Sequential card numbers may be to blame for the cyber attack on Tesco Bank, which resulted in 9,000 customers being hit by fraudulent transactions and costing the bank £2.5 million.
According to an article in The Financial Times this week, the Visa debit cards issued by Tesco Bank have a six-digit issuer identifier number, a nine-digit primary account number unique to each customer, and a single check digit.
But while, most banks use software to randomly generate a primary account number for each customer, at Tesco Bank these numbers were issued sequentially, according to executives at two rival banks and another person briefed on Tesco’s security operations who reportedly spoke to the newspaper.
The report goes on to claim that cyber security experts and banking executives say that issuing sequential card numbers makes it easier for hackers to guess the expiry dates and security codes without alerting the bank that there is a risk of fraud.
Tesco Bank however, has reportedly refused to confirm whether it issued sequential card numbers or if it had recently changed its practices in this area.
When Moneywise contacted the bank, it would only tell us the following: “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident, however we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”
The Financial Times report goes on to state that since the attack on Tesco Bank, regulator the Financial Conduct Authority (FCA) has contacted several British lenders to check if they are also issuing sequential card numbers.
When Moneywise put this to the FCA, a spokesperson told us: “We can confirm that earlier this month the FCA alongside other authorities and agencies communicated with banks to highlight certain concerns regarding debit card payments. We do this as part of our business practices when needed. Due to the ongoing criminal investigation we can’t comment any further. The FCA believes that the banks contacted have responded appropriately.”
The spokesperson adds: “In general the FCA requires banks to have systems and controls to counter the risk that they are misused for the purposes of financial crime risk of all types including fraud, money laundering and data security breaches. A bank is required to refund all unauthorised transactions within 24 hours, providing that the transaction was not compromised by a customer or made over 13 months ago.”
Tesco Bank repaid all customers affected by the fraud at the time of the incident in early November. It also confirmed that personal data was not compromised as a result of the fraud.