Tesco Bank hit with £30m fine for computer breach

According to a Sky News exclusive, the FCA is set to clobber Tesco Bank with a fine of £30m over the data breach in late 2016, where £2.5m was snaffled from thousands of its customer’s current accounts. Except it turned out it wasn’t; only fifty accounts were actually plundered, not for very much, and it was all sorted.

So how does this warrant such a huge fine? It’s hard to see, but the first two theories I have are that Sky News has got of wrong, or the FCA has gone seriously bonkers. If they’re touching miscreant institutions for £600K per customer inconvenienced, RBS and NatWest are toast.

So what’s it all about? Well we don’t know what Tesco Bank actually did. My best guess is that someone cloned cards and cashed out at ATMs. That’s the easiest way, and there is no evidence this was widespread or sophisticated. And its interesting that only current accounts were hit; not credit – which is where the big money is in retail banking fraud.

But that’s just a guess. Why would the FCA be so exercised about some card fraud?

There is not shortage of other theories. There is the usual criticism of the patent company and its insecure non-banking systems. The usual unpatched server card is played. Yes, everyone knows Tesco self-checkouts use Windows XP. There ate criticisms of the lack of protective monitoring. Lack of AV. But this comes from commentators whose employer’s business is selling such things. There is talk of an inside job, which is possible but they didn’t take them for much if it was.

So if the FCA is really that cross with Tesco Bank, why?

The question no one is asking is why Tesco Bank announced a major breach, affecting so many people? Here I’m stacking guesses, but just for fun…

If I’m right about it being ATM bandits, could it be that staff investigating found something horrible and hairy, and jumped to the conclusion it was behind it? They did the right thing, and told everyone about the vulnerability, but the black hats hadn’t. The FCA would have been unimpressed, regardless of the consequences, and whacked them according.

If I’m right, it’s a bit rough on Tesco Bank, fined as a result of being robbed. But this is all one guess based on another. The truth may be still stranger.

Is HSBC’s voice identification really secure?

I was woken by Radio 4 this morning with news that HSBC (and First Direct) will be rolling out voice identification software as a replacement for the “cumbersome” password-based system currently in use. I’ve been using this cumbersome system for more than twenty years, and I can’t say I have any problem with it – ten seconds and you’re in; and time has proven it reasonably secure.

But this new biometric “voice-print” system sounds a tad more dodgy to me. It comes from Nuance Communications, and apparently it checks over 100 unique identifiers in someone’s voice, including speed and behavioural features and maps the sound it’s hearing back to physical features such as the shape of the larynx and nose. The technology might be better remembered as Dragon Dictate from the 1990’s, although Nuance has been working on the biometric aspects for some time, and recently announced Santander was going to use it in Mexico.

I’m naturally suspicious of any biometric identification method apart from retinae scans, having looked at many such schemes over the years. They’re generally vulnerable to amounts to “replay” attacks. Fingerprint or face recognition can usually be fooled relatively simply with a picture of the real thing. So what’s to stop a replay recording of someone’s voice? Nothing, as far as I can tell.

When the BBC asked about recordings being played back they were told that any recording process would lose the subtleties of live speech, and the BBC seemed happy with that. Well I’m not! The way telephones work these days, your voice is sampled, encoded in to very few bps and sent. How is this going to look any different to a recording? You can store and repeat a section of telephone call digital data easily enough and it’s bound to be indistinguishable.

I can see some solutions – the system could ask you to repeat some random phrase back instead, and word recognition could determine whether you said the right thing after the biometric recognition matched the voice print. But this isn’t the answer the BBC got.

I’m awaiting more information…

HSBC had a bad January with cyber-attacks. Is this some ill-conceived scheme to try and change the news agenda?


Chip and Pin is Definitely Not Safe

I’ve always had my doubts about Chip and Pin (or EMV to give it its proper name). We’ve all heard stories of people having cards stolen and used, when this should be impossible without the PIN. There are also credible stories of phantom withdrawals. The banks, as usual, stonewall; claiming that the victim allowed their PIN to be known, and that it was impossible for criminals to do this while you still had the card so someone close to you must be “borrowing” it.

In the old days it was very easily  to copy a card’s magnetic strip – to “clone” the card. Then all the criminals needed was the PIN, which could be obtained by looking over someone’s shoulder while they entered it. Cash could then be withdrawn with the cloned card, any time, any place, and the victim wouldn’t know anything about it. Chip and Pin was designed to thwart this, because you can’t clone a chip.

