Nov 08 2016
 

The news is full of the US elections today, but yesterday there was a different headline.

‘Thousands of Tesco Bank Customers lose money’

Or similar to that.

Immediately the security world started to look into the reports. Within minutes links to previous issues were being pointed out; within hours a big old game of ‘join the dots’ was mostly complete.

So, what happened?

Well, quite a few things, it would appear. Mostly from guesswork and taking the odd peek at the defences that Tesco put up, it looks like this.

  • The main web site – tescobank.com still supports TLS v1.0 – this is utterly stupid. TLS 1.0 is long deprecated due to the ease with which a malicious actor can perform a ‘Man in the Middle’ attack.
  • There are literally hundreds of phishing sites that appear to be aimed at Tesco. A simple search using a database of domains logged 214 domains added within the last six months that contain ‘tesco’, of which 12 appear to refer to bank or other financial products. None of these are owned by Tesco.
  • The password requirements appear to be rather dumb – 6-10 characters, mix of letters and numbers, no special characters and upper/lower case treated the same.
  • Getting the password wrong many times does not appear to lock out the account.
  • There does not seem to be any place for multi-factor authentication (MFA).

Figuring out which of these vectors a malicious actor actually took is quite difficult.

Taking advantage of the TLS 1.0 vulnerabilities with a POODLE attack (Man in the Middle) is pretty tough to pull off, but not impossible. I’d say that this is perhaps not the easiest vector, so let’s leave that one. TLS 1.0 is a serious vulnerability and it should be patched.

A phishing attack is dirt easy and highly likely: send out an official-looking Tesco Bank e-mail to a list of possible customers, probably from one of the many lists of valid e-mail addresses that are floating around the internet, asking them to confirm their details, stick up a convincing-looking landing page for them to log in (or fail to a couple of times), harvest the IDs and passwords entered and then store them for a while. This feels incredibly likely. But to have 9,000 users affected seems a little too good – this would be one of the more successful phishing attacks I’ve ever heard of.

Brute-forcing passwords feels reasonably likely. As there is no limit to the number of guesses, it is likely that this was fairly easy. But actually orchestrating this is somewhat tough. A 6-10 character password with a mere 35 possible characters really is not that safe, but again it feels slightly unlikely. That the thieves managed 9k accounts rings alarm bells: it would mean that, over a period of time, they would have needed to test and accrue the details.

So that leaves us with the one thing I did not mention. Over the last couple of years, millions, perhaps billions, of e-mail addresses, user-names and passwords have been leaked by various large companies. People are horribly bad at using different details for different services. It therefore seems feasible that the malicious actors simply loaded up a list of .co.uk, gmail, hotmail and yahoo e-mail addresses and their known passwords, leaked from the multitude of dumps, and tried them all against the Tesco Bank services.
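As an added example (not part of the original post, and not Tesco Bank's code), the Python below shows how the two guessing patterns described above differ in login logs: brute-forcing piles failures onto a few accounts, while replaying leaked credentials spreads roughly one guess over many accounts, so a per-account lockout alone never sees it. The log format, thresholds and every name here are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def build_sample_log():
    """Constructed log lines; format, users and addresses are illustrative."""
    row = "2016-11-05T02:{:02d}:00Z login result={} user={} src={}"
    rows = []
    # 203.0.113.7: eight accounts, one guess each, the last one works (list replay)
    for i in range(8):
        rows.append(row.format(i, "OK" if i == 7 else "FAIL",
                               f"user{i}@example.co.uk", "203.0.113.7"))
    # 198.51.100.23: nine guesses against a single account
    rows += [row.format(i, "FAIL", "bob@example.co.uk", "198.51.100.23") for i in range(9)]
    # 192.0.2.44: a customer mistypes twice, then gets in
    rows += [row.format(i, r, "carol@example.co.uk", "192.0.2.44")
             for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    return "\n".join(rows)

def classify_sources(log_text, min_failures=6, stuffing_ratio=0.8):
    """Return ({src: verdict}, {flagged src: accounts that logged in OK from it})."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    wins = defaultdict(set)                         # src -> users with a successful login
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1
        else:
            wins[m["src"]].add(m["user"])
    verdicts = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        if total < min_failures:
            verdicts[src] = "normal"                # ordinary mistyped password
        elif len(per_user) / total >= stuffing_ratio:
            verdicts[src] = "credential-stuffing"   # many accounts, about one guess each
        else:
            verdicts[src] = "brute-force"           # few accounts, many guesses each
    # Successful logins from a flagged source are the accounts to review and reset.
    at_risk = {s: sorted(wins[s]) for s, v in verdicts.items() if v != "normal" and wins[s]}
    return verdicts, at_risk

if __name__ == "__main__":
    print(classify_sources(build_sample_log()))
```

In the constructed data no account from 203.0.113.7 sees more than one failure, so only the per-source view flags it, and the one login that succeeded from that source is the account to review.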

Or maybe it was a combination of the above. The more I think about it, the more I believe it probably was.

9,000 users does not feel like a huge number if there are a couple of million customers that have/had a Tesco Bank account. But given the fantastically weak security, it quite easily could have been a lot more. If each user lost £250, the malicious actors netted a couple of million pounds.

I would hope that Tesco Bank and all other banks take notice: security is tough, but so is losing millions of pounds to a bunch of people that looked at the door and realised it was wide open…

Update: Tesco have now confirmed that there were nine thousand customers affected to the tune of around £2,500,000.

 Posted by at 2:45 pm
