The Tesco hack: Five important lessons from a modern-day cyber-attack
This week, the Financial Conduct Authority issued a fine of £16.4m in relation to a cyber-attack in 2016 which netted the criminals over £2m. But whilst the FCA report is damming, there are lessons for us all here.
This wasn’t your typical Hollywood cyber-attack. Expunge any notions of Jason Bourne or giant exploding computer screens from your mind. Neither was this a ‘computer hack’ in the traditional sense, despite early claims to the contrary, Tesco’s internal computer systems were never compromised, online and mobile accounts were untouched and no personal information was stolen.
No, this was a bank robbery pure and simple. A robbery involving a small army of money mules on the ground in Brazil who completed tens of thousands of card transactions over a single weekend. Although it was argued that this was a sophisticated attack, there is no denying that it relied on guesswork and a bit of luck too.
Having studied the FCA’s report in detail I am left in no doubt that mistakes were made. As a challenger bank, neither Tesco’s in-house experience nor their approach to risk was on point. In the heat of battle, basic errors compounded their problems.
Yet I am also left with an overwhelming feeling of déjà vu. I know from experience that businesses up and down the country will be making these very same mistakes every day. So, let’s put down the finger of blame and look in more detail at some of the things that went wrong over that fateful weekend in 2016. There are lessons here for everyone.
1. There is usually some intelligence prior to an attack
Visa had written an article about this very attack two years prior, with follow-up warnings issued to banks in 2015 and 2016. Most cyber-attacks aren’t novel, and statistics suggest that even those that are leverage vulnerabilities where patches had been available for over a year.
Industry and professional bodies regularly feature updates on the fraud and cyber risks faced by organisations. It’s 2018, and all businesses should take time to be aware of the current threat level and be streetwise to the methods being used.
If you operate within a sector under a specific threat – which includes accounting firms – you should already be on high alert. Get in touch with your local cybersecurity/fraud prevention group and join the Cybersecurity Information Sharing Partnership (CiSP) if you haven’t already done so.
2. Know that everything is insecure by default
In Europe, we’re quite familiar with contactless payments: you tap the point of sale terminal and wait for the bleep. Secure communication between the terminal and the chip in your card along with hard limits on the number and value of transactions help to protect you from fraud.
Outside of Europe, there is a second, less secure form of contactless payment referred to as ‘Contactless MSD’ or simply 'Pos 91'. Engineered as a mobile phone payment, there is no requirement for a physical card, PIN, signature or dynamic CVV (rotating security code). As it takes place under magnetic stripe rules there are also no limits on transaction numbers or value, which is exactly why this attack was so devastating. Whilst it was never intended that Tesco debit cards ever support this mode it is available to all Visa cards by default and it was never explicitly blocked.
In IT, you must assume that everything is insecure by default. All new systems, new hardware, new software and even an off-the-shelf debit card will come with a long list of features and settings which are intentionally weak to get you started quickly. A busy department may not have the time or even the organisational remit to fully explore these options. Cybercriminals, on the other hand, are adept at finding these kinds of flaws.
To the criminal this is the bread and butter of the work that they do: things left open that should have been closed, the option turned on which should be turned off, the weak default setting which should have been made more secure. It may take guesswork, an automated tool or a great deal of patience to find these exploits, but find them they will.
This is where things like penetration testing or full-blown red teaming come into their own: essentially where you pay a firm to break into your organisation. For large businesses like Tesco, a red team won’t be operating inside organisational norms and behaviours and is free to think like a criminal. A different set of eyes can be particularly good at challenging an overly-bureaucratic approach to something like cyber risk.
3. You are always vulnerable to brute-force attacks
Tesco issued their debit cards with random card numbers but did so from a relatively small pool of just 50,000. Subsequent batches were not released until the last pool was completely used up, so the net result was that thousands of valid debit cards were in circulation with sequential numbers. Although never intended, this meant that debit card numbers were relatively easy to guess.
Predictability is a common flaw within IT systems that criminals seek to uncover. Sequential numbering, or at least a finite set of possibilities, make the job of the cyber-criminal so much easier.
However long you think a password, a token, a filename or any form of identifier needs to be to be to be secure, it’s not enough. Cloud computing and shortcuts make it possible to guess a billion passwords in under a second these days. Researchers have proven that the three-digit ‘secret’ code on the back of a Visa card can be cracked with the help of 1,000 different online stores in just a few seconds.
Statistics suggest that over 50% of login traffic is people trying to break into accounts, so your systems need to be resilient against this constant brute-force barrage. Only additional, separate layers of protection such as two-factor authentication offer any possible protection against this type of risk.
4. All software has flaws
There were several coding errors which impacted both the transaction authorisation and the fraud screening stages of the card authorisation process at Tesco.
First off, the expiry date of the card was never checked against their internal record – only that it was some point in the future. This allowed any expiry date to work with a card number which had been guessed from the pool. Secondly, when the fraud strategy team initially coded the block to prevent further PoS 91 transactions, they made a typing error. Finally, the fraud detection software was operating at account level rather than card level which meant that when the blocking rules were eventually corrected, they proved ineffective against any accounts which had been issued with a replacement card.
Coding errors are a fact of life in IT. A complete range of test transactions which exercised the software end to end with incorrect card parameters, a full range of transaction types and both new and re-issued cards would have identified deficiencies. The resulting corrections to the software may have even killed this particular attack stone dead before it started. Following changes to the blocking rules, adequate monitoring would have quickly identified that the rule was ineffective and prompted a faster response.
Software development and configuration changes are all inherently error-prone activities. The pressure to get software out of the door or implement a ‘quick fix’ is naturally going to increase the risk of errors creeping in. The failure to patch software remains one of the leading causes of cyber insecurity. Once again, these are all mistakes that criminals regularly rely on – don’t fall foul of them.
5. You really haven’t done sufficient planning
During the Tesco attack, approximately 15 hours were lost because the fraud strategy team had been alerted by email rather than a phone call, which was against written procedures. When the out of hours team attempted to raise a P1 ‘highest level’ incident, the service desk refused to do so because the fraudulent transactions were not an IT matter. Attempts to contact the on-call Business Incident Manager failed because the rota did not list the correct telephone number. Finally, although there was a crisis management plan in place there was little in the way of clear guidance as to when it should be activated.
Major financial attacks happen out of hours and at weekends for a reason. Customers are asleep, day staff may not be contactable and the staff that are on duty may be thin on the ground or have insufficient authority or system access rights. Your planning is incomplete if you haven’t planned for an attack taking place whilst everyone is in bed. In short, you can never have ‘too much’ crisis planning.
Cybercrime is very much linked to organised crime. Attacking organisations large and small at scale for financial gain is rife. Criminals don’t care that you’re only a small firm of accountants or that you’re helping to cure cancer. The only want to part you from the money that’s in your bank account or use you to reach a suitably well-heeled customer and do the same.
You don’t have to rely on luck, however. The intelligence is out there. Use it and take the simple steps necessary to protect your business today.