
MSE News: Huge Halifax and Bank of Scotland data security flaw exposed by MSE


edited 30 November -1 at 1:00AM in Budgeting & Bank Accounts
11 replies 2.6K views
Former_MSE_Helen
2.4K posts
A Halifax and Bank of Scotland online security flaw meant balances and transactions were left exposed for others to view...
Read the full story:

Huge Halifax and Bank of Scotland data security flaw exposed by MoneySavingExpert.com


Replies

  • edited 15 October 2015 at 10:37AM
    redux Forumite
    22.7K posts
    I've opened accounts online with two other banking organisations this year.

    Online access to one took a few minutes from the start, though an incoming transaction wasn't fully detailed until the next day, and the other 3 weeks, involving several postal items, visiting the branch to hand in a signed form, a second copy of the form to sign arriving 2 days later, over an hour on two phone calls, a missing report I'd handed in that form, and two different customer numbers, the first not recognised when I tried to log in, then after they told me the second customer number over the phone the online access asked me to repeat 3 items of security information I hadn't yet given.

    I also have a Halifax bank account. The only thing I've noticed before the very recent and not quite finished online format change is they stopped listing my credit card account about a year or so ago.
  • chris_m Forumite
    8.3K posts
    redux wrote: »
    I've opened accounts online with two other banking organisations this year.

    Online access to one took a few minutes from the start, though an incoming transaction wasn't fully detailed until the next day, and the other 3 weeks, involving several postal items, visiting the branch to hand in a signed form, a second copy of the form to sign arriving 2 days later, over an hour on two phone calls, a missing report I'd handed in that form, and two different customer numbers, the first wrong.

    The second one wouldn't start with "N" and end with "E" would it?
    Apart from the hour on phone calls and the missing report, that mirrors my experience with an "organisation" which begins and ends with those letters - oh, apart from an email wanting me to take ID to a branch but when I did they told me that they didn't need it after all. I'm still awaiting my online banking login details so that I can check exactly what is what, let alone bung money in their direction.
  • redux Forumite
    22.7K posts
    chris_m wrote: »
    The second one wouldn't start with "N" and end with "E" would it?
    Apart from the hour on phone calls and the missing report, that mirrors my experience with an "organisation" which begins and ends with those letters - oh, apart from an email wanting me to take ID to a branch but when I did they told me that they didn't need it after all. I'm still awaiting my online banking login details so that I can check exactly what is what, let alone bung money in their direction.

    I think it might be the same.

    The sort code and account number did turn out to be correct, but while things were in mid air I did point out it was a good thing I hadn't sent any money to it yet. Also that it was good I'd paid a substantial cheque into an account somewhere else instead of waiting for them.

    Things seem to be working ok now, so just be patient.
  • You would have to be a customer who had not registered for online banking?

    I don't consider this "huge" at all. "Huge" would be one customer having access to various other customers' data at free will.

    It's not a flaw either, these systems were designed this way. It's not right that this was possible however and I'm glad it's "fixed".
  • alibean121 Forumite
    96 posts
    Paul_1977 wrote: »
    You would have to be a customer who had not registered for online banking?

    I don't consider this "huge" at all. "Huge" would be one customer having access to various other customers' data at free will.

    It's not a flaw either, these systems were designed this way. It's not right that this was possible however and I'm glad it's "fixed".

    As far as I understand it, if I had a Halifax account, there's nothing to stop someone making an account for me at Bank of Scotland then viewing my Halifax account on there. Whether I access the Halifax account online is irrelevant.

    I guess the main thing is that the address has to match the correct address though so you would get a letter about the account. I'd imagine the matter could then be swiftly resolved without actual loss.
  • masonic Forumite
    14.4K posts
    Paul_1977 wrote: »
    You would have to be a customer who had not registered for online banking?
    You would have to be a customer who had not registered for online banking at both Halifax and BOS.

    I have Halifax accounts and have registered for online banking there, but I have not registered for online banking at BOS. So, anyone who knows my name and address and that I bank at Halifax, could apply for an account at BOS, create a separate BOS online banking login while the application is being processed and in the meantime see details of my Halifax transactions. I'd say that's a fairly serious flaw.
  • edited 21 October 2015 at 12:58PM
    tgroom57 Forumite
    1.4K posts
    It's not fixed at all!

    I think divorcing couples will find this a great boon - to discover the other party's banking arrangements.
    Anyone with access to your letterbox can still see what accounts you have and what's in them, even after this 'fix' of sending out a letter.

    Suppose Granny lives with you and has a susceptible account. Does she really want you going through her accounts?

  • Archi_Bald Forumite
    9.7K posts
    tgroom57 wrote: »
    It's not fixed at all!

    What isn't fixed?
  • bsod Users Awaiting Email Confirmation
    1.2K posts
    Shouldn't the title be huge flaw exposed by member of the public?
    Don't you dare criticise what you cannot understand
  • edited 19 October 2015 at 12:20AM
    agarnett
    1.3K posts
    Looks to me like huge flaw still exists and it almost certainly is not restricted to one bank.

    I got hit with an almost exactly similar Barclaycard security flaw a year or two back. A new account was set up, a new card and PIN sent out and the first I knew about it was a letter telling me I was over limit a couple of months later. I already had accounts with Barclaycard and none of the information on the new account matched other than my first and last name and address. My investigations led me to discover that the online application went through and "passed" a live Experian check too. Apparently stuff like DoB, employment status/income and time at current address ain't expected to be unique anymore - anything goes because applicants sometimes make mistakes and the inconvenience of having an application turned down for a typo or three is worse than the risk of a little bit of fraud occurring. Banks moderate their exposure (never mind ours!) by seemingly restricting the credit limit a bit until they are more confident it's really us who applied :rotfl:

    They could care less (and frequently do I think) about our exposure to organised crime being able to build databases with tabs on us all that vie with GCHQ's

    As I understand it from this latest MSE news piece, the "fix" is simply the sending out of a code (just like a PIN gets sent out). If the addressee isn't expecting it, then how is interception going to be prevented? Answer: it isn't unless the nation's army of letterbox dippers decides to have the day off.

    I fear that everyone's understanding of the real risks is flawed, that's banks and MSE reporters alike.
This discussion has been closed.
