It’s interesting to explore why this happened to Tesco & what the attack might have looked like if it had been aimed at Monzo instead.
For starters, in this story -
the customer said they lost money from multiple accounts & the fact that Tesco halted online payments for current account customers but not ATM withdrawals, in-store payments etc. suggests that the customer’s funds were used to make online payments. In which case, had these been Monzo accounts, users would have received notifications as soon as the payments were made & could have frozen their cards before more transactions were attempted.
Since 40,000 accounts were breached, I assume that it took a while for Tesco to spot the fraud. If so, Monzo users could have potentially alerted Monzo sooner.
Lastly, Monzo is using a completely different technology stack than Tesco, who use
For credit card processing, the bank uses the TS2 processing platform provided by TSYS. TSYS provides Tesco Bank’s credit card business with full customer account management services. According to the reports in the national press, the provider may have also been targeted by cybercriminals.
& I prefer Monzo relying less on third-party providers, as they have less control over those suppliers’ security.
The attack on Tesco doesn’t cause me to be more concerned about security at Monzo because their technology is so different. These banks are being built with a much more modern infrastructure, see this post for more -
But I’m not 100% sure that Monzo is secure anyway; the only way that we can truly know that Monzo & the other ‘challenger’ banks are secure is if they stand up to the inevitable repeated attacks from criminals.
It’s also worth noting that according to the FT story on the same topic, which is referenced in the article you’ve posted
Ironically, all banks — not just those run by supermarkets or online challengers — are vulnerable to cyber security breaches. According to Financial Fraud Action UK, British consumers and financial institutions lost more than £750m last year — a jump of 26 per cent from 2014.
The reason I do have confidence in Monzo is mainly the amount of respect that the team (Oliver, Matt, Simon) have from their peers - judging by the talks that they’ve all been asked to give. Just to be clear, I’m sure everyone else is respected too, they just haven’t given talks.
Jonas also mentioned recently that when you’re building a bank, you attract some really high quality security experts because they want the challenge of building a system which can protect such an attractive target.
Obviously there’s a limit to how much Monzo can share about their security systems for peer review, because they don’t want to give away information that attackers would find useful. But hopefully they will share more, through blog posts or talks like yesterday’s Building a Secure Bank (video please).