Print
Discuss
Send to friend
RSS feeds
Daily news podcastA security hole in Lloyds TSB's internet banking service is finally to be fixed, nearly two months after a customer alerted the bank to the problem.
The hole was discovered in August by prominent IT services analyst Richard Holway, whose company is a Lloyds customer.
"The first thing I did was to telephone the customer care people, all the way up through these stupid lackeys giving me this party line that I could turn it off if I wished and that was up to me," he said.
"They only responded differently when I identified myself as an industry analyst."
Holway finally received a letter from Lloyds TSB dated 13 October saying that after an investigation, the 'AutoSave Password' feature is to be disabled from its service.
The flaw occurs if the AutoSave Password feature on a customer's desktop is enabled. A cookie that stores the Lloyds TSB account username and password allows anyone with access to the PC to enter the account.
"After logging in once, the username and password were automatically remembered. In other words, anyone using my PC had unrestricted access to my account," said Holway.
The flaw is similar to one discovered by Barclays' online customers in August, whereby using a browser's back button after logging out still took customers back into the account, without the need for logging in again.
Barclays said at the time it was working on a process to automatically delete the cache after logging out, but a spokeswoman this week said this would not be done until the next website update, sometime before the end of the year.
"It is something we are developing, and it will go live with our next release of software," she said.
First published in Computing
See also:
Roger Moore, who played British secret agent James Bond in the 1970s and 1980s, has had his Swiss bank account details published on the web following an error by bankers Credit Suisse. 09 Nov 2000All Hacking
del.icio.us
Digg this
reddit!
