Lloyds or Halifax bank accounts are easily stolen

Comments

  • Emily_Joy
    Emily_Joy Posts: 1,491 Forumite
    Jeddy wrote: »
    If I turn my phone off / take out the SIM, next time I turn my phone on I have to enter the SIM PIN as well as the phone SIM so I think transferring the SIM would stop a phone call from being received. I doubt however it stops data on the phone being accessed if you can get past the phone PIN however.
    In most cases these PINs are requested by the SIM/Android OS. Therefore anyone who can intervene in the bootloader process will bypass them without noticing.
  • Jeddy
    Jeddy Posts: 77 Forumite
    edited 24 March 2018 at 2:38PM
    OK, I've just done this a second time! This really is NOT SECURE. Please, someone else try it and confirm. You don't need to change any of your details, you can reset them to what they were previously if you prefer. I've taken screen grabs this time to take into branch on Monday.

    To clarify. Go to Lloyds or Halifax website and go to sign on screen.
    Click on Forgotten logon / signon details.
    Close the pop up advising what you'll need.
    Click on Forgotten username.
    Enter a/c number and sort code (e.g. from bank card)
    Enter first name, last name (e.g. from bank card)
    Enter date of birth (e.g. from driving licence)
    Continue
    You're now reminded of your username!
    Continue
    Step 2, do you want to reset your password - Yes
    Continue
    Enter your new password twice
    Continue
    Step 3, do you want to reset your memorable information - Yes
    Continue
    Enter it twice
    Continue
    Step 4 Verify your identity
    Pick one of the phone numbers - it'll be the one starting 07****nnn no doubt
    We're calling you...
    Answer the phone (no pin required), read the authentication number from the screen and type into the locked phone.
    'You're now ready to sign onto online banking.'
    'Sign on to online banking'
    Enter
    Welcome to online banking
    Enter username you were advised of above
    Enter password you reset above in step 2
    Continue
    Enter part of your memorable information you reset in step 3 above.
    You are now logged on.
    You can now setup new payees etc. by answering more phone calls and similarly entering the number from the locked phone onto online banking.
    Now wave good-bye to all your money.

    I suspect the problem I have is that no-one here who has a Lloyds / Halifax account believes it could be possible so isn't bothering to check, Lloyds / Halifax will no doubt be of the same opinion.
  • Jeddy
    Jeddy Posts: 77 Forumite
    Emily_Joy wrote: »
    In most cases these PINs are requested by the SIM/Android OS. Therefore anyone who can intervene in the bootloader process will bypass them without noticing.
    Thanks, I'll bow down to your superior knowledge on that. Now you've given me something else to worry about! ;)
  • Emily_Joy
    Emily_Joy Posts: 1,491 Forumite
    Jeddy wrote: »
    Thanks, I'll bow down to your superior knowledge on that. Now you've given me something else to worry about! ;)
    I do have both accounts. I also know that any transfer over 500GBP will be blocked by the security team, as well as any suspicious activity such as a large number of transfers at an unusual time of the day. Somehow I don't consider the risk high enough to worry about - I am more concerned by contactless working for months after the card was cancelled.
  • BooJewels
    BooJewels Posts: 3,006 Forumite
    Jeddy wrote: »
    Step 2, do you want to reset your password - Yes
    Continue
    Enter your new password twice
    I haven't studied the rest of your procedure and I don't want to try it with my own account in case I lock myself out, but I don't think I've ever changed a password on anything, without having to enter the old password before a new one.
  • Jeddy
    Jeddy Posts: 77 Forumite
    BooJewels wrote: »
    I haven't studied the rest of your procedure and I don't want to try it with my own account in case I lock myself out, but I don't think I've ever changed a password on anything, without having to enter the old password before a new one.
    You're resetting your password and memorable data from the "I've forgotten it" link so it can't ask you what your existing information was. The resetting of password and memorable data is authenticated via a received phone call to your (potentially locked) mobile.
    I'd assume (but have not checked) that if at any point before copying the correct code from the website to the phone, you abort the process, it does so with none of your data having been changed. If you are interested in testing and are nervous, I agree, wait until you don't need your account for a few days and have a spare bit of time to go into branch - just in case.
    In my case it was time to change my password etc. anyway and I was curious how the process worked so tested it in case I ever needed it. I wasn't expecting it to be as it is.
  • Jeddy
    Jeddy Posts: 77 Forumite
    Emily_Joy wrote: »
    I do have both accounts. I also know that any transfer over 500GBP will be blocked by the security team, as well as any suspicious activity such as a large number of transfers at an unusual time of the day. Somehow I don't consider the risk high enough to worry about - I am more concerned by contactless working for months after the card was cancelled.
    I suspect that may be account dependent. I recently opened a Tesco saving a/c and transferred a 5 figure sum into it with no trouble. A 5 figure sum is enough for me to worry about, but I agree that 500 is small enough I've got time to argue that while it gets sorted out without problem.
  • Vortigern
    Vortigern Posts: 3,302 Forumite
    Jeddy wrote: »
    OK, I've just done this a second time! This really is NOT SECURE.

    What you say may well be true, but should you really be publishing detailed instructions on how to hack the banks on a public forum?

    I hope the hackers don't read MSE. And I hope nobody uses your instructions to steal from their friends and relatives.

    Present your findings to the CEO of the bank concerned?
  • Jeddy
    Jeddy Posts: 77 Forumite
    Vortigern wrote: »
    What you say may well be true, but should you really be publishing detailed instructions on how to hack the banks on a public forum?

    I hope the hackers don't read MSE. And I hope nobody uses your instructions to steal from their friends and relatives.

    Present your findings to the CEO of the bank concerned?
    I tried contacting Lloyds and was simply sent a link to a website which talked about how secure they were and reassured there was no problem. The customer service people either weren't interested or didn't know how to handle the concern.
    I am hoping by making it 'public' (it's hardly secret, it's just following their documented process) others may also complain and they may start to listen rather than just thinking it's one person who's confused.
    I will try talking to the branch manager next week, but don't expect it will be easy to get an appointment as I'm not wanting to give them a large amount of money.
    It has also been suggested I contact the fraud team, I'll do that, but given no fraud has taken place on my account yet I'm not sure they'll be able to handle it either.
    I've also sent an email to BBC Moneybox in the hope they pick up the story and can help get the problem fixed.
    I didn't want to go 'public', but I hope you can understand why I did.
  • Jeddy
    Jeddy Posts: 77 Forumite
    For amusement, Lloyds said:
    "Please be assured we employ many industry standard security measures which work in the background to help protect your account. As long as you don't share your log on details, your account will be safe. You'll find more information on how we keep your account safe via mobile banking here: http://spr.ly/6010Dnzga . I hope this helps."

    He didn't even appear to understand I was talking about online banking rather than mobile banking. That's the problem when you're talking with someone who is dealing with 10 people at once: they don't have time to do anything other than give generic replies.
This discussion has been closed.