Tesco Bank may have left customers vulnerable to cyber attack by issuing sequential debit card numbers.
The Financial Conduct Authority is contacting British lenders to find out whether they follow the same practice, according to a report in the Financial Times, which cited executives at two rival banks and a person briefed on Tesco’s security operations.
Normally, card numbers are assigned randomly. These claims, however, suggest that Tesco Bank gave out account numbers in order, meaning that attackers could move quickly from one account to the next.
The practice may also have made the fraud much harder to detect, since the attackers would have had a high success rate and generated few failed attempts.
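The distinction between random and sequential issuance is something an issuer can check for itself. The following is an added example, not code from the article or from Tesco Bank: an audit over a batch of issued card numbers in the order they were issued. It assumes 16-digit PANs laid out as a 6-digit issuer identifier, a 9-digit account identifier and a trailing check digit (the check digit is derived from the other digits, so it is excluded from the comparison). The sample batches and the 0.5 threshold are constructed for illustration.

```python
"""Issuer-side audit: does a batch of issued card numbers look sequential?

Added example with constructed data. Assumes 16-digit PANs: digits 1-6 are the
issuer identifier, digits 7-15 the account identifier, digit 16 the check digit.
"""

IIN_LEN = 6  # assumed issuer-identifier length


def account_identifier(pan: str) -> int:
    """Return the account-identifier portion of a PAN as an integer.

    Spaces are ignored; the trailing check digit is dropped because it is
    derived from the other digits and adds no unpredictability.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) != 16:
        raise ValueError(f"expected a 16-digit PAN, got {len(digits)} digits")
    return int(digits[IIN_LEN:-1])


def sequential_fraction(pans: list[str]) -> float:
    """Fraction of consecutive issuances whose account identifiers differ by exactly 1.

    A randomly assigned batch should score close to 0.0; a counter-based batch
    scores close to 1.0.
    """
    ids = [account_identifier(p) for p in pans]
    if len(ids) < 2:
        return 0.0
    steps = [later - earlier for earlier, later in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def audit_issuance(pans: list[str], threshold: float = 0.5) -> dict:
    """Summarise a batch: the sequential fraction and a verdict against the threshold."""
    fraction = sequential_fraction(pans)
    return {
        "cards": len(pans),
        "sequential_fraction": fraction,
        "verdict": "SEQUENTIAL_ISSUANCE" if fraction >= threshold else "ok",
    }


# Constructed sample batches (the trailing "0" stands in for a check digit and
# is not a valid one; it plays no part in the audit).
SEQUENTIAL_BATCH = [f"400000{aid:09d}0" for aid in range(100, 106)]
RANDOM_BATCH = [f"400000{aid:09d}0" for aid in (813_204_117, 52_990_431, 677_118_002, 301_556_789, 998_014_260)]

if __name__ == "__main__":
    for name, batch in (("sequential", SEQUENTIAL_BATCH), ("random", RANDOM_BATCH)):
        print(name, audit_issuance(batch))
```

Run as a script it prints one summary per batch. In practice the input would be an issuance log ordered by issue time, and the audit belongs beside the issuer's existing controls rather than as a one-off check.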
Around 9,000 customers were affected by the fraudulent transactions, according to Tesco, which was forced to pay back £2.5 million to fully reimburse the affected customers.
On 5 November, several customers complained that money had been withdrawn from their Tesco Bank accounts without permission. They also complained that cards had been blocked and that there were long delays in reaching the bank by phone.
Tesco Bank suspended online payments after it detected ‘suspicious activity’. Service had resumed by 10 PM on 8 November.
The bank also said that no customer personal data had been compromised.
The security of bank cards could become an increasingly targeted attack surface in the near future. An academic study published in the IEEE Security & Privacy journal and conducted by a team at Newcastle University recently found that hackers can work out the card number, expiry date and security code of Visa cards extremely easily.
The team automatically generated different variations of card security data and sent them to different payment websites. Once the details worked on a certain site, they could be considered verified and used elsewhere.
These vulnerabilities are not present in the MasterCard network, the team also found.
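Because the guessing described above is spread over many merchants, no single merchant sees enough failures to notice; the issuer, which authorises every attempt, is the party that can. The following is an added detection example, not code from the article or the Newcastle study. It assumes the issuer has an authorisation log with a tokenised card reference, the merchant, the decline reason and a timestamp (all field names are assumptions), and flags a card whose verification-data declines come from many distinct merchants inside a short window. The records and the thresholds are constructed.

```python
"""Issuer-side detection of distributed guessing across merchants.

Added example with constructed authorisation records. Field names (card_ref,
merchant, result, ts) and the decline codes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Declines caused by wrong verification data (not by insufficient funds etc.).
VERIFICATION_DECLINES = {"declined_cvv", "declined_expiry"}


def flag_distributed_guessing(auths: list[dict],
                              window: timedelta = timedelta(minutes=10),
                              min_merchants: int = 5) -> dict:
    """Return {card_ref: merchant_count} for cards whose verification declines
    come from at least min_merchants distinct merchants within any window.

    The count reported is the largest number of distinct merchants seen in a
    single window for that card.
    """
    by_card = defaultdict(list)
    for a in auths:
        if a["result"] in VERIFICATION_DECLINES:
            by_card[a["card_ref"]].append((datetime.fromisoformat(a["ts"]), a["merchant"]))

    flagged = {}
    for card, events in by_card.items():
        events.sort()  # sliding window over time-ordered declines
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            merchants = {m for _, m in events[lo:hi + 1]}
            if len(merchants) >= min_merchants:
                flagged[card] = max(flagged.get(card, 0), len(merchants))
    return flagged


def _auth(card_ref, merchant, result, ts):
    return {"card_ref": card_ref, "merchant": merchant, "result": result, "ts": ts}


# Constructed sample log. card_ref is a token, not a card number.
SAMPLE_AUTHS = (
    # tok-A: six verification declines at six merchants within five minutes.
    [_auth("tok-A", f"merchant-{i}", "declined_cvv", f"2016-11-05T10:0{i}:00") for i in range(6)]
    # tok-B: a customer mistyping twice at one shop, then succeeding.
    + [_auth("tok-B", "merchant-9", "declined_expiry", "2016-11-05T11:00:00"),
       _auth("tok-B", "merchant-9", "declined_expiry", "2016-11-05T11:01:00"),
       _auth("tok-B", "merchant-9", "approved", "2016-11-05T11:02:00")]
    # tok-C: five declines at five merchants, but thirty minutes apart.
    + [_auth("tok-C", f"merchant-{i}", "declined_cvv", f"2016-11-05T{10 + i // 2}:{30 * (i % 2):02d}:00")
       for i in range(5)]
)

if __name__ == "__main__":
    print(flag_distributed_guessing(SAMPLE_AUTHS))
```

Only tok-A is flagged: tok-B's declines are all at one merchant, and tok-C's are too far apart to fall in one ten-minute window. Tuning the window and merchant count against the issuer's own decline rates is what keeps the rule from firing on ordinary customer typos.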