
Tag: Tesco

Tesco glitch causes online delivery chaos across the UK

Home deliveries are being canceled at random or delayed, and customers are not happy.

Tesco Renews Longstanding IT Services Contract with Sopra Steria

London, 1 June 2017 – Sopra Steria, the European leader in digital transformation, has today announced a renewal of its contract with leading global retailer Tesco.
Sopra Steria will continue its support and development of the retail giant's crucial IT services, including distribution, stock replenishment, product, pricing and payroll systems.

The three-year renewal, which extends a partnership dating back to 1985, recognises Sopra Steria's proven track record of continual management and enhancement of Tesco's core... Source: RealWire

Winners announced: 2016 UK & Ireland Employee Engagement Awards in Association...

Winners include: Virgin Trains, Tata Consultancy Services, McDonald's Europe, Heathrow Airport and Tesco Bank. The victorious were announced at a Gala ceremony at Wembley Stadium last night.

London – January 27, 2017 – The 2016 UK Employee Engagement Awards in association with People Insight, today announces its winners - the companies that put workforce engagement at the heart of their business strategy. Founder and CEO Matt Manners said: "The world of engagement is evolving and creating positive... Source: RealWire

Rethink on bank cybersecurity rules might only follow major bank breach,...

Banks 'effectively unregulated on cybersecurity' It might take a major bank to fail as a result of a cyber attack for meaningful changes in cybersecurity practices, regulation and governance in the UK banking market to be implemented, a leading industry commentator has said. In an interview with Out-Law.com, professor Richard Benham, chairman of the National Cyber Management Centre, expanded on earlier comments he provided to the BBC. He reiterated his view that there will be a run on a bank in 2017 as a result of customers losing confidence in the security of their funds following a cyber attack, and said more formal regulation of cybersecurity is needed in UK banking. Benham said that, despite the existence of Bank of England guidance, the banking industry is currently "effectively unregulated on cybersecurity".

There is a lack of "mandated standards", he said, and that these should be put in place. "At the moment there is a tendency to leave banks to manage their own security," Benham said. The Tesco Bank incident, and the attacks carried out via the SWIFT banking system, such as those that affected Bangladesh’s central bank and Ecuadorian bank Banco del Austro, should "serve as a wake up call" to industry over cybersecurity vulnerabilities, he said. However, he said he believes some banks appear too willing to sacrifice an element of security when working on initiatives aimed at enhancing the customer experience, in response to consumers' demand for faster means of transferring money. Citing the greater regulation banks have faced since the "credit crunch" as an example, Benham predicted, though, that "it might take a major failure" of a bank, stemming from a successful cyber attack and subsequent run on the bank as customers seek to withdraw funds, to prompt tighter regulation of cybersecurity of banks by central banks, governments and regulators. Benham said that the Tesco Bank case showed that banks can fall victim to hackers and that leading industry figures admit that, should attacks be successful, it is inevitable customer funds will be stolen. Online-only banks are perhaps more vulnerable to reputational damage, loss of customer confidence and a subsequent run on funds, should a cyber attack knock-out their systems, Benham said. High street banks, able to deal with issues in-branch, might be able to better respond to customer concerns and issue refunds quicker in the event they are hit by such an attack, he said. The ability to reassure customers about the security of their funds, and issue refunds speedily, will be vital to a bank should they fall victim to a cyber attack, he said.

Bank customers are likely to show "a degree of apathy" towards a bank's cybersecurity failings if they are promptly refunded for any losses they have sustained, he said. At the moment, the true scale of losses banks suffer from cyber attacks is unknown, Benham said.

This is because banks are able to disguise figures under the generic 'fraud' label, he said. However, he said the forthcoming General Data Protection Regulation (GDPR), with its new data breach notification obligations, is likely to bring a greater number of such attacks to light, as well as more details about their impact. He said it is hard to predict what impact that might have on customer confidence and their eagerness to move money out of accounts. Last month, Andrew Tyrie, chair of the UK parliament's Treasury Select Committee, said the current "lines of responsibility and accountability for reducing cyber threats" in banking "appear to be somewhat opaque".

Tyrie said the UK should consider reorganising its governance of cyber risk in financial services so that there is "a single point of responsibility". Copyright © 2016, Out-Law.com. Out-Law.com is part of international law firm Pinsent Masons.

Distributed Guessing Attack Reels in Payment Card Data

Academics at Newcastle University have proven that an attacker in possession of a minimal amount of existing information can, in an automated way, guess payment card data by exploiting weaknesses in online payment processes. The issue lies in the fact that the global payment system lacks a centralized mechanism for monitoring invalid payment attempts across multiple websites. Using a purpose-built bot, an attacker can try multiple guesses on different websites until they land on all the necessary information without triggering a warning. The attack works only against Visa’s payment ecosystem, the researchers said, adding that their experiments against 400 of the top-rated Alexa websites, including PayPal and Amazon rendered card numbers, expiration dates, CVV numbers and additional data in a matter of seconds. The attack scales and is practical, the researchers caution.

The vulnerabilities and research were disclosed in advance to Visa and a number of the affected top websites, some of which have mitigated the attack.
Visa said that the paper "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?" does not take into account its fraud prevention systems that protect against such attacks. Mohammed Aamir Ali, one of the report's coauthors, said that the research does indeed demonstrate how advanced attackers could exploit Visa's multiple layers of fraud protection. "This is about trying to stay one step ahead of the criminals, pushing the system, finding the flaws and learning from that," Ali said. Ali and his coauthors Budi Arief, Martin Emms and Aad van Moorsel advocate for a centralized system of security checks across transactions to be implemented to prevent what the paper describes as a distributed guessing attack. "This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions," the researchers wrote. "We will show that this attack would not be practical if all payment sites performed the same security checks." It has been reported as well that the attack against Tesco Bank, a U.K. retail bank, in which 20,000 account holders reported missing money, may have been carried out using this distributed guessing attack. "We don't have enough evidence to support this claim," Ali told Threatpost. The research was carried out against Visa and MasterCard; MasterCard has a centralized network that detects such guessing attacks after 10 tries, even if the 10 guesses are distributed across a number of sites.
Visa does not have such checks, the researchers wrote. "Attackers can just start with a laptop connected to the internet," Ali said. "As a starting point, they will need the first six digits, also called the Bank Identification Number (BIN) of a bank, which is publicly available through the internet." The paper points out that there are two weaknesses being exploited here, and standing alone, each is relatively benign. Used together, however, and the researchers believe they are a risk to the entire global payment system. Payment systems, the researchers wrote, often do not detect invalid payment requests on the same card from different websites. "Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts," the researchers wrote. The second weakness enables the attack to scale.

Different websites, for example, provide for different fields where card information can be entered; some merchants require a primary account number, expiration date, CVV number and address, while others require less information. “Starting with a valid card number (PAN), to guess the expiry date an attacker can utilize several merchants’ websites that check only two fields: the card number and the expiry date,” the researchers wrote. “Once the expiry date is known, the attacker can use it along with the card number to guess the CVV2 information using another set of websites that check 3 fields (the card number, the expiry date, and the CVV2).” The researchers built a bot and used automated scripts written in the Java Selenium browser automation framework to automate the guessing of card information across numerous sites.

The group’s experiments were run on Firefox and the bot did the heavy lifting of inputting and guessing values for each field.
The researchers said that CVV numbers can be obtained in fewer than 1,000 guesses, and the expiration date in 60 tries. "If all merchants would use three fields and ask for expiry date as well as CVV2, then it may take as many as 60 x 1,000 = 60,000 attempts," the researchers wrote. "The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close to impractical attack." The researchers notified Visa and 36 of the top websites affected by the vulnerabilities. Within four weeks, they'd received 20 responses from people requesting more details, while the rest were automated responses.

Eight of the 36 websites patched the weakness by either adding delay or velocity filters, or CAPTCHAs, for example.

Twenty eight of the notified websites have yet to mitigate the issue. The researchers meanwhile suggest industry-wide changes such as merchants standardizing on the same payment interface, which would reduce the scale of the attack, or centralization where payment gateways or card payment networks have a full view of payment tries on their networks. "Neither standardization nor centralization naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection," the researchers wrote. "It is up to the various stakeholders to determine the case for and timing of such solutions."
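The mitigation argument above (per-site attempt limits are defeated by spreading guesses across sites, while a counter held centrally by the card network is not) is easy to see in a small simulation. The following is an added illustration, not code from the Newcastle paper or from any card network: it replays a constructed attempt log for one card number through a velocity filter scoped either to a single merchant or to the whole network. The merchant names, the per-site lockout of 3 failures and the test card number are assumptions; the network-wide threshold of 10 is the figure the article attributes to MasterCard.

```python
"""Velocity filtering for card-detail guessing: per-merchant vs. network-wide.

Added illustration (not code from the paper or from Visa/MasterCard). A guess
budget enforced by each website on its own is defeated by distributing guesses
across many websites; a counter kept per card at the network level is not.
Merchant names, limits and the attempt log are constructed for this demo.
"""
from collections import Counter

PER_SITE_LIMIT = 3    # assumed: a typical per-merchant lockout after 3 failed tries
NETWORK_LIMIT = 10    # cross-site threshold the article attributes to MasterCard


def replay(attempts, scope, limit):
    """Replay (merchant, pan, outcome) records through a velocity filter.

    scope="site"    counts failures per (merchant, pan): what a lone merchant sees.
    scope="network" counts failures per pan across all merchants: the central view.
    Returns (forwarded, blocked, guessed): how many attempts reached the issuer,
    how many the filter refused, and whether a correct ("valid") guess got through.
    """
    failures = Counter()
    forwarded = blocked = 0
    guessed = False
    for merchant, pan, outcome in attempts:
        key = (merchant, pan) if scope == "site" else pan
        if failures[key] >= limit:
            blocked += 1          # refused before the issuer ever sees the attempt
            continue
        forwarded += 1
        if outcome == "valid":
            guessed = True        # attacker learned the field they were probing
        else:
            failures[key] += 1
    return forwarded, blocked, guessed


def distributed_guessing_log(pan, n_sites, per_site):
    """Constructed log: one card number probed `per_site` times on each of
    `n_sites` merchants (staying under each site's lockout), every guess wrong
    except the very last one."""
    log = []
    for i in range(n_sites):
        for _ in range(per_site):
            log.append((f"merchant-{i:02d}", pan, "invalid"))
    log[-1] = (log[-1][0], pan, "valid")
    return log


def compare(pan="4111111111111111", n_sites=30, per_site=2):
    """Run the same 60-attempt log under both filter scopes (test PAN is constructed)."""
    log = distributed_guessing_log(pan, n_sites, per_site)
    return {
        "per_site": replay(log, "site", PER_SITE_LIMIT),
        "network": replay(log, "network", NETWORK_LIMIT),
    }


if __name__ == "__main__":
    for name, (fwd, blk, hit) in compare().items():
        print(f"{name:9s} forwarded={fwd:3d} blocked={blk:3d} "
              f"correct guess reached issuer={hit}")
```

With 2 guesses per site across 30 sites, no merchant ever reaches its own lockout, so all 60 attempts (including the correct one) are forwarded; the network-scoped counter stops the card after 10 failures and the correct guess never reaches the issuer. The same mechanism is what a payment gateway with a "full view of payment tries" would implement.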

Clients say they’ll take their money and run if service hacked...

Data breaches could cost firms business, Brits tell survey Further evidence has emerged that hacked firms might subsequently suffer a customer exodus.

After TalkTalk's famous data breach, 101,000 of its customers walked. Almost half (48 per cent) of the 1,000 Brits questioned by Onepoll claimed they would cancel accounts if a provider of theirs suffered a data breach. In addition, 35 per cent said they would actively avoid choosing a company that had been hacked before if they were switching provider. Alex Mathews, EMEA technician manager at Positive Technologies, the cyber security firm that commissioned the survey, commented: "As people wake up to the sensitivity of the data stored about them by the companies which provide their phones, banking, healthcare, leisure and more, they become ever more protective. "These organisations are responsible for collecting and protecting massive amounts of data, yet the last 12 months have proven they can fall prey to hackers.

TalkTalk, Yahoo!, Three and even Tesco Bank are all respectable brands that have been compromised in some way, with customers left feeling violated. In the end, they vote with their feet and walk away. It takes a lot of time and money to acquire new customers, but only seconds to lose them." The study also found that 45 per cent of respondents said they would claim for damages if their personal details were stolen, with a further 24 per cent saying they would join with others to bring a class action. Of course, what UK consumers say to someone in a survey is not necessarily what will happen in practice.

Class lawsuits are far more common in the US and some have come as a direct result of security breaches. For example, Ronald Schwartz launched a lawsuit against Yahoo! on behalf of all its US customers shortly after it copped to a historic breach affecting millions.
Security breaches can also have a direct financial impact, as evidenced by the £2.5m stolen from 9,000 customer accounts at Tesco Bank at the start of November. A recent 54-country, 24,000-respondent survey by the Internet Society found that 40 per cent of users would avoid doing business with a company that had suffered a data breach.

The group has tabled a number of recommendations on resolving security problems, as previously reported. ®

‘Tesco Bank’s major vulnerability is its ownership by Tesco,’ claims ex-employee

Links to supermarket's systems may have exposed vulnerability A former techie at Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket. Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank.

The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was "unaware" of any threat to the wider UK banking sector. Tesco Bank's security procedures were solid but the bank was exposed because of Tesco's "not-very-secure-at-all systems" – a weakness hackers might well have exploited, our informed source (who requested anonymity) speculates. TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff.
Security architecture is sound, and vulnerabilities are patched in a timely manner.

Fraud monitoring systems are industry standard.

A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days. All staff are vetted as per standard processes – TB is no more vulnerable to an internal breach than anyone else.

Again, bigger and better targets are available.

TB does have a problem with retaining experienced staff, and hoping that junior staff will step up when they leave, but that's not uncommon. TB had one breach when they first opened Current Accounts – someone in the card printers got a list of card numbers and sold them.
It was caught in time, and cards were destroyed. Presumably security at the printers has been improved, but I'd consider that to be a continuing possible vulnerability. However, TB's major vulnerability is its ownership by Tesco, and the links between its secure systems and Tesco's not-very-secure-at-all systems.

There was no evidence of patching and monitoring occurring in Tesco systems that we linked to at all.
I strongly suspect that the Clubcard system has been breached and a list of TB account numbers farmed from there.
I also suspect that nothing will be done to trace that possible route – TB has no influence over Tesco at all, due to relative scale, and the apparent bad relations between the chief executives.

In a follow-up email the former Tesco Bank worker, who worked in IT for the bank and at one time on its anti-fraud system, offered more details on security failings at the parent retailer.

I worked on a TB project that had to verify certain customer information on Tesco systems.

The Tesco system would fall over on a regular basis, and we would have to tell Tesco it was down – they wouldn't monitor it.
It later became clear that it was an app server running on a very outdated piece of middleware, completely unpatched.

This was standard for Tesco systems. [The] only exception was the credit card payment system, which was secure because it was regulated.
Separately I was aware of an effort to tie some TB systems more closely to Clubcard. However, it had to be abandoned once the architects discovered how insecure Clubcard itself was.

Various theories about what might have caused the breach at Tesco Bank have already been suggested.
Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach. Security intelligence firm Digital Shadows recently applied techniques for the Analysis of Competing Hypothesis (ACH) to assess the likelihood of the various competing explanations on offer.
It concluded that either payment system compromise or the cash-out of cloned cards were the two theories that best matched the available facts.

Cash-out of cloned cards would likely have been simpler to execute than payment system compromise, according to Digital Shadows, prompting the firm to lean towards this theory while not ruling out other possibilities. El Reg ran insights from the former Tesco Bank techie past Digital Shadows.
In response, Digital Shadows said that it had seen nothing so far which would suggest security problems at Tesco supermarket was behind the breach before conceding that it was still investigating the breach. Ken Munro, a director at security consultancy Pen Test Partners, described the former Tesco staffer's theory as all too plausible, based on his years of experience in the IT biz rather than any direct knowledge of the supermarket's systems. "So often it's the incidental systems that cause issues," Munro told El Reg. "One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar.
I remember a pen test a few years back of a network that was pretty much bulletproof – up to date, pretty well configured, reasonable passwords etc. "Then we found an old fax server that was on the same domain.
It didn't take long to compromise that flaky fax box and from there the domain controller.

All the good work was undone by some failed oversight of one box. "You're probably only as secure as your least secure system," Munro concluded.

Tesco Bank provided this statement: "On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m. "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency.

This remains a criminal investigation. "We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank." ®

Analysts apply Occam’s razor to Tesco Bank breach

Unexpected items in the banking area

Analysis: Security analysts have narrowed down the range of possible explanations for the Tesco Bank breach. Earlier this month Tesco Bank was obliged to admit that an estimated £2.5m had been looted from 9,000 accounts.
Initially it was feared that money had been taken from 20,000 accounts, but this figure was revised downwards days after the breach was disclosed. Tesco Bank temporarily froze online account operations and contactless payments for its current account holders in the immediate aftermath of the breach, one of the worst to ever affect a British retail bank.

The bank reimbursed funds to defrauded customers. The newly established UK National Cyber Security Centre (NCSC) issued a statement on 7 November confirming that an investigation into the Tesco Bank breach was underway.
It said (by way of reassurance) it was “unaware” of any threat to the wider UK banking sector.

The ongoing investigation is being led by the National Crime Agency (NCA) with NCSC providing support and technical assistance. Security intelligence firm Digital Shadows claims it has identified “multiple instances” of Tesco Bank customers claiming that fraudulent online transactions had been made from their accounts.
Some of these reported small fraudulent transactions of around £20 before larger transactions of £500 or more were attempted.

Another report talked about cash having been fraudulently withdrawn from a customer's account from an ATM in Rio de Janeiro, Brazil. Tesco Bank login pages were included as a target in the config files of three major banking trojans: Vawtrak, Dridex and Retefe.
In addition, Digital Shadows has identified a user on the forum linked to cybercrime bazaar AlphaBay claiming back in September that they were able to cash out Tesco Bank accounts with the assistance of an insider at the bank.

The claim remains unverified but nonetheless deserves to be taken seriously in the light of subsequent events. Several competing theories about what might have happened have sprung up in the wake of the incident.
Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Digital Shadows has applied the technique of the Analysis of Competing Hypotheses (ACH) to the available data in an attempt to narrow down the possibilities between four competing theories. This work suggests that both the banking trojan theory and the cash-out using aggregated card information sit badly with the available evidence.

Two other potential explanations - payment system compromise and cash-out of cloned cards - both offer more promising theories. NCSC's statement that the Tesco Bank incident did not represent a threat to the wider UK banking sector, the short timeframe of the attack, and the focus of the breach on current accounts rather than credit accounts were key reference points that Digital Shadows applied to the competing theories it evaluated.

The digital intelligence firm is careful to say it was not possible to definitively rule out any of the four hypotheses examined.

Digital Shadows nonetheless reckons that cash-out of cloned cards is more likely than other possibilities it examined, essentially because it offered a simpler attack method. "Cash-out of cloned cards would likely have been simpler to execute than payment system compromise and, in operational terms, would have involved fewer moving parts… [and] may be the more plausible scenario," Digital Shadows concludes. The security intelligence firm further concludes that the heist was run by an organised criminal group that likely represents an ongoing threat. "It is a realistic possibility that the actors responsible for these thefts will attempt to further monetise any Tesco Bank account information in their possession by attempting to sell it within the criminal ecosystem," Digital Shadows warns. "In the immediate future, it's likely Tesco Bank customers will be targeted with phishing emails imitating law enforcement or Tesco Bank customer support.

Tesco Bank customers are advised to exercise caution when receiving calls or opening emails or SMS messages purporting to relate to this incident and to report any suspected phishing attempts to Tesco Bank via phishing@tescobank.com," it adds. ®

What went wrong at Tesco Bank?

Internal systems blamed for monster cyber-attack

Tesco Bank has enlisted the help of the recently established National Cyber Security Centre (NCSC) following the most serious cyber-attack ever launched against a UK bank. The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed.
Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.

At the same time Tesco announced that it was restoring normal service following the suspension of online and contactless transactions from current accounts applied in the immediate wake of the breach last weekend. NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking. Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely either Tesco's internal systems, or their mobile application, have been hacked.

Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN.

By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker." Tesco Bank manages around 136,000 current accounts.
Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack – and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands.
In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter." Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn. "When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident.

The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it.

The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late." ®

Tesco Bank Stops Online Transactions After Money Missing from 20K Accounts

Tesco Bank, a U.K. retail bank, today put a halt to online transactions from current accounts after some customers reported over the weekend money missing from their accounts. The bank, which has more than seven million customers, told the BBC that 40,000 accounts were accessed and half of which reported missing money. "While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal," chief executive Benny Higgins said in a statement this morning. "We are working hard to resume normal service on current accounts as soon as possible." Higgins said that law enforcement and regulators are investigating; no further details on the attack were released, though Higgins told the BBC he knew what the attack was. "We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible," Higgins said. Tesco Bank is co-owned by U.K.'s largest supermarket and the Royal Bank of Scotland. "We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts," Higgins said. Customers, meanwhile, complained loudly on social media about the bank's responsiveness to the situation.

@tescobankhelp why is money still being taken out of my account fraudulently ?? My supposedly FROZEN bank account that I can't access???? — Kirsty Brown (@kirstyktweet) November 6, 2016

This getting more and more farcical. Still no money still no way for my kids to eat in school tomorrow Tesco are beyond a joke — SamAllenAVFC (@samallen72) November 7, 2016

U.K. bank suspends online payments after fraud hits 20,000 accounts

The banking arm of U.K. supermarket chain Tesco has suspended online payments for its 136,000 checking account customers following a spate of fraudulent transactions. The bank suspended its payment service for all checking account customers after 40,00...

Bank halts online transactions after money stolen from 20,000 accounts

Tesco Bank has been forced to suspend its online transactions after fraudulent criminal activity was spotted on thousands of its customer accounts over the weekend. A total of 40,000 current accounts were hit by suspicious transactions. Money was pinched from 20,000 of the affected current accounts, Tesco Bank said on Monday morning. "We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts," said the bank's chief, Benny Higgins. He added that Tesco was taking "a precautionary measure" by temporarily taking current account transactions offline. Higgins said:

"While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments, and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible."

Tesco Bank has promised to refund any accounts affected by the fraud and added that it was working with police and regulators to help track down the malefactors behind the crime.

The Financial Conduct Authority says it gives "higher priority to the protection of consumers as potential victims of fraud than to the protection of firms themselves as potential victims." Put another way, banks are expected to act swiftly when such fraudulent activity is detected. Higgins told the BBC that the bank has around eight million customer accounts. He added that the number of customers hit by fraud was big but not huge. "It's 20,000 customers, we think it would be relatively small amounts that have come out but we're still working on that." On Sunday, Tesco Bank said that it had "notified some customers that we have blocked their cards to protect their account." However, some customers complained on social media about access to their current accounts being frozen without them first being informed of the fraudulent activity.

@tescobankhelp this has left me unable to feed my kids in school tomorrow can't put money on their dinner accounts can't buy sandwich stuff — SamAllenAVFC (@samallen72) November 6, 2016

my account @tescobankhelp @TescoBankNews has been hacked over the W/E & you text me at 7:21am today, but I cant log on to check how much 😣 — 👀 (@iWaveBack) November 7, 2016

Tesco Bank said it was trying to quickly refund all of the affected accounts, but it didn't reveal when the service would return to normal following the attack. This post originated on Ars Technica UK