Webster's pieces from The Oldie
Webster's Webwatch

Robbing banks

January 2017

You will recall that round about Guy Fawkes day Tesco Bank was robbed; it detected “suspicious activity” in its current accounts and about 9,000 of them had money removed, resulting in a theft of about £2.5m in total.

I’ve never understood why Tesco feel they need to own a bank, anyway; it feels like hubris to me.  But then I still can’t get used to Marks and Spencer selling food, either; perhaps it’s just me. 

Tesco Bank has refunded the stolen money quickly but they have been tight-lipped about what happened because there is a police investigation underway. I should hope that there is.

I’ve been talking to some computer security experts, and the consensus is that this robbery was probably a very old-fashioned inside job, rather than a cunning computer hack by a shady foreign power devised and delivered over the internet from afar. In short, someone probably unlocked the electronic door to let the thieves in.

In the old days, when you robbed a bank, you might dig a tunnel into the vault, but far simpler was to have an accomplice in the bank who left a door open and gave you the combination of the safe. The customers of the bank were unaware; their bank statements did not reflect the theft; it was just up to the bank to call the police and then make sure that they had enough cash in hand to meet their customers’ instructions.

What’s different about the Tesco raid is that the thief changed the balances of 9,000 accounts in the bank’s books, sending cash electronically to goodness knows where. This has two implications: first, it is harder for the bank to spot, as customers make these sorts of transactions all the time, and second, it’s quite possible that not all the thefts have been noticed yet. Some people barely glance at bank statements if the number in the bottom right-hand corner is about big enough.

However, it certainly points to the likely method used by the crooks. Whilst the sheer number of transactions involved certainly indicates an electronic burglar, there was obviously a human Moriarty behind it, and he was almost certainly using leaked data about customers.

The most likely scenario, it is speculated, is that someone with access to the customer database (it need not be an employee, it could be a contractor) was able to get hold of the passwords of 40,000 or more customers, and then an automated attempt was made to access all those accounts and transfer relatively modest amounts elsewhere.

Once 40,000 accounts had been attacked (and it may only have taken a few seconds) the bank commendably smelt a rat and shut things down.  Many of those attempts failed, perhaps because the list was elderly, and some passwords had been changed, but in 9,000 cases it succeeded, and the thieves made away with £2.5m, just as if they had tunnelled into the vault and helped themselves.

So, does this mean that banks that provide an online service are an unsafe place for your money?  No, it doesn’t; even before computers, they were at risk of a crooked clerk letting burglars in through the back door. 

However, it does suggest that all companies must take the security of their data more seriously than perhaps Tesco Bank did.    

It has long been a complaint of mine that not enough of the senior management of most companies understand how their computers work, or what risks they are running every day.  No organisation is immune from this sort of attack and they need to put security in place to guarantee the safety of their data, old and new, even if it should fall into the wrong hands.