Tesco Bank hit with £30m fine for computer breach

According to a Sky News exclusive, the FCA is set to clobber Tesco Bank with a fine of £30m over the data breach in late 2016, where £2.5m was snaffled from thousands of its customers’ current accounts. Except it turned out it wasn’t; only fifty accounts were actually plundered, not for very much, and it was all sorted.

So how does this warrant such a huge fine? It’s hard to see, but the first two theories I have are that Sky News has got it wrong, or the FCA has gone seriously bonkers. If they’re touching miscreant institutions for £600K per customer inconvenienced, RBS and NatWest are toast.

So what’s it all about? Well we don’t know what Tesco Bank actually did. My best guess is that someone cloned cards and cashed out at ATMs. That’s the easiest way, and there is no evidence this was widespread or sophisticated. And it’s interesting that only current accounts were hit; not credit – which is where the big money is in retail banking fraud.

But that’s just a guess. Why would the FCA be so exercised about some card fraud?

There is no shortage of other theories. There is the usual criticism of the parent company and its insecure non-banking systems. The usual unpatched server card is played. Yes, everyone knows Tesco self-checkouts use Windows XP. There are criticisms of the lack of protective monitoring. Lack of AV. But this comes from commentators whose employers’ business is selling such things. There is talk of an inside job, which is possible, but they didn’t take them for much if it was.

So if the FCA is really that cross with Tesco Bank, why?

The question no one is asking is why Tesco Bank announced a major breach, affecting so many people? Here I’m stacking guesses, but just for fun…

If I’m right about it being ATM bandits, could it be that staff investigating found something horrible and hairy, and jumped to the conclusion it was behind it? They did the right thing, and told everyone about the vulnerability, but the black hats hadn’t used it. The FCA would have been unimpressed, regardless of the consequences, and whacked them accordingly.

If I’m right, it’s a bit rough on Tesco Bank, fined as a result of being robbed. But this is all one guess based on another. The truth may be still stranger.

Are you a Tesco bank customer? Please verify your details. Spam meets salami.

I’m surprised I haven’t seen any phishing emails targeting hapless Tesco Bank customers following the publicity surrounding the weekend’s account raids. Give them a few more minutes.

Details on what happened are very thin on the ground. This morning on R4 Today they were saying a few thousand, but less than 10K customers had been affected. Estimates are now going up to 20K. But what’s interesting is this appears to be close to a good old fashioned salami raid, a term that the newbies in security may not even have heard of.

A salami raid got its name from thinly cut salami (a kind of foul-smelling sausage). If you cut off a thin slice, no one will notice, and if you do this to a large number of unfortunate sausages, none of their owners are likely to spot it, but you’ll end up with a lot of processed meat.

Traditionally this approach was employed by computer programmers diverting pennies from a large number of accounts into their own, but it’s unlikely to be the case with Tesco. The spotlight is likely to fall on people making use of the on-line banking facility to enrich themselves using other people’s logins, although I find it curious that accounts weren’t emptied while they had the chance.
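The classic salami pattern is hard to spot per account but easy to spot in aggregate: one destination quietly collecting tiny debits from a great many sources. The check below is an added illustration, not anything from the post or from Tesco Bank; the ledger is constructed sample data and the thresholds are arbitrary assumptions.

```python
from collections import defaultdict

# Constructed sample ledger: (source_account, destination, amount_in_pence).
# Twelve accounts each lose a few pence to the same destination, buried among
# ordinary spending. None of this is real transaction data.
LEDGER = [("acct-%03d" % i, "dest-slice", 5 + i) for i in range(12)] + [
    ("acct-001", "shop-A", 4599),   # normal purchase
    ("acct-002", "shop-B", 80),     # small, but only two sources use shop-B
    ("acct-003", "shop-B", 60),
    ("acct-004", "shop-C", 1250),
]


def salami_candidates(ledger, max_slice_pence=100, min_sources=5):
    """Flag destinations that receive small debits from many distinct accounts.

    Returns {destination: (distinct_source_count, total_pence)} for every
    destination whose small-value inflows come from at least `min_sources`
    different accounts. Both thresholds are assumed values for the example.
    """
    by_dest = defaultdict(lambda: {"sources": set(), "total": 0})
    for src, dst, amount in ledger:
        # Only "thin slices" count: positive and below the slice ceiling.
        if 0 < amount <= max_slice_pence:
            by_dest[dst]["sources"].add(src)
            by_dest[dst]["total"] += amount
    return {
        dst: (len(rec["sources"]), rec["total"])
        for dst, rec in by_dest.items()
        if len(rec["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for dst, (n, total) in salami_candidates(LEDGER).items():
        print(f"{dst}: {n} source accounts, {total}p in small debits")
```

The per-account loss is a few pence, so balance-based alerts never fire; grouping by destination is what surfaces the pattern.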

Google Nexus TV uses Atom

The Nexus TV box that Google just announced is the company’s latest attempt to take over the living room (after Chromecast). This one runs Android 5, so punters can download and run apps from Google Play. This will include games, of course, and there is to be an optional games hand controller. However, what no one seems to have noticed is that the Nexus TV box has an Intel processor, not an ARM.

Simple apps are written in CPU-independent Java code, or, strictly speaking, bytecode for a similar VM, either Dalvik or ART depending on which version of Android you have. It’s interpreted on the target platform, and therefore slow. When high performance is needed, code has to be written in C and compiled to native code (i.e. using the NDK). This hasn’t been a problem thus far, as all Android devices on the market used the ARM core, and were machine-code compatible. I wonder how many games are written this way? Quite a few, probably.

Tesco has also just launched a non-ARM Hudl tablet. The mass media has yet to comment.

Tesco really doesn’t like journalists

I just had a most interesting experience at Tesco in Watford. I went to take a picture with a mobile phone and was suddenly surrounded by burly security guards. Apparently it’s company policy that no one is to take pictures in Tesco, or even Tesco car parks. How odd!

Okay, it’s private property and they can make up whatever rules they like. If you need a shot of their pick and mix, you’ll need a long lens so you can stand on the road outside. But it begs the question, are they stark raving mad?

Luckily a manager turned up pronto (presumably someone pressed the panic alarm), and I persuaded her to send the security people away while she explained – in fact the outcome was very satisfactory from my perspective, and should I ever need to speak to a manager within 30 seconds again, I now have a sure-fire method.

As a long-time hack, I know what I’m about when it comes to taking pictures. Normally, when you’re taking photographs with a camera on a mobile phone, it’s pretty clear you’re not doing so for commercial reasons and it’s unusual for anyone to complain. Okay, if I had my big press camera with me, I’d certainly have asked permission to photograph/film. Or I’d have used a hidden camera. But it wasn’t like that – in fact I was shooting the contents of my shopping trolley as a record – obviously domestic use only, and I even mentioned to a member of staff nearby that I was getting a shot of that if he had no objections.

So can they do this? Well it’s not illegal. They can make up any rules they like about who can and who can’t enter their premises and if they want to ban people taking photographs, they can. They could get a court order and bar you from every Tesco store in the country. What they can’t do (if this happens to you) is make you delete any photographs you have already taken, and neither can they touch you or your camera – that’s common assault.

But why should it come to this? Surely Tesco doesn’t hate journalists? Actually, I doubt they even realised. But on asking around, they have form in this respect. Had I known of Patrick Collinson’s experiences I’d have been prepared, but he was writing in The Guardian when he was nabbed for noting down prices.

So is this one store going bonkers (I’ve not had any bother at my local Tesco, although I don’t often shop there these days)? I set out to find a security guard who’d talk, and it didn’t take long (but he’s not from Watford, in case anyone from Tesco is reading this!)

Apparently, the only photographs allowed are general ones of the exterior of the shop. If you’re audacious enough to snap something specific, like an advert, or one of their products, their instructions are to “ask you why, and ask you to stop”. Obviously the “why” is out of politeness. And if you’re inside the shop, forget it! You need special permission from the duty manager, sign in and have to wear a visitor’s badge. Want to shoot some grocery or other and send it to your other half for approval? Not in Tesco, you don’t.

It gets worse! Should you try this and then refuse to stop, Tesco security is instructed to detain you, call the cops and try to have you charged under Blair’s masterpiece, the Prevention of Terrorism Act [2005]. [I think he may be confusing this with the Regulation of Investigatory Powers Act 2000]. Boggle! I asked if he thought someone was pulling his leg, but apparently Tesco reckons that people taking pictures may be doing so in order to choose locations for placing bombs. They had some bother in 2007 with bomb hoaxes, and therefore this policy is for “our” protection. Somehow, without photographs, it must be very difficult to leave a bomb behind. Doesn’t that make you feel safer?

Or perhaps they’re still smarting after that YouTube video of the horseburger skit.

I’ve written to Tesco for a clarification of this, but they have so far declined to comment. I certainly can’t find anything to suggest this is a genuine policy in writing, and I don’t recall ever seeing any “no photography” signs up. But my source was adamant. Perhaps it’s a myth. I hope so. One incident like this, or Patrick Collinson’s, won’t damage their business much in itself, but every little helps.