A major account authentication flaw might have exposed as many as 23,000 customers of Halifax and Bank of Scotland to fraud and data theft for over six years.
The design flaw potentially exposed customer data, including savings, loan and credit card details, to fraudsters without them even hacking into the the banking system.
The flaw allowed any customer with a bank account at one of the two banks to create a new account at the other bank by just accurately answering three basic questions in a pool of other security questions, which a customer may answer wrong. Upon account approval, the customer would be instantly allowed online access to the banking website and could then see important account information, such as balances and account numbers, without having an approved online banking account for the other bank.
The two banks, which are part of the same parent company — Lloyds Banking Group — collectively have over 22 million customers, but the banks say the number of exposed accounts cannot be more than 23,000.
“We recognize that allowing customers to view linked accounts immediately following an online application could have been used inappropriately in certain, limited circumstances, and this will no longer happen,” said a spokesman for the Lloyds Banking Group.
While the Lloyds Banking Group said it believes no customers were actually affected, there still might be a good chance of a breach as the system that exposed customer details came into effect in 2009 and went unnoticed by the bank, according to MoneySavingExpert, the website which came across the breach and allowed the bank to fix it before reporting it.
The website reported the flaw to the bank when one of its readers tipped the website about being able to access account details for a Halifax account without having a login account for it through a newly opened Bank of Scotland account.
“In a world where scammers and hackers are getting ever more powerful, we need our banks to step up their action. This isn’t good enough. The ability to easily view all of someone’s banking details is a criminal’s Christmas, never mind the potential privacy breach,” said Martin Lewis, founder of MoneySavingExpert.
To check out what else is HOT in the world of payments, click here.