A mass cash-out operation using cloned cards is the most plausible explanation of the Tesco Bank breach earlier this month which saw crooks steal around £2.5 million from 9000 customer accounts, according to an analysis from Digital Shadows.
Criminals drained the money from current accounts in what Tesco Bank CEO Benny Higgins has called "a systematic, sophisticated attack". Details have yet to be revealed but the National Crime Agency (NCA) is leading an investigation.
Cybersecurity specialist Digital Shadows has applied the techniques of the Analysis of Competing Hypothesis (ACH) to the publically available details, weighing the consistency and inconsistency of all available data points with four possible hypotheses.
Based on its analysis, the company says that two hypotheses, the use of a banking Trojan and cash-out operation using aggregated card information, are less likely. The use of a Trojan seems particularly unlikely, given that the National Cyber Security Centre says that it is “unaware” of any threat to the wider UK banking sector as a result of the Tesco attack.
More likely explanations for the incident are a payment system compromise or a cash-out operations using cloned cards. Digital Shadows says that it cannot determine which is more likely to be the right explanation but that a cash-out scam would likely have been simpler to execute with "fewer moving parts".
"While this cannot be counted as a concrete data point, it was assessed to potentially indicate that H3 (cash-out of cloned cards) may be the more plausible scenario," says the firm, which also warns that crooks are likely to try to sell the account information they have and that customers should be on the lookout for phishing emails.