Last Tuesday, as Americans were filling out their ballots, about 40,000 U.K. citizens were left wondering what happened to their bank accounts. Tesco Bank, the banking arm of a large supermarket chain, stopped all online transactions for its 140,000 customers the day before. The reason, The Guardian reports, was simple: a large sum of money was transferred to Spanish and Brazilian accounts without customer knowledge or approval.
It was a cyberattack. One compromising not just bank accounts, but also the confidence of security between a bank and its customers. It’s not the first time this has happened and it probably won’t be the last. It is, however, a sign of things to come: cyberattacks on banks through a variety of methods.
In this case, the cybercriminals made away with about 2.5 million pounds (roughly $3.1 million USD) from 9,000 customer accounts, according to The Register. They also left behind a confused security community, which wondered just how so much money could be stolen with so little indication as to how it was done. The bank, according to reports from SecurityWeek, knew “exactly” how the attackers managed to breach its systems, though it refuses to give details due to an ongoing criminal investigation.
Now, it usually takes weeks, if not months, for even the largest organizations to identify and verify attack methods and actors. That said, this case doesn’t demonstrate the usual discovery timeline. Curiously enough, Tesco isn’t even calling the attack a “hacking” incident, and insists their systems weren’t compromised. So what, exactly, is going on?
There are several theories on how this attack could’ve taken place. All of them are plausible, though we won’t know until Tesco either gives an official statement or criminal charges are pressed against the attacker(s). Still, it may behoove us to understand just how an attack like this could happen and what banking customers can do to defend themselves.
The first possibility is the insider theory. This theory suggests an inside threat—a disgruntled employee with administration privileges, for example—worked with a team of cybercriminals to conduct the heist. These types of threats are notoriously difficult to defend against, as most inside threats come from lack of attentiveness, not malice. Still, it could explain why Tesco was able to detect the breach’s origins so quickly.
Second, there’s the third party theory. This theory suggests a compromised third-party organization, tied to Tesco Bank, led to the incident. It’s certainly possible. Last year, chain retailers, restaurants and hotel chains suffered breaches thanks to weaknesses in their preferred point-of-sale systems. This means responsibility for a breach could very well lie with a partnering organization.
Third, is the brute force theory. This theory suggests cybercriminals used a simplistic technique called a “brute force attack.” Essentially, attackers would use programs to automatically test thousands of login and password combinations, allowing it to discover thousands of valid ones.
This third theory is plausible. If true, though, it’d cast a lot of doubt on Tesco’s ability to secure its assets. For one, such an attack requires a security oversight allowing virtually unlimited guesses for username/password combinations. It begs the question that if the bank failed to prevent such a simple attack, then what else is vulnerable?
Regardless, this likely won’t be the last large scale cyberheist. Banks are prime, though hardened, targets with lucrative rewards. 2016 has seen other attempted bank robberies, including one which nearly saw $951 million stolen from Bangladesh’s central bank. 2017 will likely see more.
So what should you do if your bank of choice were to fall victim to a cyberattack? Well, there are a few things you should take into consideration:
- Change your password as soon as possible. If your bank ever suffers from a cyberattack, you will need to change your password. Use a strong, complex password at least eight characters long with numbers, symbols and uppercase and lowercase letters. Using a password manager is an easy way to generate and manage complex passwords.
- Avoid emails purporting to be from your bank. Banks are a particularly sensitive institution in our lives. They hold our money and therefore our attention. So it’s easy for crooks to take advantage of that attention by posing as these institutions to reel in users’ banking data. Never respond to an email from your bank that demands you surrender sensitive information. This is not your bank: it is a phishing attack — an attack method designed to trick users into giving up sensitive information. Just delete the email and follow the next tip.
- Call your bank. Call your bank if it has been compromised or if you believe your account is. Direct calls to your bank can help ensure you’re getting valid information directly from the source, and can prepare you for whatever adjustments your bank may need to make. Calling can also help clarify any questions you may have when it comes time to update your account.