Incident: Tesco Bank Cyber Attack: Visa Card Payment System Exploited

Published Date: 2016-12-01

Postmortem Analysis
Timeline
1. The software failure incident at Tesco Bank, where customers were defrauded of £2.5m, happened last month according to the article [49573].
2. Published on 2016-12-01 08:00:00+00:00.
Estimation:
- The incident happened in the month before the article was published in December 2016.
- Therefore, the software failure incident at Tesco Bank likely occurred in November 2016.

System
1. Visa card payment system [49573]

Responsible Organization
1. Criminals exploiting flaws in the Visa card payment system [49573]

Impacted Organization
1. Tesco Bank customers were impacted by the software failure incident [49573].

Software Causes
1. The software cause of the failure incident was an unsophisticated type of cyber attack known as a "distributed guessing attack" that exploited flaws in the Visa card payment system, allowing criminals to guess and obtain card details within seconds [49573].

Non-software Causes
1. The failure incident at Tesco Bank was caused by an unsophisticated type of cyber attack that exploited flaws in the Visa card payment system, allowing criminals to defraud customers of £2.5m [49573].

Impacts
1. The software failure incident resulted in the defrauding of Tesco Bank customers of £2.5 million [49573].
2. The incident affected 9,000 customers of Tesco Bank [49573].
3. The incident highlighted the need for banks to work together in the interests of all customers and the financial system [49573].

Preventions
1. Implementing stronger fraud prevention measures within the payment system, such as multiple layers of security features to protect online payments from fraud, as suggested by Visa [49573].
2. Utilizing systems like MasterCard's that are able to detect and prevent guessing attacks after a limited number of attempts, as demonstrated in the research [49573].
3. Encouraging the use of 3D Secure technology by online retailers to provide extra protection against such attacks, as it was found to be effective in preventing the distributed guessing attack method [49573].

Fixes
1. Implementing additional layers of fraud prevention within the payments system to make transactions more secure [49573].
2. Utilizing systems like MasterCard's that are able to detect and prevent such guessing attacks after a limited number of attempts [49573].
3. Encouraging the use of 3D Secure technology by online retailers to provide extra protection against such attacks [49573].

References
1. The team of academics at Newcastle University [49573]
2. Visa [49573]
3. Tesco Bank [49573]
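One way to realise the "detect and prevent guessing attacks after a limited number of attempts" control from item 2 of Preventions and Fixes, written here as an added example that is not from the article or from any card network's actual systems: an issuer-side counter of declined authorisation attempts per card number, aggregated across every merchant, with a sliding time window. The threshold (5), window (600 s) and the test card number are assumptions; the simulation also shows why a counter kept separately by each merchant never reaches the threshold when the guesses are spread across merchants.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # assumed sliding window for counting failures
MAX_FAILURES = 5      # assumed threshold; the article gives no exact number


class IssuerGuessLimiter:
    """Counts declined attempts per card across ALL merchants (issuer view).
    Once a card reaches MAX_FAILURES within WINDOW_SECONDS it is blocked,
    and every later attempt is refused no matter which merchant sends it."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # pan -> timestamps of declines
        self.blocked = set()                  # pans held for manual review

    def _prune(self, pan, now):
        # Drop failure timestamps that have aged out of the window.
        q = self._failures[pan]
        while q and now - q[0] > self.window:
            q.popleft()

    def authorise(self, pan, merchant, fields_correct, now):
        """Return 'blocked', 'approved' or 'declined' for one attempt."""
        self._prune(pan, now)
        if pan in self.blocked:
            return "blocked"
        if fields_correct:
            return "approved"
        self._failures[pan].append(now)
        if len(self._failures[pan]) >= self.max_failures:
            self.blocked.add(pan)  # cross-merchant count tripped
            return "blocked"
        return "declined"


def simulate_distributed_guessing(n_merchants=4, per_merchant=2):
    """Constructed scenario: one card, wrong details sent to several
    merchants, only `per_merchant` attempts at each. Returns the issuer's
    decisions and the largest failure count any single merchant observed."""
    limiter = IssuerGuessLimiter()
    pan = "4000000000000002"  # constructed test number, not a real card
    seen_by_merchant = defaultdict(int)
    decisions, t = [], 0
    for m in range(n_merchants):
        for _ in range(per_merchant):
            t += 1
            seen_by_merchant[m] += 1  # what a per-merchant counter would see
            decisions.append(limiter.authorise(pan, f"merchant-{m}", False, t))
    return decisions, max(seen_by_merchant.values())
```

With the defaults, each merchant sees only 2 failures for the card (below any sensible per-merchant limit), while the issuer-level counter blocks the card on the fifth attempt and refuses the rest.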

Software Taxonomy of Faults

Category | Option | Rationale

Recurring | one_organization, multiple_organization
(a) The software failure incident related to the distributed guessing attack on the Visa card payment system that led to the Tesco Bank fraud of £2.5m is an example of a software failure incident that happened within the same organization (Tesco Bank) again. This incident was described as unprecedented and affected 9,000 customers, resulting in the theft of £2.5m [49573].
(b) The distributed guessing attack method identified by the Newcastle University team as a vulnerability in the Visa card payment system could potentially impact multiple organizations that use Visa cards for online transactions. The attack exploited vulnerabilities at Visa and hundreds of popular retail websites, indicating a broader risk for the various organizations that rely on Visa for payment processing [49573].

Phase (Design/Operation) | design, operation
(a) The design-phase aspect of the software failure incident can be attributed to the flaws in the Visa card payment system that allowed the cyber attack known as the "distributed guessing attack" to exploit vulnerabilities in the system. The attack method identified by the Newcastle University team involved criminals using merchants' payment websites to guess people's card details by generating different variations of a card's security data [49573].
(b) The operation-phase aspect can be seen in the Tesco Bank cyber-attack, where criminals were able to defraud customers of £2.5m by exploiting the vulnerabilities in the Visa card payment system. The attack involved using software to automatically generate different variations of card security data and sending them to multiple websites to validate them, ultimately leading to the theft of funds from customer accounts [49573].

Boundary (Internal/External) | within_system
(a) The software failure incident related to the Tesco Bank cyber-attack can be categorized as within_system. The incident involved a type of cyber attack known as a "distributed guessing attack" that exploited vulnerabilities within the Visa card payment system, allowing criminals to guess people's card details [49573]. The attack method identified by the Newcastle University team involved using merchants' payment websites to guess card details, indicating that the failure originated from within the system's security mechanisms.

Nature (Human/Non-human) | non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions: The software failure incident reported in the articles was due to a type of cyber attack known as a "distributed guessing attack" that exploited vulnerabilities in the Visa card payment system [49573]. This attack method involved criminals using software to automatically generate different variations of a card's security data and sending them to multiple websites to guess people's card details. The attack was able to circumvent the security features put in place to protect online payments from fraud, highlighting a failure introduced by non-human actions in the form of cyber attacks.
(b) The software failure incident occurring due to human actions: The incident involving the Tesco Bank cyber-attack, where £2.5m was stolen from 9,000 customers, was attributed to a hacking method that involved criminals exploiting vulnerabilities in the Visa payment system [49573]. The criminals used software tools and their own bank cards to carry out an experimental distributed guessing attack, demonstrating how human actions in the form of hacking activities led to the software failure incident.

Dimension (Hardware/Software) | software
(a) The software failure incident related to hardware: The incident reported in the article does not mention any hardware-related failures that contributed to the cyber attack on Tesco Bank customers [49573].
(b) The software failure incident related to software: The software failure incident reported in the article is primarily due to vulnerabilities in the Visa card payment system that were exploited by criminals using a distributed guessing attack method [49573].

Objective (Malicious/Non-malicious) | malicious
(a) The software failure incident reported in the articles is malicious in nature. The incident involved a cyber attack on the Visa card payment system that exploited flaws to defraud Tesco Bank customers of £2.5m. The attack was described as an unprecedented attack on Tesco Bank's online accounts, affecting 9,000 customers and resulting in the theft of funds. The attack utilized a distributed guessing attack method to guess people's card details and make fraudulent transactions. The attack was carried out by criminals using software to automatically generate variations of card security data and send them to multiple websites to validate the guesses [49573].

Intent (Poor/Accidental Decisions) | poor_decisions
[49573] The software failure incident related to the Tesco Bank cyber-attack was primarily due to poor decisions made in the design and implementation of the Visa card payment system. The incident was caused by an unsophisticated type of cyber attack that exploited flaws in the Visa system, allowing criminals to easily guess and obtain card details within seconds. The vulnerabilities in the system, such as the inability to detect multiple invalid payment requests on the same card from different websites, contributed to the success of the attack. Additionally, the lack of robust security features and the failure to prevent such distributed guessing attacks highlighted poor decisions in the system's architecture and defenses.

Capability (Incompetence/Accidental) | development_incompetence
(a) The software failure incident related to development incompetence is evident in the case of the Tesco Bank cyber-attack. The attack exploited vulnerabilities in the Visa card payment system, allowing criminals to guess and obtain card details within seconds, leading to the theft of £2.5m from Tesco Bank customers [49573].
(b) The software failure incident was accidental in the sense that the distributed guessing attack method used by criminals to defraud Tesco Bank customers was not a deliberate design flaw in the payment system but rather a vulnerability that was exploited by hackers. The attack was described as "frighteningly easy" to carry out with just a laptop and an internet connection, highlighting the accidental nature of the vulnerability [49573].

Duration | temporary
(a) The software failure incident in this case was temporary. The incident involved a cyber attack that exploited flaws in the Visa card payment system, allowing criminals to defraud Tesco Bank customers of £2.5m. The attack was described as a distributed guessing attack method that could circumvent security features and exploit vulnerabilities at Visa and various retail websites. The attack involved criminals using software to automatically generate different variations of card security data and sending them to multiple websites to guess people's card details. The attack was successful in stealing money from 9,000 customers but was not a permanent failure, as it was due to specific vulnerabilities in the system that were exploited by the attackers [49573].

Behaviour | value, other
(a) crash: The incident reported in the article does not involve a crash where the system loses state and stops performing its intended functions. The software in question continued to operate, allowing the criminals to exploit the vulnerabilities in the Visa card payment system without the system crashing [49573].
(b) omission: The software failure incident is not related to the system omitting to perform its intended functions at one or more instances. Instead, the incident involves criminals exploiting vulnerabilities in the system to obtain card details and conduct fraudulent transactions [49573].
(c) timing: The failure is not related to the system performing its intended functions too late or too early. The criminals were able to exploit the system's vulnerabilities in real time to quickly obtain the necessary card details for fraudulent transactions [49573].
(d) value: The software failure incident is related to the system performing its intended functions incorrectly. Criminals were able to use the distributed guessing attack method to obtain card details and conduct fraudulent transactions, indicating a failure in the system's security measures [49573].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. The criminals' actions were systematic and targeted, exploiting specific vulnerabilities in the Visa card payment system to carry out fraudulent activities [49573].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability exploit. Criminals utilized a specific method, the distributed guessing attack, to exploit flaws in the Visa card payment system and successfully defraud Tesco Bank customers. This behavior highlights a critical security weakness in the system that allowed unauthorized access and fraudulent transactions to occur [49573].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale

Consequence | property
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving Tesco Bank resulted in the theft of £2.5m from 9,000 customers [49573]. The criminals exploited vulnerabilities in the Visa card payment system to defraud the bank's customers, highlighting the impact on people's financial assets due to the software failure.

Domain | finance
(a) The failed system was related to the finance industry, specifically the Visa card payment system, which was exploited in a cyber attack to defraud Tesco Bank customers [49573].
(h) The incident involved the manipulation and movement of money for profit, as criminals exploited vulnerabilities in the Visa payment system to steal £2.5m from Tesco Bank customers [49573].

Sources
