UK's Lloyds Banking Group scrambles to patch account-snooping security hole

Lloyds Banking Group – a major financial outfit in the UK – has closed a security flaw that potentially exposed banking records on tens of thousands of Brits. The vulnerability would have allowed criminals to open an account using only a person's name, address, and date of birth, and then view other accounts that person had …

  1. Dadmin
    Happy

    let me help fix that quote, friend!

    "no instances of fraud have been reported" because the security hole in question was so obvious that most clever hackers thought it was a honeypot.

    Sorry, lads and ladies for all my extra chatter. I'll be quiet now.

  2. Camilla Smythe

    "We take...

    "We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems,"

    "We fucked up and have now fixed stuff... a bit... until the next time. We would also like to give our thanks to those who discovered our mistakes and acted responsibly by not disclosing those mistakes prior to telling us how to fix them and giving us time to do so. In order to improve shareholder value we are now proactively waiting for others to inform us of other flaws that might exist within our systems."

    FTFY

    1. Anonymous Coward

      Re: "We take...

      "We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems,"

      Yeah and... So how did this bug happen? Why wasn't it found before the system went live? Why didn't these "advanced safeguards" stop it?

    2. Just a geek
      Facepalm

      Re: "We take...

      I asked Halifax if they'd consider adding some sort of two factor and was told "We take security extremely seriously. We've made a note of your suggestion and thank you for contacting us".

      In other words "We take security seriously until we don't and that sounds like effort so bugger off".

  3. Bota

    We take the financial security of our customers extremely seriously

    Did they also work for Ashley Madison?

  4. frank ly

    Bank Of Scotland Halifax

    It's filthy and it's got pigeons nesting in it. I'm sorry but that picture offended my sense of decor(um).

  5. Martin Summers

    This has surely got to be rated as one of the most major f*** ups seen this year and someone really should get the high jump. No doubt they had previously sacked people who knew what they were doing to get to this stage.

    1. VinceH

      Unfortunately, though, because it was found and dealt with before anyone lost anything significant - privacy of account contents notwithstanding - it will be looked upon as exactly the opposite.

      The logic being that a flaw like that existing in the first place is a major fuck up, but they fixed it before anything happened that made it Big News(tm), so Joe Public (other than technical and security types) didn't get to hear about it, and that's a huge success. Fat bonuses all round.

  6. Anonymous Coward

    You say bug he says feature

    Wouldn't surprise me if this was pitched as a feature originally, sort of a "look, you can see all your info in one place" thing, common login etc.

    1. Anonymous Coward

      Re: You say bug he says feature

      That's clearly what it is.

      The bug was not verifying that you are the person whose address and DOB you just entered, not the fantastic "all your accounts in one place" feature.

      1. Dale 3

        Re: You say bug he says feature

        It's not a technical bug, it's a problem with the process. Technically it worked as designed, just the design wasn't so well thought out.

        1. The Mole

          Re: You say bug he says feature

          Yes it is a bug. It may be a bug in the requirements and design but that is still a bug in the application. I'd agree it's not a coding bug but it is still basic functionality that the test team should have discovered and raised.

          1. Vic

            Re: You say bug he says feature

            it is still basic functionality that the test team should have discovered and raised.

            It should have been found and fixed long before it got anywhere near the test team...

            Vic.

  7. Peter 26

    Halifax had a similar bug a couple of years ago

    I noticed a similar bug a couple of years ago with Halifax. I set up a standing order to a friend to pay them some money. I put in the sort code and account number. Once complete it showed my friend's account name in my standing order list (initials and surname), yet I had never entered it. (They were also a Halifax customer). I tried one other random account number, changing the last digit till I got one that worked, and sure enough it showed me their name...

    I wasn't really sure what I could do with this info, then a week later this "feature" had vanished.
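The two leaks discussed on this page, the PII-based account linking in the article and the payee-name lookup Peter 26 describes above, come down to the same design mistake: an oracle that hands back account data on the strength of facts an attacker can easily obtain. The toy model below is an added example, not code from Lloyds, Halifax or the article; every customer, address and account number in it is constructed, and the `outbox` dictionary stands in for whatever out-of-band channel a bank would really use to reach an existing account holder. It shows the vulnerable linking beside a version that matches on the same PII but only uses the match to decide where to send a one-time code, and the name-revealing payee lookup beside a confirm-only check of the kind the UK's Confirmation of Payee scheme later introduced.

```python
"""Toy model of two account-data leaks: PII-based account linking (the
article's flaw) and a payee-name lookup that can be enumerated (the comment
above). Added example; all identities and account numbers are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    name: str
    address: str
    dob: str  # ISO date, e.g. "1980-01-01"


@dataclass
class Account:
    number: str
    brand: str
    holder: Identity
    linked: set = field(default_factory=set)


# Constructed sample customer with accounts at two brands of one group.
ALICE = Identity("A Smith", "1 High Street, Leeds", "1980-01-01")


def make_sample_bank():
    """Fresh group-wide ledger so each scenario starts from the same state."""
    return {
        "10000001": Account("10000001", "Halifax", ALICE),
        "10000002": Account("10000002", "Bank of Scotland", ALICE),
    }


def _pii_matches(bank, number, applicant):
    """Existing accounts whose holder has the applicant's name, address, DOB."""
    return [o.number for o in bank.values()
            if o.number != number and o.holder == applicant]


def open_account_vulnerable(bank, number, brand, applicant):
    """Links the new account to every existing account with matching PII.
    Knowing a victim's name, address and DOB is therefore enough to see
    the victim's other accounts: the flaw the article describes."""
    acct = Account(number, brand, applicant)
    bank[number] = acct
    acct.linked.update(_pii_matches(bank, number, applicant))
    return sorted(acct.linked)


def open_account_hardened(bank, number, brand, applicant, outbox):
    """Same PII match, used only to decide where to send a one-time code.
    Nothing is linked, and no candidate is revealed to the applicant, until
    they echo the code, i.e. prove control of the candidate account.
    `outbox` models delivery to the candidate's registered contact (assumed)."""
    acct = Account(number, brand, applicant)
    bank[number] = acct
    for cand in _pii_matches(bank, number, applicant):
        outbox[(number, cand)] = secrets.token_hex(4)
    return sorted(acct.linked)  # always [] until a code is confirmed


def confirm_link(bank, outbox, number, candidate, supplied):
    """Single-use code, constant-time compare; a wrong guess learns nothing."""
    expected = outbox.get((number, candidate))
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    del outbox[(number, candidate)]
    bank[number].linked.add(candidate)
    return True


def payee_name_vulnerable(bank, number):
    """The standing-order 'feature' from the comment: any valid account
    number returns the holder's name, so numbers can be walked for names."""
    acct = bank.get(number)
    return acct.holder.name if acct else None


def payee_name_check(bank, number, claimed_name):
    """Confirm-only lookup: the caller supplies a name and learns only whether
    it matches. Unknown number and wrong name give the same answer, which
    removes the enumeration oracle."""
    acct = bank.get(number)
    return bool(acct) and acct.holder.name.casefold() == claimed_name.casefold()
```

The hardened linking still performs the PII match, because that is a reasonable way to find candidate accounts; what changes is that the match is never itself treated as proof of identity, and the applicant sees nothing until the real account holder has been reached. The confirm-only payee check gives the same answer for "no such account" and "wrong name", which is what stops an enumeration of the kind the commenter tried.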

  8. Anonymous Coward

    So a load of customers had their personal details put into the public domain ....

    ....but luckily a white hat told us before anything bad could happen so everything is cool?

    Oh it is okay, "so far" there hasn't been any fraud (we know of) committed against those exposed, so let's pretend it didn't happen.

    I would presume they have notified these people that they have been exposed so they can have some proof when they do get credit blacklisted, HA yeah right.

    I am betting that when these people find themselves victims of identity theft RBoS will walk quickly away whilst whistling and rolling their eyes.

    There should be a control of what information Banks are allowed to collect and store since they are clearly not putting their customers security first

    1. Alister

      Re: So a load of customers had their personal details put into the public domain ....

      @AC

      So a load of customers had their personal details put into the public domain

      Um no, not into the public domain, just accessible if you were able to set up a matching account.

      There should be a control of what information Banks are allowed to collect and store

      I rather think banks probably do need to collect and store name, address and account details for their customers, otherwise it would be quite difficult for them to identify the customer's accounts.

      Maybe if customers didn't splash their names, dates of birth and addresses all over social media, it would make life a bit more difficult for those with criminal intent.

      However, that doesn't excuse the bank's imbecility in linking accounts between the two businesses.

  9. Anonymous Coward
    Joke

    It's a bug they know about...

    ....it's caused by an interim step while they get the "Login Using Facebook" part sorted.

  10. Santa from Exeter

    Questionable link?

    Whilst I agree this is a pretty serious flaw, I hardly think it's appropriate to link it to the Certificate screwups as the article did. After all, HBOS et al had absolutely no control over that

  11. hatti

    Translation

    "We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems,"

    "We have stopped using work experience noobs and interns and have reluctantly paid for someone who can spell encrypshun and seKuritee to code over the cracks."

    1. Zmodem

      Re: Translation

      people who can't spell are the ones who find 90% of exploits of those who can spell, every bit of software that is not open source probably has a thousand exploits in

  12. Zmodem

    tens of thousands is still better than millions
