Halifax, Bank Of Scotland Security Flaw Revealed


A security flaw in some online bank accounts has been exposed by a money-saving website

A major security flaw has been detected in an unspecified number of online bank accounts belonging to customers of the Halifax and Bank of Scotland.

The online security flaw was exposed, unusually, not by a dedicated security researcher but by the MoneySavingExpert.com website.

Responsible Disclosure

The vulnerability centres on the way both banks allowed a newly created online log-in to see a customer's other accounts within the group without any separate credentials for those accounts. All that was needed to obtain the log-in was a correct name, date of birth and postal address, details that are easily discovered by social network mining or even bin diving.

“We unearthed the massive security glitch because a MoneySaver told us when they opened a Bank of Scotland account in their name they were able to view their Halifax current account online despite not having an online log-in for it,” said the website.

When a Halifax customer who volunteered for MoneySavingExpert.com tested it, using only an accurate name, date of birth and postal address, they were able to open a new Bank of Scotland current account in their name, and apparently did not even have to deposit any money into it.

Other questions were apparently asked during the application, but the volunteer gave a number of incorrect answers to them and was still issued a log-in. Once the log-in was generated, the volunteer was able to view their various Halifax accounts online.

MoneySavingExpert.com acted in a responsible manner and alerted both banks (both part of the Lloyds Banking Group), then waited for them to fix the problem before publishing its article. The banks have apparently overhauled their processes so that newly opened accounts will require a postal activation code before online access is granted.
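As an added illustration of the design flaw and of the postal-activation fix described above, the following Python is a constructed model written for this article, not Lloyds Banking Group code. The brand names come from the article; the data model, the application questions, the `BankingGroup` class and its `apply_online`, `redeem_postal_code` and `visible_accounts` methods are assumptions. It issues a log-in on name, date of birth and postcode alone and compares what that log-in can see with and without an activation code that is only delivered to the address on file:

```python
"""Toy model of the cross-brand account-linking flaw and the postal-activation fix.

Added example, not Lloyds Banking Group code. The data model, the application
questions and the activation-code mechanics are assumptions for illustration;
only the shape of the flaw and of the fix follow the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    """The three attributes the flawed flow treated as sufficient proof of identity."""
    name: str
    date_of_birth: str  # ISO 8601, e.g. "1980-01-31"
    postcode: str


@dataclass
class Account:
    brand: str  # e.g. "Halifax" or "Bank of Scotland"
    number: str
    owner: Identity


@dataclass
class Login:
    owner: Identity
    activated: bool  # True once the postal code has been redeemed
    activation_code: Optional[str]  # stands in for the letter sent to the address on file


class BankingGroup:
    """Accounts for several brands, linked to one another by identity attributes."""

    def __init__(self, require_postal_activation: bool) -> None:
        self.require_postal_activation = require_postal_activation
        self.accounts: List[Account] = []
        # Expected answers to the extra application questions (assumed; the
        # article does not say what was asked), keyed by identity.
        self.expected_answers: Dict[Identity, Dict[str, str]] = {}
        self.posted_codes: Dict[str, Identity] = {}  # letters "in the post"

    def add_existing_account(self, account: Account, answers: Dict[str, str]) -> None:
        self.accounts.append(account)
        self.expected_answers[account.owner] = answers

    def apply_online(self, identity: Identity, brand: str, answers: Dict[str, str]):
        """Open a new account online and issue a log-in.

        Returns (login, wrong_answer_count). Wrong answers are counted but, as in
        the reported test, do not stop the log-in being issued in either mode.
        """
        expected = self.expected_answers.get(identity, {})
        wrong = sum(1 for q, a in answers.items() if expected.get(q) != a)
        self.accounts.append(Account(brand, f"{brand}-{len(self.accounts) + 1:06d}", identity))
        if self.require_postal_activation:
            code = f"ACT-{len(self.posted_codes) + 1:04d}"  # toy code; use secrets in practice
            self.posted_codes[code] = identity
            return Login(identity, activated=False, activation_code=code), wrong
        return Login(identity, activated=True, activation_code=None), wrong

    def redeem_postal_code(self, login: Login, code: str) -> bool:
        """Activate the log-in only if the code was posted to this identity's address."""
        if self.posted_codes.get(code) != login.owner:
            return False
        del self.posted_codes[code]
        login.activated = True
        return True

    def visible_accounts(self, login: Login) -> List[Account]:
        """Every account linked to the log-in's identity, across all brands.

        The flaw: with require_postal_activation=False this list is available
        immediately after an online application.
        """
        if not login.activated:
            return []
        return [a for a in self.accounts if a.owner == login.owner]


def scenario(require_postal_activation: bool) -> dict:
    """Replay the reported test against the flawed and the fixed flow."""
    victim = Identity("Jane Doe", "1980-01-31", "EH1 1AA")  # constructed sample data
    group = BankingGroup(require_postal_activation)
    group.add_existing_account(
        Account("Halifax", "Halifax-000001", victim),
        {"mothers_maiden_name": "Smith", "first_school": "Kingsway"},
    )
    # The applicant knows only name, date of birth and postcode and guesses the rest.
    login, wrong = group.apply_online(
        victim, "Bank of Scotland",
        {"mothers_maiden_name": "Jones", "first_school": "Elsewhere"},
    )
    before = sorted({a.brand for a in group.visible_accounts(login)})
    guessed_code_ok = group.redeem_postal_code(login, "ACT-9999")
    if login.activation_code is not None:
        # Only whoever receives the letter at the address on file learns this code.
        group.redeem_postal_code(login, login.activation_code)
    after = sorted({a.brand for a in group.visible_accounts(login)})
    return {"wrong_answers": wrong, "before_activation": before,
            "guessed_code_accepted": guessed_code_ok, "after_activation": after}


if __name__ == "__main__":
    print("flawed:", scenario(require_postal_activation=False))
    print("fixed: ", scenario(require_postal_activation=True))
```

Two things the model makes visible: the extra application questions add no assurance if wrong answers are not enforced, and the postal code works because it is an out-of-band factor bound to the address already on file, so an applicant who typed in someone else's address never receives it. A real implementation would also enforce the question answers and generate codes with `secrets` rather than a counter.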

“We’d like to thank MoneySavingExpert.com for bringing this issue to our attention and providing us with the time to investigate this fully,” a Lloyds Banking Group spokesman was reported as saying.

“We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems,” said the spokesman. “We recognise that allowing customers to view linked accounts immediately following an online application could have been used inappropriately in certain, limited circumstances and this will no longer happen.”

“In a world where scammers and hackers are getting ever more powerful we need our banks to step up their action; this isn’t good enough,” said Martin Lewis, MoneySavingExpert.com founder. “The ability to easily view all of someone’s banking details is a criminal’s Christmas, never mind the potential privacy breach.”

“We are often told to protect ourselves but they need to act in a way that protects us too,” said Lewis. “This wasn’t some clever hacker finding a breach, it was simply a design flaw. If they’re not much more professional than phishing websites, how are we to judge who’s real and who’s a fraud?”

Ongoing Battle

The Information Commissioner’s Office (ICO) has been notified and is considering what next steps may be appropriate.

It remains to be seen whether MoneySavingExpert.com received a bug bounty for its troubles.

Banks are fighting a constant battle to upgrade their security.

A study this summer revealed that security is now the top priority for most younger UK consumers when choosing a bank. Indeed, many would even consider providing a DNA sample in order to improve the security of remote banking access.

Trend Micro meanwhile has noted a rise in fraud targeting online banking services, with European infections of the Dyre banking malware surging in the first quarter of this year.
