Lloyds Banking Group – a major financial outfit in the UK – has closed a security flaw that potentially exposed banking records on tens of thousands of Brits.
The vulnerability would have allowed criminals to open an account using only a person's name, address, and date of birth, and then view other accounts that person had with Halifax-Bank of Scotland (HBOS).
The flaw, now patched, involved a combination of poor account verification and a feature that linked Halifax and Bank of Scotland accounts online. An attacker could look up the date of birth and address of a person on social networking or other public websites, then open an account with any email address.
Once the account was created with either Halifax or Bank of Scotland, accounts from the other brand's site would also be viewable.
For example, an attacker could use the name, address, and DoB of a Bank of Scotland customer to open an online account on Halifax, which would then be linked with the target's Bank of Scotland account to make the details of both accounts, including account numbers and balances, viewable to the attacker.
Guy Anker, managing editor of personal finance advice site moneysavingexpert.com, which broke the news, said his team delayed going public about the vulnerability until the issue was fixed: HBOS now requires the accounts to be verified with a code sent via post.
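To make the design point concrete, here is an added Python sketch (not code from Lloyds, HBOS, moneysavingexpert.com or The Register) contrasting account linking that trusts name, address and date of birth alone with linking that waits for a one-time code delivered to the address already on file; the customer record, brand labels and account numbers are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    name: str
    address: str
    dob: str
    brand: str       # "Halifax" or "Bank of Scotland"
    account_no: str  # constructed sample identifier, not a real account


# Constructed sample data: one existing Bank of Scotland customer.
DIRECTORY = [
    Customer("A. Example", "1 High Street", "1970-01-01", "Bank of Scotland", "BOS-0001"),
]


def matching_customers(name: str, address: str, dob: str) -> list[Customer]:
    return [c for c in DIRECTORY if (c.name, c.address, c.dob) == (name, address, dob)]


def link_accounts_vulnerable(name: str, address: str, dob: str) -> list[str]:
    """The flawed behaviour: anyone who knows these three public facts is linked."""
    return [c.account_no for c in matching_customers(name, address, dob)]


class PostalVerifier:
    """Hardened linking: a one-time code goes to the address on file; the link is
    only made when that code is presented back (a possession check, not knowledge)."""

    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, list[str]]] = {}

    def start(self, applicant: str, name: str, address: str, dob: str) -> str:
        matches = matching_customers(name, address, dob)
        code = secrets.token_hex(4)
        # The code is posted to the matched customer's own address, never to the
        # applicant's email; it is returned here only so the demo can exercise it.
        self.pending[applicant] = (code, [c.account_no for c in matches])
        return code

    def confirm(self, applicant: str, presented: str) -> list[str]:
        entry = self.pending.pop(applicant, None)  # one attempt per issued code
        if entry is None:
            return []
        code, accounts = entry
        return accounts if hmac.compare_digest(code, presented) else []
```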
A Lloyds Banking Group spokesperson confirmed the security shortcoming to The Register, and said about 23,000 customers were affected by the issue, but no instances of fraud have been reported.
"We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems," the company told El Reg.
"All applications are scrutinized for anything suspicious, and this triggers further action immediately."
Word of the blunder comes on the heels of another security incident involving Lloyds Banking brands. In that case, it was discovered that fake banking sites mimicking Halifax and NatWest had mistakenly been awarded security certificates that could potentially be used to dupe users into handing over account details. ®