eConsultancy Article regarding Tesco Bank attack and how it impacts Monzo and the like


(Peter Unitt) #1

Just came across this article this morning on Econsultancy regarding the attacks on Tesco bank and how it may impact startup banks, considering they themselves are a relatively new bank.

What do you think, does the attack on Tesco cause you concern about Monzo or is it a risk you are prepared to take given the current state of banking?

One thing that I think the article omitted was the infrastructure being used. Most banks use legacy systems, so with Monzo being a little different I’d like to think Monzo are going about it the right way.

Link to article: https://econsultancy.com/blog/68500-will-the-tesco-bank-attack-dent-trust-in-startup-banks


(Alex Sherwood) #2

It’s interesting to explore why this happened to Tesco & what the attack might have looked like if it had been aimed at Monzo instead.

For starters, in this story -

the customer said they lost money from multiple accounts & the fact that Tesco

halted online payments for current account customers

but not ATM withdrawals, in-store payments etc. suggests that the customer’s funds were used to make online payments. In which case, had these been Monzo accounts, users would have received notifications as soon as the payments were made & could have frozen their cards before more transactions were attempted.

Since 40,000 accounts were breached, I assume that it took a while for Tesco to spot the fraud. If so, Monzo users could have potentially alerted Monzo sooner.

Lastly Monzo is using a completely different technology stack than Tesco, who use

For credit card processing, the bank uses the TS2 processing platform provided by TSYS. TSYS provides Tesco Bank’s credit card business with full customer account management services. According to the reports in the national press, the provider may have also been targeted by cybercriminals.

& I prefer Monzo relying less on third party providers, as they have less control over those suppliers’ security.

The attack on Tesco doesn’t cause me to be more concerned about security at Monzo because their technology is so different. These banks are being built with a much more modern infrastructure, see this post for more -

But I’m not 100% sure that Monzo is secure anyway, the only way that we can truly know that Monzo & the other ‘challenger’ banks are secure is if they stand up to the inevitable repeated attacks from criminals.

It’s also worth noting that, according to the FT story on the same topic, which is referenced in the article you’ve posted:

Ironically, all banks — not just those run by supermarkets or online challengers — are vulnerable to cyber security breaches. According to Financial Fraud Action UK, British consumers and financial institutions lost more than £750m last year — a jump of 26 per cent from 2014.

The reason I do have confidence in Monzo is mainly the amount of respect that the team (Oliver, Matt, Simon) have from their peers - judging by the talks that they’ve all been asked to give. Just to be clear, I’m sure everyone else is respected too, they just haven’t given talks :wink:

Jonas also mentioned recently that when you’re building a bank, you attract some really high quality security experts because they want the challenge of building a system which can protect such an attractive target.

Obviously there’s a limit to how much Monzo can share about their security systems for peer review, because they don’t want to give away information that attackers would find useful. But hopefully they will share more, through blog posts or talks like yesterday’s Building a Secure Bank (video please :pray:).


(Peter Unitt) #3

Good point made there! Monzo users would be aware straight away with the instant notifications, and that coupled with the speed of Monzo’s customer service, I’d be confident an attack would be sorted much quicker than it was at Tesco.


(Sacha) #4

My concern surrounding the Tesco attack was how they were able to make batch payments to new payees without any form of verification by the customer (perhaps through one of those calculator devices that the likes of Barclays use or through the use of a code texted to the customer’s mobile).

Just a thought; would it be possible for Monzo to allow customers to freeze payments to overseas banks in the same way that you can freeze and unfreeze your card? That way, customers could enable the option when they needed it (e.g. if on holiday) but have a reduced risk of fraud exposure for the rest of the time.


(surohpotsirhC) #5

There’s a good article from 2014 about the lack of security that Tesco have.

Appears that not a lot has changed since then.


(Alex Sherwood) #6

Are you sure that these were batch payments? It sounds like they might have just been online transactions…in which case, new merchants wouldn’t be an issue.

That is possible (other services offer that feature) but I’m not sure how feasible that is. You don’t always know where your merchant who takes the payment is located & payments made online are often delayed (Amazon doesn’t take payment until your order is dispatched, for example) so you couldn’t freeze your card while waiting for the payment to be taken…unless you ‘whitelisted’ some merchants…but that’s starting to get pretty complex.


#7

The main issue was it happening at the weekend, when fewer bank staff are on duty compared with during the week.


(Rika Raybould) #8

Important to remember that the article you have linked there is about Tesco online shopping, I would very much hope that Tesco Bank were not doing similar or they need a SERIOUS talking to by the regulators and their auditors removed.


(surohpotsirhC) #10

Good point. I should have made that clear.


(james_e_bell) #11

This is an interesting topic. I don’t really know how those who are fearful of bank security would consider Monzo. Seems like there could be two different competing views:

  1. Monzo features such as instant notification of payment and card freeze help you keep control of your account and you can block fraud / report it easily
    or
  2. People who are particularly cautious may be inclined not to trust a new/startup bank regardless of what security features they have

Personally I am not overly worried about bank security - I always keep a close watch on my accounts and I know that I will be recompensed for any fraud (and have backup accounts that I could use while waiting for the money to be returned). I am not a typical user though I suspect.


(Edward) #12

On the one hand, a ‘blank slate’ design of a banking backend system allows for modern security considerations to be built in from the start. If you’re operating a multi-decade-old system running on some Big Iron appliances, there are attack vectors that weren’t even possible (or even imagined) when the system was designed that now need to be hardened against by retrofitting a live setup.
On the other hand, the most effective debugger is time. A system that has been live for several decades has had a long time for edge-case bugs to occur and be identified (and it’s hard to fix a bug you don’t know about). A new system is more likely to have flaws that have yet to be discovered.


(Alex Sherwood) #13

Here’s the latest on this story

Also, to paraphrase Tom’s comment at last night’s panel discussion @ Stripe, on how to prevent this from happening again, it was simply - don’t let grocers run banks!


(Ben Green) #14

“The only thing that can be truly effective is a very diligent end user who knows what to look for. That means all the banks can do is offer tips on how to spot the fake sites collecting user data that the malware creates and hope the user is diligent enough to learn and watch for signs of the bad guys at work.”

This won’t be an issue for smartphone enabled banks, especially Monzo. Communication to us about our accounts, with the exception of the magic login link received via email, has so far been via in-app notifications.

Maybe this is another point Monzo can raise when marketing the app, that it’s already probably more secure than the leading banks.

Edit: In response to @alexs next post.


(Alex Sherwood) #15

Unfortunately that’s impossible to prove & there could be gaps in Monzo’s systems which have been overlooked…but I wouldn’t be surprised if you’re right!


(Alex Sherwood) #16

More details on the Tesco hack

https://www.ft.com/content/0e7a9c02-be1e-11e6-8b45-b8b81dd5d080

Tesco Bank debit cards risked cyber crime, warn rivals

Tesco Bank left its customers exposed to cyber crime by issuing sequential debit card numbers, a practice most banks avoid because it lets hackers remain undetected while working quickly through thousands of accounts, according to rival lenders.

:facepalm:

again…


Tesco Bank refused to confirm whether it had issued sequential card numbers or if it had recently changed its practices in this area.

The UK’s new National Cyber Security Centre and the National Crime Agency are leading a criminal probe into the hack. The FCA is also investigating. If the bank were shown to have sloppy cyber defences the FCA could consider launching an enforcement investigation.

The story also includes some interesting details on potential vulnerabilities in Visa’s fraud detection processes compared with MasterCard’s.


(Mike Fuller) #17

A key distinction with Monzo is that it’s not using the Visa network. Tesco uses Visa, whose network security experts suggest is unable to identify high-volume authorisation attempts to guess card numbers (helped if you just issue card numbers in sequence). The Mastercard network can detect multiple attempts across its whole network and block accounts where these attacks are identified. Mastercard is therefore less vulnerable to these types of attack.

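The kind of network-side detection the previous post describes (many authorisation attempts in a short window against card numbers that sit next to each other in sequence, all from one source), as an added example in Python run over constructed log lines. This is not the forum’s, Mastercard’s or any bank’s code; the log format, the merchant ids, the thresholds and the test-range PANs are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log (not real data): one attempt per line.
# Merchant M-7781 walks through adjacent PANs within seconds; M-2204 is normal traffic.
SAMPLE_LOG = """\
2016-11-05T02:00:01Z merchant=M-7781 pan=4111111111110001 result=DECLINE
2016-11-05T02:00:03Z merchant=M-7781 pan=4111111111110002 result=DECLINE
2016-11-05T02:00:04Z merchant=M-7781 pan=4111111111110003 result=DECLINE
2016-11-05T02:00:06Z merchant=M-7781 pan=4111111111110004 result=APPROVE
2016-11-05T02:00:07Z merchant=M-7781 pan=4111111111110005 result=DECLINE
2016-11-05T02:00:09Z merchant=M-7781 pan=4111111111110006 result=DECLINE
2016-11-05T02:00:11Z merchant=M-2204 pan=4111111111118834 result=APPROVE
2016-11-05T02:05:40Z merchant=M-2204 pan=4111111111113312 result=APPROVE
2016-11-05T02:09:12Z merchant=M-2204 pan=4111111111117705 result=DECLINE
"""

LINE_RE = re.compile(r"^(\S+) merchant=(\S+) pan=(\d+) result=(\w+)$")


def parse_log(text):
    """Parse log lines into (timestamp, merchant, pan as int, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events


def flag_enumeration(events, window=timedelta(minutes=5), min_attempts=5, max_gap=2):
    """Return merchants that, inside any `window`, touch at least `min_attempts`
    distinct PANs lying within `max_gap` of each other when sorted.
    Approvals are counted too: a guessing run that lands on a live card still approves."""
    by_merchant = defaultdict(list)
    for ts, merchant, pan, _result in events:
        by_merchant[merchant].append((ts, pan))
    flagged = set()
    for merchant, attempts in by_merchant.items():
        attempts.sort()  # chronological order for the sliding window
        for i, (start, _) in enumerate(attempts):
            pans = sorted({p for t, p in attempts[i:] if t - start <= window})
            # Count how many PANs in the window sit in a near-sequential run.
            run = 1 + sum(1 for a, b in zip(pans, pans[1:]) if b - a <= max_gap)
            if len(pans) >= min_attempts and run >= min_attempts:
                flagged.add(merchant)
                break
    return flagged
```

Real networks would key on more than merchant id (acquirer, IP, terminal) and tune the window and gap per issuer, but the sorted-gap test is the core of spotting sequential issuance being walked.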

(Adam Williams) #18

Honestly, I’d trust Monzo a million times over to be more secure than the high street banks. Talking to the staff, reading the blog and some of @daniel’s posts make it clear security is a priority and the team know what they’re doing.

I have an RBS business account I also use and it:

  • Asks for specific characters of the password (1st, 7th, 8th)
  • Checks the password in a case-insensitive manner
  • Wouldn’t let me use certain characters

There’s no way they’re using something like bcrypt, scrypt or PBKDF2. My guess is that it’s all just in plaintext (or perhaps just encrypted at rest, but still not ideal).


(Christos) #19

Same for Bank of Scotland (LBG).
I couldn’t believe it when I first read about it.


#20

Metro Bank, whilst at least using Mastercard, also won’t let you have any special characters in your password. Metro also force you to input certain numbers from an eight-digit security code.

All of which doesn’t seem all that secure at all against either a key logger or screen grabber malware.


#21

I was having trouble thinking of an 8-digit number, so the Metro staff member suggested I use my 4-digit card PIN twice.