Investigators of the hacking incident at Tesco Bank are now reportedly examining allegations that the bank failed to heed early warnings of the security flaw in its payments systems.
This follows the news that Tesco Bank confirmed a cyber-attack on its systems which resulted in £2.5 million (US$3.09 million) being stolen from 9,000 customer accounts.
Three anonymous sources are reported to have told The Times newspaper that they believe investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) think hackers used specially designed computers to exploit what is known as a Code 91 glitch in order to access the debit card details of Tesco Bank customers.
The glitch allows criminals to repeatedly “ping” payment sites with random debit card numbers until they find a match with a customer's card number, expiry date and three-digit security code.
Those sources claim that the bank may have failed to act on a warning issued by Visa a year ago, which alerted banks to the risk posed by low-value transactions in particular. Tesco Bank allegedly ignored the warning, leaving its systems vulnerable.
Visa apparently warned that cyber-criminals could siphon off small amounts from victims' accounts, as a way to verify the validity of details, before launching a large-scale attack.
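One detection check an issuer could run over its authorisation logs for the pattern described above: many low-value attempts spread across different card numbers from a single source, mostly declined, with an occasional approval marking a correctly guessed card. This is an added example, not Tesco Bank's or Visa's code; the log format, the `SAMPLE_LOG` lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation-attempt log (not real data).
# Fields: timestamp, source (merchant/acquirer id), masked PAN, amount in pence, result
SAMPLE_LOG = """\
2016-11-05T02:00:01 M001 4659****0001 99 DECLINED
2016-11-05T02:00:02 M001 4659****0002 99 DECLINED
2016-11-05T02:00:03 M001 4659****0003 99 DECLINED
2016-11-05T02:00:04 M001 4659****0004 99 DECLINED
2016-11-05T02:00:05 M001 4659****0005 99 DECLINED
2016-11-05T02:00:06 M001 4659****0006 99 APPROVED
2016-11-05T02:00:07 M001 4659****0007 99 DECLINED
2016-11-05T02:00:08 M001 4659****0008 99 DECLINED
2016-11-05T02:00:09 M001 4659****0009 99 DECLINED
2016-11-05T02:00:10 M001 4659****0010 99 DECLINED
2016-11-05T09:15:00 M002 4659****0100 4599 APPROVED
2016-11-05T09:16:00 M002 4659****0101 1250 APPROVED
2016-11-05T09:17:00 M002 4659****0100 4599 DECLINED
"""

def parse(log):
    """Turn log lines into (timestamp, source, pan, amount, result) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, pan, amount, result = line.split()
        rows.append((datetime.fromisoformat(ts), src, pan, int(amount), result))
    return rows

def find_enumeration(rows, window=timedelta(minutes=10), min_distinct=8,
                     max_amount=500, min_decline_ratio=0.8):
    """Flag sources that probe many distinct cards at low value, mostly declined,
    inside a sliding time window; approved cards in the window are the likely hits."""
    by_src = defaultdict(list)
    for row in sorted(rows):
        by_src[row[1]].append(row)
    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            low = [e for e in events[start:end + 1] if e[3] <= max_amount]
            distinct = {e[2] for e in low}
            if len(distinct) < min_distinct:
                continue
            ratio = sum(1 for e in low if e[4] == "DECLINED") / len(low)
            if ratio >= min_decline_ratio:
                flagged[src] = {"distinct_cards": len(distinct),
                                "decline_ratio": round(ratio, 2),
                                "approved_cards": sorted({e[2] for e in low if e[4] == "APPROVED"})}
    return flagged
```

The approved cards a flagged source produced are the ones to block or re-verify, since a single approval amid a run of low-value declines is the verification step the warning describes.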
A Tesco Bank spokesperson told SCMagazineUK.com: “On 5 and 6 November Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5 million. We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation.”
“We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank. We have also confirmed directly with every customer impacted that none of their customer data was lost or stolen.”
“This incident has highlighted that all banks need to work together in the interests of all customers and the financial system.”
The NCA and NCSC were contacted for comment, but both declined as this is still an active investigation.