Tesco Bank's debit cards risked cyber crime, warn rivals

Wednesday 14th December 2016 05:33 EST
 
 

Rival lenders warn that Tesco Bank has left its customers exposed to cyber crime by issuing sequential debit card numbers, a practice most banks avoid because it lets hackers remain undetected. A sustained cyber attack on Tesco Bank last month forced the company to repay £2.5m of losses to 9,000 customers in a heist described as unprecedented by regulators.

Since then the Financial Conduct Authority has contacted several British lenders to check if they are also issuing sequential card numbers, according to executives at two of the banks contacted by the watchdog. Tesco Bank refused to confirm whether it had issued sequential card numbers or if it had recently changed its practices in this area. It said: “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident. However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”

The financial offshoot of the UK’s largest supermarket group has not said how the money was stolen. But it has insisted that no customer data were lost and none of its systems were breached in the “highly sophisticated attack.” Cyber security experts and banking executives say that issuing sequential card numbers makes it easier for hackers to guess the expiry dates and security codes without alerting the bank that there is a risk of fraud. “It raises a question mark — it is not good,” said one.

Most banks use software to randomly generate a primary account number for each customer. But at Tesco Bank these numbers were issued sequentially, according to executives at two rival banks and another person briefed on Tesco’s security operations. The FCA declined to comment.

