Cyber security

Hacked: Did Tesco Bank fall for the oldest trick in the book?

By Oliver Smith 12 December 2016
Summary

Turns out the 9,000 Tesco Bank customers hacked might've been easily protected.

Tesco Bank is still paying back some £2.5m to over 9,000 of its customers who had their accounts hacked at the beginning of November.

Now there’s an allegation that the “systematic sophisticated attack” that Tesco described might have been caused by something rather more mundane.

Tesco Bank printed sequential card numbers on its debit cards, according to a report from the Financial Times, meaning that criminals could quickly figure out the long bank card number for thousands of accounts.

With this, hackers would have a relatively simple job of guessing each card’s expiry date and security code (something which can often be done without alerting banks), after which they could start spending.

More trouble to come?

If true, this would appear to be a painfully basic oversight, typically banks randomise the long bank card numbers to prevent exactly this kind of security problem.

In a statement Tesco Bank said: “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident. However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”

But Tesco might not be the only bank in trouble.

The FT reports that the Financial Conduct Authority has also contacted several other British banks and lenders to ensure they haven’t been issuing sequential card numbers as well.

If they have been, Tesco’s hack might only be the start.

If only these banks had given out smart cards with changing numbers

Read more: This high-tech card is being rolled out by French banks to eliminate fraud