Tesco Bank hack: how to make your account safer
Six steps to protect your bank account from fraudsters
09 November 2016
Tesco Bank is seeking to reassure customers that normal service has resumed following Saturday's 'sophisticated, systemic attack' against its online banking operation.
The hack, during which 9,000 customers had money stolen from their accounts, was an ‘unprecedented’ attack on the UK banking sector, according to the Financial Conduct Authority.
Tesco Bank has now paid out a total of £2.5m to affected customers.
How did the hack happen?
The new National Cyber Security Centre, based out of GCHQ, is now investigating who was behind the attack. But whether it was a criminal gang operating out of Brazil, state-sponsored hackers from North Korea, or a well-placed bank employee, the growing complexity of our banks’ online security is now under scrutiny.
The Tesco Bank hack could have ‘broader implications’ for the entire banking sector, the FCA’s chief executive Andrew Bailey reportedly told the Treasury Select Committee.
How to protect your account
With the prospect that other UK banks could be next, what could we all be doing to better protect our accounts? Against the sort of coordinated attack perpetrated against Tesco, the answer - unfortunately - is 'next to nothing.'
But there are plenty of other steps we can all take to protect ourselves against smaller scale attacks and opportunistic scammers.
1. Check your inbox
Watch out for emails purporting to be from Tesco Bank and delete them immediately. Never click on links in emails unless you’re sure they’re genuine. Scammers will now be looking to exploit the publicity and fear generated by the hack.
2. Don't sacrifice security for convenience
Until someone invents an unhackable system, there will always be a trade-off between security and convenience. As long as customers complain about inconvenience, banks will sacrifice security to reduce the hassle factor.
If you want to improve the security of your own accounts you have to accept a higher degree of inconvenience. If your bank offers two-factor authentication for login, for example, activate it immediately.
We recently tested the customer-facing online security of 11 leading banks. You can see the results here.
3. Scrutinise your statements
As with the Tesco hack, fraudsters will often take small amounts from a large number of people to minimise, or slow down, detection. Scrutinise your statements closely and frequently and immediately query any suspect transactions.
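The pattern described above, many small debits spread across many customers, is easiest to spot on your own statement by comparing each period against the payees you have already checked. The script below is an added illustration, not code from the article or from Tesco Bank; the statement lines are constructed sample data and the £25 "small amount" threshold is an assumed choice. It flags every debit to a payee not seen in earlier, already-checked periods and spells out why, so that a run of small repeated debits to an unfamiliar name stands out.

```python
from collections import Counter, defaultdict

# Constructed sample statement lines, not real Tesco Bank data.
# Each entry is (date, payee, amount in GBP); debits are negative.
HISTORY = [  # earlier periods the customer has already checked
    ("2016-09-02", "TESCO STORES 2310", -54.20),
    ("2016-09-05", "BRITISH GAS", -88.00),
    ("2016-09-28", "ACME LTD SALARY", 2100.00),
    ("2016-10-03", "TESCO STORES 2310", -61.75),
    ("2016-10-05", "BRITISH GAS", -88.00),
    ("2016-10-28", "ACME LTD SALARY", 2100.00),
]

CURRENT = [  # the statement period being scrutinised (also constructed)
    ("2016-11-02", "TESCO STORES 2310", -58.10),
    ("2016-11-04", "ONLINE MKT 4471", -9.99),
    ("2016-11-05", "BRITISH GAS", -88.00),
    ("2016-11-05", "ONLINE MKT 4471", -9.99),
    ("2016-11-06", "ONLINE MKT 4471", -9.99),
    ("2016-11-07", "CASH WDL 19 HIGH ST", -20.00),
]

SMALL_DEBIT = 25.00  # assumed threshold for a "small" debit, a hypothetical choice


def known_payees(history):
    """Payees the customer has already paid in earlier, checked periods."""
    return {payee for _, payee, amount in history if amount < 0}


def suspicious_debits(current, history, small=SMALL_DEBIT):
    """Return (date, payee, amount, reason) for each debit to a payee not seen
    in history. Small and repeated debits get those reasons spelled out, since
    that is the pattern that slows detection."""
    known = known_payees(history)
    unknown = [t for t in current if t[2] < 0 and t[1] not in known]

    # Count hits and sum the money taken per unfamiliar payee.
    hits = Counter(payee for _, payee, _ in unknown)
    totals = defaultdict(float)
    for _, payee, amount in unknown:
        totals[payee] += -amount

    flagged = []
    for day, payee, amount in unknown:
        reasons = ["new payee"]
        if -amount <= small:
            reasons.append("small amount")
        if hits[payee] > 1:
            reasons.append(f"repeated {hits[payee]}x, total {totals[payee]:.2f}")
        flagged.append((day, payee, amount, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for day, payee, amount, reason in suspicious_debits(CURRENT, HISTORY):
        print(f"{day}  {payee:<22} {amount:>9.2f}  [{reason}]")
```

Anything the script flags is a prompt to query the transaction with your bank, not proof of fraud: the cash withdrawal in the sample is flagged only because it is new and small, and you would recognise it yourself. Keeping the history up to date with the payees you have confirmed is what makes the next period's check useful.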
4. Be extra vigilant on Fridays
It’s common for hackers and scammers to attack on Friday afternoons or over the weekend, when banks are harder to reach and a fraud may run for longer before anyone acts on it. In the case of Tesco there was little customers could do but endure the excruciatingly long wait times to reach customer service.
Be exceptionally vigilant on Friday afternoons, particularly if you get an email claiming to be from your builder with new account details, or a call purporting to be from your bank’s fraud department.
5. Strengthen your passwords
Hackers know people often use the same password for different accounts, so they will try credentials obtained from the hack of one site against accounts on other sites. Use a different password for every online account. The more sensitive the account, such as online banking or email, the stronger the password should be.
Beware of using information for your passwords and passcodes that hackers could find online, such as birthdays and anniversaries. Invent answers to memorable security questions, such as place of birth, to further confound would-be hackers. Consider using a password manager to help you keep track.
6. Know your rights
You have greater protection against some types of fraud than others. Where the fault is with the bank, as with the Tesco hack, you will get your money back.
Regardless of whether it's been caused by a hack, your bank must reimburse you for unauthorised payments, unless it has evidence that you acted with gross negligence or fraudulently.
Banks are under no such obligation if you make a voluntary bank transfer. You should never transfer money directly unless you’re convinced the recipient is who they claim to be.