December 12, 2016

Tesco Bank accused of leaving customers in danger of cyber attack

Did Tesco Bank put customers in danger of hacking through debit card practices?

By Alexander Sword

Tesco Bank may have left customers vulnerable to cyber attack by issuing sequential debit card numbers.

The Financial Conduct Authority is contacting British lenders to find out whether they follow the same practice, according to a report in the Financial Times, which cited executives at two rival banks and someone briefed on Tesco’s security operations.

Normally, card numbers are assigned randomly. However, these claims suggest that Tesco Bank gave out account numbers in order, meaning that hackers could quickly move from one account to the next.

The practice may have made it much harder to detect the fraud as the hackers would have had a high success rate.

Around 9,000 customers were affected by the fraudulent transactions, according to Tesco, which was forced to pay back £2.5 million to fully reimburse the affected customers.

On 5 November, several customers complained that money had been withdrawn from their Tesco Bank accounts without permission. They also complained that cards had been blocked and that there were long delays in reaching the bank by phone.

Tesco Bank suspended online payments after it detected ‘suspicious activity’. Service had resumed by 10 PM on 8 November.

The bank also said that no customer personal data had been compromised.

The security of bank cards could become an increasingly targeted attack surface in the near future. An academic study published in the IEEE Security & Privacy journal and conducted by a team at Newcastle University recently found that hackers can work out the card number, expiry date and security code of Visa cards extremely easily.

The team automatically generated different variations of card security data and sent them to different payment websites. Once the details worked on a certain site they could be considered verified and used elsewhere.

These vulnerabilities are not present in the MasterCard network, the team also found.
