
Tesco Bank fined millions over 2016 cyber-attack - MSE News


Comments

  • eskbanker
    eskbanker Posts: 37,402 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 2 October 2018 at 6:31PM
    karlie88 wrote: »
    £2.26m taken via 34 fraudulent transactions? I don't believe a word of that.

    Hats off to the fraudsters though, they saw a gap and went for it BIG TIME. I seem to recall lots of iPhone purchases in South America - must have been a very large co-ordinated effort.

    I'm interested in how they managed it...
    The FCA press release goes into a bit more detail than Tesco do, but unsurprisingly nobody is going to spell out the detail*.

    Interestingly the FCA criticise Tesco "because it failed to exercise due skill, care and diligence to [...] respond to the November 2016 cyber attack with sufficient rigour, skill and urgency", which doesn't bode well for TSB - after the weekend attack, Tesco claimed to have reinstated all services and reimbursed all affected customers by the Tuesday evening, which, certainly relative to TSB's efforts, doesn't sound like an unreasonable response, although I may have felt differently had I been one of the customers affected....

    * except the FCA in its detailed report, duh!
  • colsten
    colsten Posts: 17,597 Forumite
    10,000 Posts Seventh Anniversary Photogenic Name Dropper
    eskbanker wrote: »
    Tesco claimed to have reinstated all services and reimbursed all affected customers by the Tuesday evening, which, certainly relative to TSB's efforts, doesn't sound like an unreasonable response, although I may have felt differently had I been one of the customers affected....
    One of my accounts was affected but they had fixed it all by Monday, following the attack on Saturday evening. Like all others affected, I did not lose a penny, not even in interest. I haven't heard of anyone who had actually not been able to make purchases with their debit card, or who had bill payments bounced. What was unimpressive, aside from the debacle being allowed to happen, was the lack of communication. It took them ages to give their CS a script about the issue, and to put out a statement to inform all their account holders.

    By Thursday of the same week, I had also been paid compensation equal to about a year's worth of interest on a fully loaded Tesco current account. Not sure how much others got - I suppose it varied from case to case.

    karlie88 wrote:
    £2.26m taken via 34 fraudulent transactions? I don't believe a word of that
    Me neither. The numbers don't add up.
  • SnowTiger
    SnowTiger Posts: 4,461 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    eskbanker wrote: »
    The FCA press release goes into a bit more detail than Tesco do, but unsurprisingly nobody is going to spell out the detail.

    Interestingly the FCA criticise Tesco "because it failed to exercise due skill, care and diligence to [...] respond to the November 2016 cyber attack with sufficient rigour, skill and urgency", which doesn't bode well for TSB - after the weekend attack, Tesco claimed to have reinstated all services and reimbursed all affected customers by the Tuesday evening, which, certainly relative to TSB's efforts, doesn't sound like an unreasonable response, although I may have felt differently had I been one of the customers affected....

    There is quite a lot of detail in the FCA's full report here:
    4.58. The amount of fraudulent transactions made on individuals’ personal current accounts varied. Over 600 customers’ personal account balances were temporarily reduced, but not actually debited, by between £500 and £1000. Some 646 customers had fraudulent transactions exceeding £1,000 on their personal current accounts. Twenty-three customers had between £5,000 and £10,000 in fraudulent transactions on their personal current accounts. One customer had 22 fraudulent transactions totalling £65,000 on his account. Over 5,000 customers had £0 transactions “approvals” which included hotel check-in authorisation charges, situations where authorisation was received, but the transaction did not settle and where the merchant or acquirer reversed the transaction.

    4.59. Tesco Bank’s systems automatically applied around £9,000 in charges and interest to customers’ accounts and account balance reductions led to 668 unpaid direct debits on customers’ accounts. As set out below, Tesco Bank promptly reimbursed customers for these charges as part of its redress programme.

    4.60. The way in which 8,261 personal current accounts were affected was that when a customer reviewed his or her account balance, it appeared to the customer that the account balance had been reduced by the amount of the unauthorised transaction. In fact, Tesco Bank delayed posting most of transactions arising from the Cyber Attack. By delaying the posting, it meant that of the 8,261 accounts affected, Tesco Bank only debited 34 accounts a total of only £1,830 and made good the amounts debited from those customers’ accounts by 10 November. The net loss to Tesco Bank was £700,000.

    The figures are a little confusing, though.

    It appears that 8,281 accounts were affected; and a total of £1,830 was actually taken from 34 of those accounts. The report mentions that Tesco Bank stopped most of the transactions being debited from customers' accounts and, itself, suffered a net loss of £700,000.

    What isn't clear is where the figure of £2.26 million comes from. The FCA uses the term 'attackers netted £2.26 million'. It doesn't say that was Tesco Bank's loss.

    My thinking is that the 'attackers' got £2.26 million, Tesco Bank directly lost £700,000 and the other losses were made by merchants. The report mentions the fraudsters were making contactless payments in Brazil and the US that followed magnetic strip rules. As far as I'm aware, these offer merchants far less protection from fraudulent transactions:
    Once the Fraud Strategy Team had been alerted, it determined that the majority of fraudulent transactions were coming from Brazil using a payment method known as “PoS 91”. PoS 91 is an industry code which indicated that the attackers were making Contactless MSD transactions, transactions which rely on magnetic stripe rules which carry identifying information about the debit card.
This discussion has been closed.