Leak on Aisle 12! An Analysis of Competing Hypotheses for the Tesco Bank Incident

Adam Lorimer | 11 November 2016

Tesco Bank Logo

On November 6, 2016 multiple UK media outlets reported that the UK-based Tesco Bank had informed approximately 40,000 customers that fraudulent activity had been detected on their accounts between November 5 and 6, 2016. It was initially reported that approximately 20,000 of these accounts had been the victim of successful fraudulent transactions. However, it was later reported that actual number of affected accounts was only approximately 9,000, from which an estimated £2.5 million GBP (approximately $3.1 million USD) had been stolen through fraudulent online transactions. On November 7, 2016 the UK National Cyber Security Centre (NCSC) issued a statement that announced that an investigation was underway, but that the organization was “unaware” of any threat to the wider UK banking sector as a result of this incident.

In addition to this media reporting, we have identified multiple instances of Tesco Bank customers claiming that fraudulent online transactions had been made from their accounts over the weekend. We identified multiple independent reports stating that a small transaction of around £20 GBP (approximately $25 USD) were initially made, followed by a larger transaction of between £500 and £800 GBP ($621-994 USD). We also identified one user claiming that cash had been fraudulently withdrawn from his account from an ATM located in Rio de Janeiro.

An examination of online criminal activity assessed to be potentially related to this incident indicated that in 2016, Tesco Bank login pages were included as a target in the config files of three major banking trojans: Vawtrak, Dridex and Retefe. In addition to this, we identified a user on the forum associated with the criminal marketplace AlphaBay claiming to be able to cash-out Tesco Bank accounts with the assistance of an insider at the bank. This post was dated September 2016.

Alphabay forum post tesco

Figure 1 - Screenshot of AlphaBay forum post referring to an insider at Tesco Bank.

At the time of writing, very little information had been released regarding how these thefts were conducted, though several sources have publically expressed theories regarding how the attack may have been achieved. In response to this ambiguous situation, Digital Shadows has applied the technique of the Analysis of Competing Hypothesis (ACH) to the available data. ACH is a structured analytical technique designed to enable analysts to establish the consistency and inconsistency of all available data points with a selection of possible hypotheses. ACH uses a weighted inconsistency algorithm to assign numeric values, weighted by the assessed reliability and relevance of each data point, which represent the degree of inconsistency of the available evidence with a given hypothesis. The following hypotheses relating to how the attack may have been accomplished were examined:

  • H1 - Tesco Bank’s payment system was compromised, either through an external intrusion or insider action.
  • H2 – The attack was a cash-out operation representing the culmination of a banking trojan campaign targeting Tesco Bank customers.
  • H3 – The attack was a cash-out operation targeting Tesco Bank cards cloned prior to being issued to customers.
  • H4 – The attack was a cash-out operation using Tesco Bank card information obtained from multiple sources, such as third-party site compromises or point of sale malware.

Tesco Bank ACH


Figure 2 – ACH diagram

Although it was not possible to definitively rule out any of the four hypotheses examined, we assess that the available information indicate that H2 (banking trojan) and H4 (cash-out using aggregated card information) are less consistent with the available information than H1 (payment system compromise) and H3 (cash-out of cloned cards). A number of data points were assessed to be inconsistent with these hypotheses, most notably the NCSC statement that the Tesco Bank incident did not represent a threat to the wider UK banking sector, the short timeframe of the attack and the reported focus on current accounts as opposed to credit accounts.

At the time of writing none of the available data points were assessed to be significantly inconsistent with either H1 (payment system compromise) or H3 (cash-out of cloned cards) so it was not possible to determine which of these hypotheses was more likely to be accurate. However, it was assessed that H3 (cash-out of cloned cards) would likely have been a simpler to execute than H1 (payment system compromise) and, in operational terms, would have involved fewer moving parts. While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario. Although reporting from Tesco Bank has indicated that money was successfully stolen from only 9.000 accounts, the actors responsible reportedly targeted 40,000 within a 48 hour period. This would likely have required substantial resources and a well-organized logistics network to support the process of cashing out the targeted accounts and laundering the money obtained within such a short timeframe. Irrespective of the method employed, it was therefore assessed to be highly likely that these thefts were conducted by an organized criminal group.

Statements made by Tesco have indicated that the company is collaborating with the NCSC and the UK National Crime Agency (NCA) in investigating this incident. However, all three organizations have declined to provide substantive details regarding the incident, citing the need to preserve the integrity of the investigation. However, it was assessed to be likely that further information will be made available as the investigation continues.

It is a realistic possibility that the actors responsible for these thefts will attempt to further monetize any Tesco Bank account information in their possession by attempting to sell it within the criminal ecosystem.

In the immediate future, it’s likely Tesco Bank customers will be targeted with phishing emails imitating law enforcement or Tesco Bank customer support. Tesco Bank customers are advised to exercise caution when receiving calls or opening emails or SMS messages purporting to relate to this incident and to report any suspected phishing attempts to Tesco Bank via [email protected]