June 24, 2018

Tesco Bank Deals with Digital Heist

Cybersecurity experts and IT auditors better saddle up — the world just experienced its first successful digital bank robbery.

The Tesco heist

Last weekend cyber criminals executed a sophisticated attack on Tesco Bank (subsidiary of the British grocery chain) and successfully stole £2.5 million (~$3.1 million) from customer accounts. While the money was refunded quickly and Tesco assured customers that no personal data was compromised, it’s still a huge security failure for them.

Reports initially said around 30% of the company’s 136,000 current accounts got hit. However, new numbers released by the company said only 7% were actually missing money.

So far, investigators have not released any information about possible suspects but one Member of Parliament is speculating it could be a foreign government entity (coughRussiacough) to blame. Let’s hope it’s not state-sponsored and it’s actually some run-of-the-mill criminal they can just lock up.

Digital bandits get creative

If you didn’t believe it before when we talked about cyber extortion, it is safe to say that now we are officially entering the digital wild west! This is the first time hackers actually succeeded in stealing money directly from a bank. The Wall Street Journal reports:

Criminals have hacked into banks before, but it is rare for them to actually withdraw money from customer accounts. Thieves targeted J.P. Morgan Chase & Co. two years ago and got access to names, addresses and other information of 76 million customer households, but the bank said they didn’t steal funds.

In general, most banks have an electronic vault that is hard to crack so it would be difficult for thieves to run away with actual moolah. But, that doesn’t mean banking data isn't a prime target for cybercriminals according to the 2016 Verizon Data Breach Investigations Report:

As consumers began to access financial information online, cybercriminals targeted the theft of both login credentials and ultimately the money in the accounts. Financial account login credentials can be used to exfiltrate money through transfers via online banking applications. Phishing and malware can team up to capture account and routing numbers to commit ACH Fraud. The Crimeware pattern makes another appearance in the form of banking Trojans (e.g., Zeus, Dyre and Dridex) that have evolved to efficiently target static and thus reusable banking information. Privilege Misuse by banking employees is another pattern that leads to banking data loss. Simply put, employees have access to this data, and often use it for their own gain solely or in collusion with external criminal groups.

The financial services industry ranked third in the number of cyberattacks last year. Incidents occur daily, but few are large enough to hit the news.

Banks fight back

Due to their vulnerability to cybercrime, banks are getting smarter — even banding together rather than going it alone with their security measures. For example, in August, the Wall Street Journal reported that eight mega banks started a cybersecurity club to share information and ideas.

It’s just too bad Tesco Bank wasn’t invited to the club. Tesco Bank's claim that “the security of your accounts is a priority for Tesco Bank” is almost laughable now. But, as a smaller bank with only 7 million customers (most of whom are inactive), it might not have the resources to create a digital fortress like the bigger banks can. Just look at J.P. Morgan — its budget for cybersecurity this year alone is $600 million.

But, even without a big budget for cybersecurity, the company sure did get a reality check and has quite the headache to deal with now. Regulators are ready to hand out fines for shoddy controls. One estimate says the company may be on the hook for nearly £2 billion in fines under the EU’s General Data Protection Regulation.

Getting caught with their pants down sounds like it will be very expensive. Other banks, large and small, would be wise to learn from their mistake. Hey, I’m sure we could drum up a few rockstar IT auditors to test for vulnerabilities.

Are banks sitting ducks for this type of crime? Are companies and regulators doing enough to protect customers’ money?

