Tesco Bank left its customers exposed to cyber crime by issuing sequential debit card numbers, a practice most banks avoid because it lets hackers remain undetected while working quickly through thousands of accounts, according to rival lenders.
A sustained cyber attack on Tesco Bank last month forced the company to repay £2.5m of losses to 9,000 customers in a heist described as unprecedented by regulators.
Since then the Financial Conduct Authority has contacted several British lenders to check if they are also issuing sequential card numbers, according to executives at two of the banks contacted by the watchdog.
Tesco Bank refused to confirm whether it had issued sequential card numbers or if it had recently changed its practices in this area. It said in an emailed statement: “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident. However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”
The financial offshoot of the UK’s largest supermarket group has not said how the money was stolen. But it has insisted that no customer data were lost and none of its systems were breached in the “highly sophisticated attack”.
Cyber security experts and banking executives say that issuing sequential card numbers makes it easier for hackers to guess the expiry dates and security codes without alerting the bank that there is a risk of fraud. “It raises a question mark — it is not good,” said one.
James Maude, senior security engineer at Avecto, said: “By using sequential numbers it may have meant that it was harder to spot the fraud because every card number they tried would be genuine, of course.”
The Visa debit cards issued by Tesco Bank have a six-digit issuer identifier number, a nine-digit primary account number unique to each customer, and a single check digit.
Most banks use software to randomly generate a primary account number for each customer. But at Tesco Bank these numbers were issued sequentially, according to executives at two rival banks and another person briefed on Tesco’s security operations. The FCA declined to comment.
Researchers at Newcastle University said in a recent paper that they had identified a flaw in Visa’s security system, which allowed hackers to guess a customer’s card number, expiry date and security code in “as little as six seconds” by using an automated programme to fire numbers at hundreds of websites until one worked.
Because Visa — unlike MasterCard — allows unlimited attempts to enter payment card details at different websites, hackers were likely to have used a “distributed guessing attack” to steal money from Tesco Bank customers, the researchers found.
They described this as “frighteningly easy”. Yet cyber security experts said Tesco Bank’s sequential card numbers may have left its customers even more vulnerable.
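As an added illustration, not taken from the article and not Tesco Bank's or Visa's own fraud controls: an issuer-side detector for the signature described above, many distinct account numbers from a narrow numeric range being tried across several merchants within a short window. The authorisation records, merchant ids and the issuer identifier 400000 are constructed; only the six-plus-nine-plus-one digit layout follows the article.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of authorisation attempts as an issuer might see them arriving
# from the card network: (UTC timestamp, merchant id, 16-digit PAN). The issuer
# identifier 400000 and the account numbers are made up; none of these is a real card.
SAMPLE_ATTEMPTS = [
    ("2016-11-05T03:00:01", "M-0101", "4000001000000010"),
    ("2016-11-05T03:00:04", "M-0102", "4000001000000028"),
    ("2016-11-05T03:00:09", "M-0103", "4000001000000036"),
    ("2016-11-05T03:00:15", "M-0104", "4000001000000044"),
    ("2016-11-05T03:00:20", "M-0200", "4000002374819055"),  # ordinary customer purchase
    ("2016-11-05T03:00:27", "M-0101", "4000001000000051"),
    ("2016-11-05T03:00:30", "M-0201", "4000009012377441"),  # ordinary customer purchase
    ("2016-11-05T03:00:45", "M-0102", "4000001000000069"),
]


def account_field(pan):
    """Middle nine digits: the per-customer account number that sits between the
    six-digit issuer identifier and the trailing check digit."""
    return int(pan[6:15])


def detect_sequential_probing(attempts, window_seconds=600, min_accounts=5,
                              max_span=100, min_merchants=3):
    """Return one alert per dense run of distinct account numbers (at least min_accounts
    within a numeric span of max_span) seen from at least min_merchants merchants in one
    fixed time bucket. Randomly issued account numbers almost never cluster like this;
    sequentially issued ones do as soon as someone walks the range."""
    buckets = defaultdict(list)
    for ts, merchant, pan in attempts:
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        buckets[int(when.timestamp()) // window_seconds].append((merchant, account_field(pan)))
    alerts = []
    for bucket, rows in sorted(buckets.items()):
        accounts = sorted({acct for _, acct in rows})
        i = 0
        while i < len(accounts):
            j = i  # extend the run while the span from accounts[i] stays within max_span
            while j + 1 < len(accounts) and accounts[j + 1] - accounts[i] <= max_span:
                j += 1
            run = set(accounts[i:j + 1])
            merchants = {m for m, acct in rows if acct in run}
            if len(run) >= min_accounts and len(merchants) >= min_merchants:
                alerts.append({"window_start": bucket * window_seconds,
                               "accounts": sorted(run), "merchants": sorted(merchants)})
            i = j + 1
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_probing(SAMPLE_ATTEMPTS):
        print(alert)
```

The two ordinary purchases in the sample fall in the same ten-minute bucket but are numerically far from the probed run, so they are not flagged.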
Visa said in response: “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.”
Other banks targeted by the same attack on Tesco Bank said the hackers originated from IP addresses in Brazil and may have used complicit or fake retailers.
The UK’s new National Cyber Security Centre and the National Crime Agency are leading a criminal probe into the hack. The FCA is also investigating. If the bank were shown to have sloppy cyber defences the FCA could consider launching an enforcement investigation.