The news is full of the US elections today, but yesterday there was a different headline.
‘Thousands of Tesco Bank Customers lose money’
Or similar to that.
Immediately the security world started to look into the reports. Within minutes links to previous issues were being pointed out, within hours a big old game of ‘join the dots’ was mostly complete.
So, what happened?
Well, quite a few things, it would appear. Mostly from guesswork and the odd peek at the defences Tesco has put up, it looks like this.
- The main web site – tescobank.com – still supports TLS v1.0. This is utterly stupid: TLS 1.0 is long deprecated because of the ease with which a malicious actor can perform a ‘Man in the Middle’ attack.
- There are literally hundreds of phishing sites that appear to be aimed at Tesco. A simple search using a database of domains logged 214 domains added within the last six months that contain ‘tesco’, 12 of which appear to refer to bank or other financial products. None of these are owned by Tesco.
- The password requirements appear to be rather dumb – 6-10 characters, a mix of letters and numbers, no special characters, and upper/lower case treated the same.
- Getting the password wrong many times does not appear to lock out the account.
- There does not seem to be any place for multi-factor authentication (MFA).
Figuring out which of these vectors a malicious actor actually took is quite difficult.
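As an added illustration (not part of the original post), the Python below works out the effective keyspace of the password policy described above against an assumed stronger policy, and shows the kind of sliding-window failed-login lockout check the post suggests is missing. The login events and the comparison policy are constructed for the example.

```python
import math
from collections import defaultdict, deque

def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords a policy allows: alphabet**length summed over lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def bits(n):
    """Keyspace expressed as bits of entropy for a uniformly chosen password."""
    return math.log2(n)

# Policy as described in the post: 6-10 chars, letters and digits,
# case-insensitive, so only 26 letters + 10 digits = 36 symbols count.
TESCO_ALPHABET = 26 + 10
# Assumed comparison policy (not from the post): 12+ chars, case-sensitive
# letters, digits and 32 printable specials = 94 symbols.
STRONG_ALPHABET = 26 + 26 + 10 + 32

# Constructed auth log: (timestamp in seconds, account id, login succeeded?)
SAMPLE_EVENTS = [
    (100, "acct-1001", False), (112, "acct-1001", False), (125, "acct-1001", False),
    (140, "acct-1001", False), (158, "acct-1001", False), (171, "acct-1001", True),
    (200, "acct-2002", False), (1300, "acct-2002", False), (2600, "acct-2002", False),
    (2650, "acct-2002", True),
]

def failed_login_bursts(events, window_s=300, threshold=5):
    """Return {account: timestamp} for accounts that reach `threshold` failed
    logins inside any `window_s`-second window: the trigger a lockout or
    step-up (MFA) control would act on. Successful logins are ignored, so a
    later correct password does not hide the preceding guessing burst."""
    recent = defaultdict(deque)   # per-account timestamps of recent failures
    flagged = {}
    for ts, account, succeeded in sorted(events):
        if succeeded:
            continue
        window = recent[account]
        window.append(ts)
        while window and ts - window[0] > window_s:   # drop failures outside the window
            window.popleft()
        if len(window) >= threshold and account not in flagged:
            flagged[account] = ts
    return flagged

if __name__ == "__main__":
    print(f"Post's policy:  {bits(keyspace(TESCO_ALPHABET, 6, 10)):.1f} bits")
    print(f"Stronger policy: {bits(keyspace(STRONG_ALPHABET, 12, 12)):.1f} bits (12 chars only)")
    print("Accounts to lock/step-up:", failed_login_bursts(SAMPLE_EVENTS))
```

With the constructed events, only acct-1001 trips the threshold (five failures in under a minute); acct-2002's three failures spread over forty minutes do not.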