Well, it turns out that you don’t have to clone the card. All you need to do is send the bank the same code as the card would, and it will believe you’re using the card. In theory this isn’t possible, because the communications are secure between the card and the bank. A team of researchers at Cambridge University’s Computer Lab has just published a paper explaining why this communication isn’t secure at all.

I urge to you read the paper, but be warned, it’s unsettling. Basically, the problem is this:

The chip contains a password, which the bank knows (a symmetric key) and a transaction counter which is incremented each time the card is used. For an ATM withdrawal this data is encrypted and sent to the bank along with the details of the proposed transaction and the PIN, and the bank sends back a yes or no depending on whether it all checks out. It would be fairly easy to simply replay the transaction to the bank and have it send back the signal to dispense the money, except that a  random number (nonce) is added before its encrypted so no two transactions should be the same. If they are, the bank knows it’s a replay and does nothing.

What the researchers found was that with some ATMs, the random number was not random at all – it was predictable. All you need do is update your transaction with the next number  and send it to the bank, and out comes the dough. It’s not trivial, but its possible and criminals are known to be very resourceful when it comes to stealing money from ATMs.

What’s almost as scary is how the researchers found all this out: partly by examining ATM machines purchased on eBay! (I checked, there are machines for sale right now). There’s a bit of guidance on what random means in the latest EMV specification; the conformance test simply requires four transactions in a row to have different numbers.

It’s inconceivable to me that no one at the banks knew about this until they were tipped off by the researchers earlier this year. Anyone with the faintest clue about cryptography and security looking at code for these ATMs would have spotted the flaw. This begs the question, who the hell was developing the ATMs?

In the mean time, banks have been trying to pretend to customers than phantom withdrawals on their accounts must be their fault and refusing to refund the money, claiming that Chip and Pin is secure. It’s not, and a day of reckoning can’t come too soon.

Credit for the research goes to  Mike Bond, Omar Choudary, Steven J. Murdoch,Sergei Skorobogatov, and Ross Anderson at Cambridge. Unfortunately they’re probably not the first to discover it as it appears the criminals have know about it for some time already.


Overdraft charges ruling

“The People’s” wonderful new Supreme Court has ruled that the Office of Fair Trading can’t investigate the rip-off fees charged by banks for unauthorised overdrafts. “Quite right”, chorus the smug idiots, “we’ve always got enough money in our accounts!”

The British Bankers Association is, of course, delighted. It had been putting out the propaganda that customers would be charged for simply having bank accounts if they lost, because otherwise they wouldn’t be able to make a profit. Hello?!? That’s not how banks operate and they should be ashamed of themselves. And the smug rich people should be ashamed too – if their argument is correct then their free banking is being subsidised by the poor. (Incidentally, in case no one’s told you before, banks make a profit by paying savers a lower interest than borrowers, lending out considerably more than is deposited I might add, and pocketing the difference).

It’s a practical necessity to have a bank account if you live in this country, and banks are clearly exploiting this fact. Would the (old) Law Lords not have done something about this obvious problem?

And as for the numerous spokespersons for the banking industry trotting out statistics that this issue doesn’t affect most customers anyway, they must be joking! As well as the financially challenged, this affects everyone who’s paid in a cheque that’s bounced, everyone who’s suffered a bank error and everyone who’s employer has messed up the payroll run (often a problem with the bank themselves). It’s really easy to end up overdrawn on a current account, through no fault of your own, even if you have plenty of spare cash with the bank in a deposit account. This two-account approach is necessitated by the customer-unfriendly ‘financial product’ culture the banks themselves operate.

The people who are going to suffer from this are the normal hard-working types who operate through a current account and save a little for a rainy day. One simple mistake made by someone else and they’re stuck with a load of ridiculous charges. If you’ve got a lot of money in your deposit account, a quick call threatening to move your cash elsewhere gets rapid results. If you’re not in this happy position I wouldn’t rate your bargaining power.

The banks should be thoroughly ashamed of themselves, but I expect they’re too busy pocketing their taxpayer-underwritten bonuses to even notice.

It’s no surprise that New Labour is letting them get away with it, but there’s a deafening silence coming from the other parties too. Scared to upset the bankers?