[ISN] Hole punched in UK bank's security

InfoSec News isn at c4i.org
Tue Oct 25 02:20:14 EDT 2005 

http://www.techworld.com/security/news/index.cfm?NewsID=4641

By John E. Dunn
Techworld
24 October 2005

Only days after trumpeting [1] a state-of-the-art online security
trial, UK bank Lloyds TSB has had its security systems beaten by no
more than a fake passport and a forged signature.

The identity fraud against an unnamed woman, reported at the weekend
by The Guardian newspaper [2], saw criminals empty her savings account
of a staggering £250,000 ($450,000) after presenting branch staff with
the fake documents.

The bank compounded this security disaster by refusing to explain to
her how such a fraud could have taken place. When she tried to open
another account at the same bank, she then discovered that her rating
had been "damaged" by the fraud, resulting in her request being
refused.

When Techworld spoke to the company's Internet banking director
Matthew Timms at the time of the BankSecure [3] authentication
announcement, he admitted that Lloyds TSB had seen increasing levels
of fraud in recent months.

Maintaining customer confidence was essential, he said, and "layering"  
security was one way to achieve that objective. Such a fraud
demonstrates how despite these assurances the bank.s security systems
can still fail calamitously.

Although the theft did not compromise the online banking security
directly - of which the BankSecure authentication system announcement
is an experimental part - that such a fraud can occur elsewhere in the
bank's systems is bound to undermine [4] the effectiveness of such
projects.

In another case reported to The Guardian at the same bank, a customer
had £1,414 ($2,500) stolen from his current account via debit card
fraud, despite the fact the theft occurred across 20 to 30 separate
transactions.

Again, although the BankSecure authentication was not involved in this
fraud, it raises more questions about the security practices of Lloyds
TSB. Banks are supposed to have fraud detection systems, whether
software-based or using staff monitoring, to pick up unusual spending
patterns. In this instance, they clearly didn.t.

Lloyds TSB were asked for comment but had not done so at the time of
going to press.

[1] http://www.techworld.com/security/news/index.cfm?NewsID=4583
[2] http://money.guardian.co.uk/weekly/story/0,16520,1597693,00.html
[3] http://www.lloydstsb.com/security.asp
[4] http://www.techworld.com/security/features/index.cfm?FeatureID=1878

More information about the ISN mailing list