The cause of the Tesco bank hack is not yet known, although security firm Digital Shadows has been narrowing down the possible causes that led to the criminals siphoning off $3.1 million from customers’ bank accounts.
Tesco at first believed that up to 20,000 customers may have been affected by the cyberattack on November 5 and 6, although the investigation has since revealed that around 9,000 customers had funds taken from their accounts.
The attackers first attempted to take a small amount, around $25, from each customer's account. If that transaction succeeded, a second, larger transaction of between $620 and $990 followed.
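The two-stage pattern just described (a small probe debit, then a much larger debit if the probe clears) is something a bank's fraud monitoring can look for directly. The following added example, which is not from the article or from Digital Shadows, flags accounts showing that sequence and then measures how many flagged accounts cluster in one time window, since a few thousand accounts hit inside 48 hours is what separates a campaign from isolated card fraud. The thresholds (`PROBE_MAX`, `FOLLOW_RATIO`, `WINDOW`) and the ledger rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for this example, not figures from the report.
PROBE_MAX = 30.0              # a "test" debit is anything up to this amount
FOLLOW_RATIO = 10.0           # the cash-out must be at least this many times larger
WINDOW = timedelta(hours=48)  # probe and cash-out must fall inside this window


def parse_ledger(rows):
    """Group debits by account, sorted by time. rows: (account, iso_ts, amount)."""
    by_account = defaultdict(list)
    for account, ts, amount in rows:
        by_account[account].append((datetime.fromisoformat(ts), float(amount)))
    for debits in by_account.values():
        debits.sort()
    return by_account


def find_probe_then_cashout(rows):
    """Return {account: (probe_time, cashout_time, probe_amt, cashout_amt)} for
    accounts showing a small debit followed, within WINDOW, by a much larger one."""
    hits = {}
    for account, debits in parse_ledger(rows).items():
        for i, (t_probe, a_probe) in enumerate(debits):
            if a_probe > PROBE_MAX:
                continue
            for t_next, a_next in debits[i + 1:]:
                if t_next - t_probe > WINDOW:
                    break  # debits are time-sorted, nothing later can qualify
                if a_next >= FOLLOW_RATIO * a_probe:
                    hits[account] = (t_probe, t_next, a_probe, a_next)
                    break
            if account in hits:
                break
    return hits


def peak_accounts_in_window(hits, window=WINDOW):
    """Largest number of distinct flagged accounts whose cash-outs fall inside one
    sliding window: the fleet-level signal that distinguishes a coordinated
    campaign from fraud against single accounts."""
    times = sorted(h[1] for h in hits.values())
    best = 0
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        best = max(best, count)
    return best


# Constructed sample ledger (account, ISO timestamp, debit amount); not real data.
SAMPLE_LEDGER = [
    ("acct-001", "2016-11-05T01:10:00", 25.00),
    ("acct-001", "2016-11-05T03:40:00", 640.00),   # probe then cash-out
    ("acct-002", "2016-11-05T01:12:00", 24.50),
    ("acct-002", "2016-11-05T02:05:00", 980.00),   # probe then cash-out
    ("acct-003", "2016-11-05T09:00:00", 12.00),
    ("acct-003", "2016-11-05T18:00:00", 45.00),    # ordinary spending, ratio too low
    ("acct-004", "2016-11-05T01:15:00", 26.00),    # probe with no follow-up
    ("acct-005", "2016-11-01T10:00:00", 20.00),
    ("acct-005", "2016-11-05T10:00:00", 700.00),   # large debit, but four days later
]

if __name__ == "__main__":
    hits = find_probe_then_cashout(SAMPLE_LEDGER)
    for account, (t0, t1, a0, a1) in sorted(hits.items()):
        print(f"{account}: {a0:.2f} at {t0} then {a1:.2f} at {t1}")
    print("peak flagged accounts in one window:", peak_accounts_in_window(hits))
```

The per-account rule on its own will also catch legitimate behaviour (a small purchase followed by a large one), so in practice the per-account hit is a weak signal and the clustered count across many accounts is what should page an analyst.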
Tesco Bank is investigating the cyberattack, as is the National Crime Agency, although few details have so far been released on how the perpetrators managed to pull off such a major heist.
Digital Shadows has now completed its analysis, and while no possibilities have been eliminated, the company has managed to determine which methods were most likely used in the attack.
The analysis used the Analysis of Competing Hypotheses (ACH) technique to assess how consistent or inconsistent each available data point was with each of a range of hypotheses.
According to Digital Shadows, “ACH uses a weighted inconsistency algorithm to assign numeric values, weighted by the assessed reliability and relevance of each data point, which represent the degree of inconsistency of the available evidence with a given hypothesis.”
Digital Shadows tested four hypotheses to determine the likelihood of each being used by the criminals. These were:
- H1 – A payment system compromise involving an internal or external intrusion
- H2 – A cash-out operation using a banking Trojan
- H3 – A cash-out operation using cloned bank cards
- H4 – A cash-out operation using bank card information obtained from multiple sources (for example, third-party site compromises or POS malware)
Digital Shadows determined that hypotheses H2 and H4 were less likely based on the information available. The most likely cause of the Tesco Bank hack was H3, a cash-out operation using cloned bank cards. This was deemed the easiest way for the attackers to have pulled off the attack, although H1 was also considered a likely cause.
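To make the weighted-inconsistency scoring described above concrete, here is an added example, not code from the article or from Digital Shadows, that scores the four hypotheses H1 to H4 against a small evidence matrix. Each evidence item carries a reliability and a relevance (both 0 to 1) whose product is its weight; a hypothesis accumulates that weight for every item rated inconsistent with it, so the lowest score is the best-supported hypothesis. The data points are the facts reported in the article, but the ratings, weights, and the double-weighted `II` code are this example's own illustrative assumptions, chosen so the output matches the ordering the analysis reached; they are not the firm's actual matrix.

```python
from dataclasses import dataclass

# Inconsistency weight per rating. C = consistent, N = neutral / not applicable,
# I = inconsistent, II = strongly inconsistent (assumed here to count double).
RATING_WEIGHT = {"C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}


@dataclass
class Evidence:
    label: str
    reliability: float  # 0..1: how much the source of the data point is trusted
    relevance: float    # 0..1: how much the data point bears on the question
    ratings: dict       # hypothesis id -> rating code

    def weight(self) -> float:
        return self.reliability * self.relevance


def inconsistency_scores(hypotheses, evidence):
    """Weighted inconsistency per hypothesis; lower means better supported."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            code = item.ratings.get(h, "N")  # unrated cells count as neutral
            scores[h] += item.weight() * RATING_WEIGHT[code]
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Hypothesis ids ordered from least to most inconsistent (ties broken by id)."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores, key=lambda h: (scores[h], h))


def diagnostic_evidence(hypotheses, evidence):
    """Items whose ratings actually separate the hypotheses. An item rated the
    same way for every hypothesis changes no relative score and can be dropped."""
    out = []
    for item in evidence:
        weights = {RATING_WEIGHT[item.ratings.get(h, "N")] for h in hypotheses}
        if len(weights) > 1:
            out.append(item.label)
    return out


HYPOTHESES = {
    "H1": "payment system compromise (internal or external intrusion)",
    "H2": "cash-out using a banking Trojan",
    "H3": "cash-out using cloned bank cards",
    "H4": "cash-out using card data from multiple sources",
}

# Constructed matrix: data points are the reported facts; ratings and weights
# are illustrative judgements made for this example only.
EVIDENCE = [
    Evidence("E1 probe debit (~$25) then $620-$990 debit per account", 0.9, 0.8,
             {"H1": "N", "H2": "C", "H3": "C", "H4": "C"}),
    Evidence("E2 roughly 9,000 accounts debited inside 48 hours", 0.9, 0.9,
             {"H1": "C", "H2": "II", "H3": "C", "H4": "I"}),
    Evidence("E3 bank states no customer data loss and no rogue employee", 0.7, 0.5,
             {"H1": "C", "H2": "N", "H3": "N", "H4": "N"}),
    Evidence("E4 no public detail of an intrusion into bank systems", 0.5, 0.6,
             {"H1": "I", "H2": "N", "H3": "N", "H4": "N"}),
]

if __name__ == "__main__":
    scores = inconsistency_scores(HYPOTHESES, EVIDENCE)
    for h in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{h}  inconsistency={scores[h]:.2f}  {HYPOTHESES[h]}")
    print("diagnostic items:", diagnostic_evidence(HYPOTHESES, EVIDENCE))
```

Two points carry over from the method to practice: the ranking is only as good as the reliability and relevance estimates, so those should be recorded alongside the ratings and revisited as the investigation releases more facts; and `diagnostic_evidence` shows that items consistent with everything (E1 and E3 here) do not move the answer, which is why ACH concentrates attention on the few data points that discriminate.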
While the details are not known, Tesco has confirmed that customer data were not compromised and that the heist was not pulled off by a rogue employee. This suggests the hackers managed to infiltrate Tesco’s systems rather than obtaining customers’ account credentials.
According to Digital Shadows, “the actors responsible reportedly targeted 40,000 within a 48-hour period. This would likely have required substantial resources and a well-organized logistics network to support the process of cashing out the targeted accounts and laundering the money obtained within such a short timeframe.” This strongly suggests the attack was carried out by a well-organized criminal group.