Banking shortcomings make cyber crime the consumer’s problem

Tesco Bank’s unprecedented cyber attack is showing up major weaknesses in the armour that should protect UK consumers. 

Kate Hughes
Money Editor
Tuesday 08 November 2016 20:25 GMT
Every little helps: a new PIN and password could help save your money from fraudsters while the banking industry catches up with today's threat (Reuters)



The chances are you weren’t one of the 20,000 Tesco Bank customers who had cash swiped from their account over the weekend. But if there is one thing the experts appear to agree on, it is that, as this latest “unprecedented and serious” attack shows, the cyber-crime threat to our financial lives is growing as the number of online purchases and other transactions soars.

The Centre for Economic and Business Research estimates that cybercrime now costs the economy £34bn a year. So if the hackers only have to be lucky once while businesses, government and even consumers scramble to respond with a unified approach that actually works, what measures are in place to protect your cash? And what rights and responsibilities do you have if you get stung?

How worried should we be?

It has quickly been labelled the biggest cyber bank robbery in British history, though 20,000 confirmed cases of lost cash amounts to around one in seven of the bank’s current account holders and a tiny proportion of its 7.8 million total customer accounts.

Compare the scale of the damage to that of Yahoo!’s latest hit only a few weeks ago that revealed the email credentials of more than 500 million users in what has been dubbed the worst ever hack of a company and it seems small change.

The key difference is that this time it is the theft of cold hard cash from a significant number of accounts (cyber criminals more often drain the accounts of a lone individual or two), rather than the vaguer, if alarming, threat that comes with stolen information, however much more damaging that could turn out to be in the long run.

It’s an understandable reaction. Steal your information and it’s unnerving at the very least. Steal your money and it could be an instant, very real problem, even if, as in the Tesco case, you should be refunded if the security breach is no fault of your own.

But as a study last year by Deloitte showed, more people now purchase goods and services online than have an email account. As the way we consume continues to evolve, so too does the direct threat to our cash.

“Our research shows one in ten people's bank accounts had fallen foul of a cyber-attack over the past year – the equivalent of 4.5 million accounts - and had an average of £475 stolen,” warns Jody Baker, head of money at “A large number of these attacks would have been the result of cyber breaches of online transactions – so a move to clamp down on this type of criminal activity is urgently needed.”

Picking up the pieces

Meanwhile, for Tesco and its customers, two investigations now kick in. The criminal investigation is being led by the National Crime Agency, which deals with serious and organised crime, drawing on resources from other law enforcement bodies, not least the new National Cyber Security Centre, to establish exactly what has happened and “bring it to a conclusion” as necessary.

Then there is the question of adequate security measures: the Financial Conduct Authority is “working with” Tesco Bank, and the Information Commissioner’s Office, the independent authority charged with upholding information rights and data privacy, has also said it will be looking into the matter.

Chinks in the armour

"We do not yet know how so many personal accounts were accessed, but it is clear that this was a more sophisticated attack targeted at the bank's systems rather than its individual customers,” says Stewart James, partner in the commercial team at Ashfords LLP.

“Consequently, it is very likely that the attack amounts to a breach of the Computer Misuse Act 1990, highlighting the failure of the criminal law to deter cyber criminals and especially those operating from outside the jurisdiction.

“Customers have been relatively benign in response to previous breaches, such as the PlayStation and Sony Christmas hacks, but TalkTalk has proved to be a watershed with its reputational damage potentially greater than the financial damage caused.

“There is no single solution, but prior preparation needs to consider a range of technical, organisational, procedural and process issues,” he adds. “For a financial institution, this will include compliance with a number of reporting and security obligations, including meeting technical standards under the Payments Services Directive as well as general obligations under data protection legislation."

That may not be straightforward. Andrew Bailey, chief executive of the Financial Conduct Authority, admitted to the Treasury Select Committee this week that, for example, the banking sector does not have enough suitably skilled technology staff.

“Millions of customers remain unnecessarily exposed to the risks of IT failures, including delays in paying bills and an inability to access their own money,” he said. “We can't carry on like this.”

Taking control

For now, at least, that leaves self-preservation as the consumer’s first line of defence.

“With the busy Christmas period soon upon us – not to mention ‘Cyber Monday’ later this month – we would expect to see a spike in the number of online frauds in the coming weeks. It is a good idea to regularly check your bank statements for any unusual activity as criminals often make small but regular thefts which are harder to spot than larger one-off purchases,” adds Baker.

Password and PIN dos and don’ts:

• Mix it up – use a mixture of upper and lower case letters, numbers and symbols such as !£?

• Change letters to numbers or symbols, for example E becomes 3, S becomes 5. Do this in addition to length and variety, not instead of them: cracking tools try these substitutions automatically, so “Pa55w0rd” is little safer than “password”

• Create long passwords. Treat six characters as the bare minimum; the longer the password, the harder it is for criminals to crack, and length does more for you than any amount of symbol-swapping

• Do use different passwords and PINs on different accounts

• If you suspect someone else knows your password or PIN, change it

• If you need to write passwords down in order to remember them, obscure them so they are indecipherable to other people. A reputable password manager does this job properly and also makes it easy to keep a different password for every account

• Don’t use easy to guess information such as your name, the names of other family members, your pets’ names as your password

• Don’t use the word ‘password’ as your password

• When creating a PIN avoid using ascending or descending numbers, for example 1234 or 4321, repeated numbers (e.g. 9999) or easily recognisable keypad patterns such as 12369 or 2580

• Don't use the same password across different sites. If one site gets hacked and your password is stolen, hackers will often try it on other sites

• Don’t disclose your passwords or PINs to anyone else

Source: Money
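The rules above, turned into a small checker as an added example (this is not code from the article, from Tesco Bank or from Money): it flags passwords that are too short, built on a common word even after the E-to-3 substitutions the list suggests, or containing a personal name; PINs that are runs, repeats or straight lines on a phone keypad; and one password reused across several accounts. The five-word wordlist, the 12-character advised length and the sample passwords and PINs are constructed assumptions, not anything the article provides.

```python
"""Checks for the password and PIN rules listed above.

Added example, not code from the article or from Tesco Bank; the
wordlist and the 12-character advised length are this editor's
assumptions standing in for the dictionaries and policies real systems use.
"""
import string

MIN_LENGTH = 6        # the floor given in the list above
ADVISED_LENGTH = 12   # assumption: a safer floor, since length beats symbol-juggling

# Constructed sample; a cracker's dictionary runs to millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "tesco"}

# The "E becomes 3" substitutions, reversed: cracking tools try these automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

# Phone-style keypad grid, used to spot straight-line patterns such as 2580 or 12369.
KEYPAD = {d: (r, c) for r, row in enumerate(("123", "456", "789", "*0#"))
          for c, d in enumerate(row)}


def normalise(text):
    """Lower-case and undo leet substitutions so 'Pa55w0rd' compares as 'password'."""
    return text.translate(LEET).lower()


def check_password(password, personal=()):
    """Return the rules a password breaks; an empty list means it passed them all."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < ADVISED_LENGTH:
        problems.append(f"shorter than the advised {ADVISED_LENGTH} characters")

    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() and not c.isspace() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")

    # Strip the digits/symbols people bolt on the ends, then undo substitutions.
    core = normalise(password.strip(string.digits + string.punctuation))
    if any(word in core for word in COMMON_WORDS):
        problems.append("built on a common word, even after 3-for-E style substitutions")

    haystack = normalise(password)
    for name in personal:
        if name and name.lower() in haystack:
            problems.append(f"contains personal detail '{name}'")
    return problems


def _keypad_neighbours(a, b):
    """True when two keys touch on the keypad (including diagonally)."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return max(abs(r1 - r2), abs(c1 - c2)) == 1


def check_pin(pin):
    """Return the rules a PIN breaks: runs, repeats and keypad lines."""
    if not pin.isdigit() or len(pin) < 4:
        return ["must be at least four digits"]
    problems = []
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        problems.append("ascending or descending run")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    if all(_keypad_neighbours(a, b) for a, b in zip(pin, pin[1:])):
        problems.append("straight-line keypad pattern")
    return problems


def reused_passwords(credentials):
    """Map each password shared by more than one account to those accounts."""
    by_password = {}
    for account, password in credentials.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Pa55w0rd", "kate2016", "Tr0ub4dor&3xTingu1sh"):
        print(pw, "->", check_password(pw, personal=["Kate"]) or "ok")
    for pin in ("1234", "9999", "2580", "12369", "7392"):
        print(pin, "->", check_pin(pin) or "ok")
    print(reused_passwords({"bank": "Pa55w0rd", "email": "Pa55w0rd",
                            "shop": "Tr0ub4dor&3xTingu1sh"}))
```

The common-word check strips trailing digits and symbols before reversing the substitutions, which is exactly the order a rule-based cracker works in; that is why “Pa55w0rd” is still reported as “password”. The keypad test treats any PIN whose successive digits all touch on a phone keypad as a pattern, which catches 2580 and 12369 from the list as well as other straight or bent lines, while a PIN such as 7392 passes.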
