February 2017

Is the Tesco Bank hack the wakeup call needed to make mobile security a priority?

The recent Tesco Bank hack has left the retail banking world reeling, searching for answers and more effective ways to secure networks against future attacks. It has been revealed weaknesses in the bank’s mobile applications left the door open for cybercriminals to brute force their way in and take more than £2.5 million of customers’ money. Worse still, the bank had been warned by several security experts of this weakness prior to the attack.

How Tesco got it so wrong

It was the largest ever cyber-attacks on a UK bank. One of the most significant things about the Tesco hack was that customer accounts were penetrated forcefully without any credentials, which hasn't happened before. Cybercriminals broke into Tesco Bank’s computer system and stole £2.5 million from the current accounts of 9,000 customers.

The result of this attack was the scenario many people are most afraid of ‒ waking up one morning and finding your bank account is completely empty. Tesco had a responsibility to protect its customers and, by not doing so, has led to an erosion of trust.

What has tarnished consumer trust is the revelation of vulnerabilities that penetration testers had warned Tesco of several times prior to the hack. While we now know Tesco was aware of the cracks in its security perimeter, it’s clear that it either wasn’t aware of the potential scale of the attack or it simply wasn’t equipped to deal with a cyber-attack at this level. In a moment of malicious compromise, Tesco should have had the appropriate detection and remediation protocols in place to stop the hackers before they could remove actual money from customer accounts.

Keeping pace with multiple threat vectors

With the increasing number of connected devices for cybercriminals to exploit, there are more threat vectors than ever for companies to protect. It has never been so easy for cybercriminals to obtain confidential information. With the proliferation of mobile devices, social media and social engineering, there are now a million and one ways to reach an individual and gain the keys to the kingdom.

Platform firewalls can easily be misconfigured, creating backdoors for hackers to find vulnerabilities and exploit them. The more complex the network, the greater the likelihood they will make it in undetected.

The edgeless perimeter

Risks are now increasingly extending beyond the perimeter to the individual user via social engineering. We have already seen compromised chip sets, backdoors in operating systems, and rogue apps placing malware on the device. The greatest element of concern in 2017 is how expanded attack vectors allow for lateral movement, with the bad guys looking to utilise mobile platforms as a means of gaining access to the core of the network.

While the Tesco Bank breach will elevate security further towards being thought of as a high ticket item, many are left questioning how the industry will act together to resolve the issue. Like the Heartland breach in America in 2015, the company thought it was fully compliant and was still compromised, resulting in a year-long rehabilitation campaign. Instead, we should be asking what the industry is doing wrong? The industry at large has not embraced the notion of hyper-connectivity, which means users and clients alike are all individual vectors of threat.

Mobile platforms must be treated as an extension of the network.

Securing devices and the traffic they create needs to be treated in the same way you would treat devices within the traditional network perimeter. Just like locking your doors every time you leave the house, you would never set up a network without a firewall ‒ but firewalls are no longer enough to protect the 'edgeless perimeter'.

What happened to Tesco could happen to any company, of any size, in any sector.

Financial services are accustomed to being in their own seemingly secure bubble. Now, however, that bubble has well and truly burst. Devices connected to each other via not only mobile networks but the Internet of Things has expanded the risk to all customer devices becoming compromised or attacked. The financial services industry has a great responsibility to safeguard people’s money and it is heavily regulated because of this. It is imperative, therefore, that it goes further than just basic blocking and tackling of threats within the firewall to encompass the new attack vectors associated with the myriad of connected devices.

Kirsten Bay, President and CEO, Cyber adAPT





Whitepapers

22/10/2019 Headlines

Police Seize $15K Crypto Thief After He Mistakenly Disclosed Identity

Connecticut police caught a man who had stolen over $15,000 worth of digital currency in a mobile phone theft after he mistakenly sent an apology email to a det.....Read More

Report Exposes Lack of Sufficient Data Security Amongst Employees

The Insider Data Breach Survey 2019 found that 95% of IT leaders acknowledged that insider threats were a serious concern within their business while 55% of emp.....Read More

Data of 90K Mastercard Priceless Specials Members Shared Online

A database containing sensitive information of about 90,000 German Mastercard "Priceless Specials" loyalty program members shared online following a breach disc.....Read More

Phishing Targeting Executives Now the Number One Cause of Cyber Security Insurance Claims

Spear-phishing has overtaken ransomware as the number one driver of cyber security insurance claims, according to AIG.

Phishing, also known as business e.....Read More

Could Your Kid Be The Next GBP 20 Million Cybersecurity Superhero?

Back in 2017, the U.K. government issued a tender to run a GBP 20 million Cyber Schools Programme as part of the National Cyber Security Strategy 2016-2021 crea.....Read More


Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication