the hackers may have been inside the network for some time, working out which accounts to attack and what amount would be least likely to trigger the fraud detection.
Nothing is yet known about how or when. One obvious possibility is that an admin was phished and gave up his credentials. With keys to the kingdom, the hackers could slip in invisibly, and then rapidly hide their tracks once in the network. Currently this is my guess.
But we shouldn’t forget that TalkTalk succumbed to an advanced attack that prompted the NCSC’s technical director Ian Levy to comment, “TalkTalk originally described its breach as a sophisticated cyber attack, but it was a structured query language (SQL) injection attack, supposedly by a 15-year-old; and when the vulnerability is older than the perpetrator, you can’t call it advanced.”
I think everyone will be hoping it wasn’t as simple as this – or the ICO will have something to say about it!
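The SQL injection flaw Ian Levy refers to is the pattern of splicing untrusted input into query text. The following is an added example, not code from the post, TalkTalk or Tesco Bank: it builds an in-memory SQLite table of constructed customer records, runs the same lookup once with string concatenation and once with a bound parameter, and shows why the first leaks every row while the second simply finds no match. The table, column names and sample e-mail addresses are all assumptions.

```python
import sqlite3

# Constructed sample data; no relation to any real bank's schema.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "00-00-01"),
    ("bob@example.com", "00-00-02"),
    ("carol@example.com", "00-00-03"),
]


def setup_db():
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, sort_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, sort_code) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: caller-supplied text becomes part of the SQL.

    Any quote character in `email` changes the structure of the statement,
    so the WHERE clause no longer means what the developer wrote.
    """
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """The hardened pattern: the statement is fixed, the value is bound.

    The driver sends `email` as data, never as SQL text, so quotes inside it
    are compared literally against the column.
    """
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and return their row lists."""
    conn = setup_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, email),
            "parameterized": lookup_parameterized(conn, email),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed address behaves identically under both implementations.
    print(compare("bob@example.com"))
    # A constructed malformed input: the vulnerable query returns every row,
    # the parameterized query finds no customer with that literal address.
    print(compare("x' OR '1'='1"))
```

The fix is not escaping quotes by hand but never letting user input reach the query text at all; the same bound-parameter form exists in every mainstream database driver.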
It is clear that Tesco’s fraud detection system noticed the fraud very rapidly – fast enough to block 20,000 transactions even if not fast enough to block another 20,000. And the incident response system was rapid enough to lock down the bank and bring in the NCA. Emails to potentially affected customers were despatched pretty quickly, and a notice appeared on the site within around 24 hours.
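The attackers' apparent strategy of keeping each transfer below whatever amount would trigger fraud detection, and the bank's system nevertheless catching half the transactions quickly, are two sides of one design question: a per-transaction amount rule alone is easy to stay under, while an aggregate velocity rule across accounts is not. This added example (not Tesco Bank's system or any code from the post) runs both rule types over constructed weekend transaction records; the limit, the burst window, the account and payee names and the amounts are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed per-transaction rule: a single transfer above this value is blocked.
PER_TXN_LIMIT = 500.00
# Assumed aggregate rule: this many first-time-payee transfers, across any
# accounts, inside BURST_WINDOW is treated as coordinated fraud.
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed: beneficiaries each account has paid before. Accounts absent
# from this map have no payment history, so every payee is "new" for them.
KNOWN_PAYEES = {"acct-8": {"grocer"}}

# Constructed records: (ISO timestamp, account, payee, amount).
# Indices 0-5 are small transfers under the limit, spread over many accounts
# in a few minutes at night; index 6 is the one careless over-limit transfer;
# index 7 is ordinary daytime spending to a known payee.
SAMPLE_TXNS = [
    ("2016-11-05T02:01:00", "acct-1", "payee-a", 420.00),
    ("2016-11-05T02:02:10", "acct-2", "payee-b", 410.00),
    ("2016-11-05T02:02:45", "acct-3", "payee-c", 450.00),
    ("2016-11-05T02:03:30", "acct-4", "payee-d", 430.00),
    ("2016-11-05T02:04:05", "acct-5", "payee-e", 440.00),
    ("2016-11-05T02:05:00", "acct-6", "payee-f", 460.00),
    ("2016-11-05T02:06:00", "acct-7", "payee-g", 900.00),
    ("2016-11-05T14:00:00", "acct-8", "grocer", 35.20),
]


def parse(txns):
    """Convert the timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), acct, payee, amt)
            for ts, acct, payee, amt in txns]


def is_new_payee(account, payee):
    """True when this account has never paid this beneficiary before."""
    return payee not in KNOWN_PAYEES.get(account, set())


def flag_over_limit(txns):
    """Per-transaction rule: indices whose amount exceeds PER_TXN_LIMIT."""
    return [i for i, (_, _, _, amt) in enumerate(parse(txns))
            if amt > PER_TXN_LIMIT]


def flag_burst(txns):
    """Aggregate rule: indices of new-payee transfers that fall inside any
    BURST_WINDOW holding at least BURST_COUNT such transfers, regardless of
    the individual amounts."""
    parsed = parse(txns)
    candidates = [i for i, (_, acct, payee, _) in enumerate(parsed)
                  if is_new_payee(acct, payee)]
    candidates.sort(key=lambda i: parsed[i][0])
    flagged = set()
    for pos, i in enumerate(candidates):
        window_end = parsed[i][0]
        # Every earlier candidate still inside the window ending at this one.
        window = [j for j in candidates[:pos + 1]
                  if window_end - parsed[j][0] <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            flagged.update(window)
    return sorted(flagged)


def triage(txns):
    """Return what each rule would have stopped on the same input."""
    return {"over_limit": flag_over_limit(txns), "burst": flag_burst(txns)}


if __name__ == "__main__":
    print(triage(SAMPLE_TXNS))
```

On the constructed data the amount rule stops only the single over-limit transfer, while the burst rule flags all seven night-time transfers and leaves the daytime purchase alone. The limit and window values here are arbitrary; in practice they are tuned against an institution's own traffic, and the second rule is the one that has to run in near real time for the blocking described in the post to happen at all.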
That’s pretty good; but that seems to be as far as it went. Actual customer support was appalling. Worried customers called the number they were given and either couldn’t get through or weren’t told anything. It was never going to be easy over a weekend, but the bank simply wasn’t prepared for this eventuality. And it should have been. That’s what incident response is all about.