MSE News: Santander calms online banking hack fears

edited 30 November -1 at 1:00AM in Budgeting & Bank Accounts
13 replies 4.7K views
MSE_GuyMSE_Guy MSE Staff
1.7K Posts
I've been Money Tipped! Newshound! Chutzpah Haggler
edited 30 November -1 at 1:00AM in Budgeting & Bank Accounts
This is the discussion thread for the following MSE News Story:

"The banks says no customer data is at risk after the failure of one of its online systems ..."
Read the full story:
Santander calms online banking hack fears


OfficialStamp.gif

See the original thread which contained rumours of a potential hack.
«1

Replies

  • corbyboycorbyboy Forumite
    1.2K Posts
    Part of the Furniture
    ✭✭✭
    I call !!!!!!!! on this response.

    There were some very specific details in the original message by mattcodes this morning (who was unfairly hammered by other posters by the way). The Santander statement does nothing to answer these details.

    Can Santander confirm or deny that there was an injection of code linked to polycache.com within the advanced-web-analytics.com code?
  • jamesdjamesd Forumite
    25.4K Posts
    Part of the Furniture 10,000 Posts Name Dropper
    ✭✭✭✭✭
    All, there's no need to worry about the security of the script being injected if A&L says it's from a trusted source and is the script that they expect to have run. That is: don't expect it to be a hack to steal login details from A&L online banking and don't worry about the security of your online A&L banking today just because of this.

    What's interesting and not commented on by A&L is what the script that has multiple online banking URLs was doing with them. Possibilities include checking whether you've used those sites and stealing that personal information about what other sites you use. That wouldn't be a security issue for the A&L site but would still be objectionable.

    It is a security concern because the use of third party sites increases the number of sites that can be attacked and which could then compromise the security of the A&L site if the script provided by one of them was changed. But this is a general security issue, not something that means that A&L's site was hacked.


    As an aside, did you know that by using A&L's online banking you agree to call their security breach contact number if you write someone a cheque or tell someone when you were born? The requirement comes because you're required to contact them if you disclose details that are used for online or phone banking and that information sometimes includes your account number or sort code. Both of those pieces of information are on a cheque, so giving someone a check is also giving them that security information.

    You're also required to keep secret your date of birth, so no showing of your passport or other document that contains it.

    The requirement comes from this combination:

    '"Security Details" means the security information which You will need to access the Online Banking service. These will include :- a passcode; a personal identification number, or Customer ID a registration number or Customer PIN any item of memorable information which we ask You to confirm (for example , place of birth); and any other security requirements which we may notify to You;'

    "6.1 You must:-
    a) Memorise your Security Details and securely destroy anything containing Security Details as soon as you receive it;
    b) Not write down or record the Security Details on any documents relating to your Account. If you do write down or record your Security Details, you must disguise your Security Details so that they cannot be understood by anyone else.
    c) Keep the Security Details secret and take reasonable steps to prevent anyone else finding out the Security Details;"

    "6.2 You must tell Us as soon as you can by phoning the telephone number provided in section 7.2 if:
    a) You become aware of any error or any suspected error in the Online Banking service or in any transaction resulting from using it. You should check your Account statements carefully; or
    b) you suspect or discover that someone else knows Your Security Details or you believe that your Security Details may have been misused"

    It appears that whoever wrote about what you can't do with security details was thinking of login ID and PIN, while whoever wrote the definition of what security details were didn't pay much attention to all the ways the things that are considered to be security details are normally disclosed.
  • Joe_BloggsJoe_Bloggs Forumite
    4.5K Posts
    @Jamesd
    Re: The Aside. Do you think that this includes the recent census that involved the compulsory effluence of personal information ?
    J_B.
    'Biographical security is a joke', a quote from Lord Byron's
    autobiography Vol 2a (My pets and fiends).
  • edited 19 April 2011 at 3:32PM
    jamesdjamesd Forumite
    25.4K Posts
    Part of the Furniture 10,000 Posts Name Dropper
    ✭✭✭✭✭
    edited 19 April 2011 at 3:32PM
    Joe_Bloggs, since we were required by law to disclose the information and prohibited from disclosing it by a civil contract with A&L I assume that most adult A&L customers breached their agreement rather than breaking the census law, as the lesser of the two evils.

    The number you have to call is a premium rate number, so maybe it's intended as a profit generator? :) (A joke, it's just a badly written agreement).
  • DegenerateDegenerate Forumite
    2.2K Posts
    If Santander aren't just bullsh!tting us here then they're guilty of such technical incompetence that I'm not sure anyone should feel any safer.
  • Joe_BloggsJoe_Bloggs Forumite
    4.5K Posts
    @jamesd
    Perhaps the A&L customers should have confessed their participation in the census to whatever is the equivalent of the A&L confession box.
    J_B.
  • jamesdjamesd Forumite
    25.4K Posts
    Part of the Furniture 10,000 Posts Name Dropper
    ✭✭✭✭✭
    Perhaps, but not by using the phone number, since that makes A&L money. The online messaging system seems like a better choice of method.
  • scott_lithgowsscott_lithgows Forumite
    1.4K Posts
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    ✭✭✭
    Dont have any accounts with them,clever me.
    I have a deep burning indifference
  • Two weeks ago my internet account was hacked into for the second time in two years, but this time someone telephoned Santander and successfully removed money from my account. Apparently there was 'an issue' with the receiving account which flagged up concerns and my account was frozen. Unfortunately I wasn't told about this, but after my card had been refused twice I went online and checked my account! As soon as I saw the fraudulent transactions I called the bank, but they couldn't/wouldn't do anything and insisted I go into the nearest branch with photo id to sort things out. As this was Saturday afternoon I had to wait until Monday to go into the branch. After telling an advisor at the branch about my problems she duly called someone as she didn't know what to do. So having to repeat my story through the advisor to another person who also seemed unsure as what to do, she took details of my driving licence to prove I was who I said I was and was told to go home and wait for someone to call. The following day (five days after the fraudulent transactions) I received a letter informing me that my account had been frozen due to suspicious transactions. I was instructed to call them (the fraud department) to discuss. I called the number on the letter only to find I was being put through to some techie in Belfast! He listened to my story again and put me on hold while he spoke to the fraud department. The fraud department refused to talk to me on the phone and insisted I go into the branch with photo id to sort it out! I said that I had already done that the previous day, but they had no record of me doing that. It took me 10 minutes to get to the branch, I spoke to the same person I had spoken to the previous day who was just as confused as I was. She spoke to the same person she had spoken to the day before who seemed to have forgotten that the conversation had happened. I was, again, instructed to go home and await a phone call. My account would be closed and a new one opened. Within an hour of arriving home I had a call to tell me that my account would be closed and they would open a new one and transfer all my direct debits, oh and the money taken from my account had been repaid, phew! So two weeks since the fraudulent transactions had occurred I still can't access my money, its pay day today, the banks will not be open again until next Tuesday, so I won't be able to draw any money or pay any bills until then at least!

    Can anyone recommend another bank?
This discussion has been closed.
Latest News and Guides