The Tesco Bank Attack..Yet another incident of Security Failure

tesco_bankThe UK based Tesco Bank recently observed suspicious transactions in around  40000 Current Accounts and had to temporarily shut down transactions in the accounts. Subsequently it was indicated that about 9000 accounts saw fraudulent withdrawals to the total extent of about UK Sterling 2.5 million (About Rs 21 crores). The average loss per account was around Rs 21000/-.

Some reports allege that over 21000 accounts have seen the fraudulent withdrawals putting the potential loss at over Rs 50 crores.

Most of the fraudulent transactions occurred overseas such as Spain and Brazil.

The exact nature of the breach is yet to be ascertained/published. However it appears to be a hacking of the Bank’s systems at some level caused by failure of internal processes including negligence of intermediary service providers. An investigation by the national crime agency s underway. We may not be surprised if this breach finally leads to some BPO located outside UK hopefully not India.

For More information: Guardian.com report

It is expected that regulators may impose a multi million pound fine. (See report) The share prices have also been adversely affected. Tesco has been offering 3% interest to the current account customers and hence provided competition to other bigger Banks. But this incident could put a brake on its business growth for some time. The general allegation is that the Bank has systematically neglected cyber security and the breach is a result of such compromise…much like the Indian Banks.

The Bank has after the incident taken steps to inform their customers through SMS and has also put up a note prominently on its website indicating the latest position.

tesco_bank_notice

tesco_bank_update

 Indian Banks often deliberately avoid notification of  breaches on their website and even to RBI. For such Banks it is important to notice the response of Tesco Bank to the breach.

The complete update as available on the website is available here

The update contains an apology, contact information, and an FAQ for further information. In contrast Indian banks fail to admit breach, refuse to refund the amount to the customer, deny their failure to notify customers individually and enter into a prolonged legal battle with the customers.

What RBI and Indian Banks should note

RBI should make a note of this incident and issue suitable instructions on “Data Breach Notification” for Indian Banks. Ofcourse we need to remind that it should not be a toothless advisory but an action oriented directive. RBI should also stop cheating the public with an issue of draft circular for public comment and going silent there after.

It is also recently found that RBI has not provided Banks with any guideline on Social Media Banking and Banks have started using Twitter and Facebook Banking on their own. Even after RBI was questioned in a RTI application, they have not taken any action to distinguish Internet Banking and Mobile Banking from the less secure Twitter and Facebook banking. This gross negligence on the part of RBI will come to haunt Mr Urjit Patel sooner than he may anticipate.

Presently the Banks are grappling with the “Note Exchange” program and in the process using “Mobile Centers” armed with “Micro ATMs”. Customers will be exposing their Banking credentials to these POS machines which could result in a new security risk.

We are not sure if Indian Banks and RBI are alert to the security issues. If the attitude of Vijaya Bank cashiers at M S Ramaiah Hospital in Bengaluru recently (Sitting in a Maruti Van with Open doors and dispensing cash instead of closing the doors and operating through the window) without any physical security, is any indication, Banks could be not even aware of the risks to which they are exposing themselves and their customers in a bid to satisfy the critical politicians of the opposition who are anyway habitual critics to be ignored.

Hope the current crisis in Indian banks pass off peacefully without a Tesco or SBI Card type of incident recurring.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.