House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

tyres

Hacking Case Exposes Potential Flaw In Halifax And Lloyds' Security


Hackers have found a way to get round a crucial step in Halifax and Lloyds' online safety check

A Guardian Money reader has exposed a potentially major flaw in the security of the 22m current accounts operated by Lloyds and Halifax after hackers attempted to empty his account of £7,200.

Fraudsters have developed a way to get round one of the banks' crucial security checks for online account holders. While some banks give special anti-fraud card readers to customers to use at home, which generate a passcode for each significant online transaction, Lloyds and Halifax call the home phone or mobile of the account holder to check and authorise a payment.

more here...


The problem with the Lloyds approach is that they don't strongly verify the identity of the caller when they call to confirm a transaction.

They assume that if the phone number matches their records and the answering party has a one-time code, then they are the account holder. As we have seen with this attempted theft, this is not reliable, particularly if a robust method of 2-factor authentication has not been used (e.g. PINsentry device, RSA SecurID or similar). A lot of companies have taken to using a phone call as a method of 2FA, but with the availability of diversion services, this is not robust (interestingly, there is no viable method for text message diversion, so a one-time PIN sent by text message which could be entered into the site would avoid this problem - but open a new problem which is that the loss of a smart phone could be catastrophic).

For what it's worth, when I wanted to make a large payment, my bank phoned me up and then proceeded to ask 5 further security questions to verify my identity, even though they had called my mobile number, and the original log in was made using 2FA.

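
The payment-confirmation policy the post above argues for, written out as an added example (not code from this thread or from any bank): the one-time code must be entered back into the web session that requested the payment rather than merely known by whoever answers a phone, the code is single-use and expires, and payments over a threshold also require the extra security questions. The threshold, session ids, question/answer pairs and the simulated "delivery" of the code are all constructed for the example.

```python
import hmac
import secrets
import time

LARGE_PAYMENT = 5000        # constructed threshold (GBP) above which step-up questions apply
OTP_TTL_SECONDS = 120       # constructed lifetime of a one-time code


class PaymentAuthorizer:
    """Authorise a payment with a one-time code bound to the requesting session,
    plus knowledge-based step-up for large amounts. Constructed example."""

    def __init__(self, security_answers, now=time.time):
        # security_answers: {question: expected answer}, e.g. from the customer profile
        self._answers = {q: a.strip().lower() for q, a in security_answers.items()}
        self._pending = {}  # challenge_id -> (session_id, amount, otp, expires_at)
        self._now = now

    def start_payment(self, session_id, amount):
        """Create a challenge for this session and return (challenge_id, otp).
        A real system would send the otp out-of-band (text message); it is
        returned here only so the simulation can deliver it."""
        challenge_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[challenge_id] = (session_id, amount, otp, self._now() + OTP_TTL_SECONDS)
        return challenge_id, otp

    def confirm(self, session_id, challenge_id, otp, kba_answers=None):
        """Return True only if every check passes. The challenge is consumed on
        any attempt, so a code cannot be replayed after a first use or failure."""
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        bound_session, amount, expected_otp, expires_at = record
        if self._now() > expires_at:
            return False
        # The code must come back through the session that asked for the payment;
        # knowing the code (e.g. hearing it on a diverted call) is not enough.
        if not hmac.compare_digest(bound_session, session_id):
            return False
        if not hmac.compare_digest(expected_otp, otp):
            return False
        if amount >= LARGE_PAYMENT:
            # Step-up: every stored security question must be answered correctly.
            given = {q: a.strip().lower() for q, a in (kba_answers or {}).items()}
            if any(given.get(q) != a for q, a in self._answers.items()):
                return False
        return True
```
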

I have finally been able to shut down what was a Halifax phone account from 10+ years ago.

It took me 3 months - complaint off in the post.

They'd managed to keep my home address for the statement but not update my security address.

When I rang in, they were sending off security mail to the wrong address.

10 long phone calls to resolve all this.
