WELWYN GARDEN CITY, U.K.–The November data breach announced by Tesco Bank was the result of issuing sequential debit card numbers, a practice most issuers avoid, according to one new report.
Some 9,000 customers had their accounts compromised, leading to £2.5m of losses. But Tesco’s practices exacerbated the problem, analysts say, because the practice of using sequential numbers allowed hackers to remain undetected while working quickly through thousands of cards, according to the Financial Times.
The Financial Times said that Tesco Bank refused to confirm whether it had issued sequential card numbers or if it had recently changed its practices in this area. It said in an emailed statement to the publication, “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident. However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”
Cyber security experts and banking executives told the Financial Times that issuing sequential card numbers makes it easier for hackers to guess the expiry dates and security codes without alerting the bank that there is a risk of fraud.
The Financial Times further reported that researchers at Newcastle University said in a recent paper that they had identified a flaw in Visa’s security system, which allowed hackers to guess a customer’s card number, expiry date and security code in “as little as six seconds” by using an automated program to fire numbers at hundreds of websites until one worked.
Because Visa — unlike MasterCard — allows unlimited attempts to enter payment card details at different websites, hackers were likely to have used a “distributed guessing attack” to steal money from Tesco Bank customers, the researchers found, according to the Financial Times.