http://www.techworld.com/security/news/index.cfm?NewsID=4641 By John E. Dunn Techworld 24 October 2005 Only days after trumpeting [1] a state-of-the-art online security trial, UK bank Lloyds TSB has had its security systems beaten by no more than a fake passport and a forged signature. The identity fraud against an unnamed woman, reported at the weekend by The Guardian newspaper [2], saw criminals empty her savings account of a staggering £250,000 ($450,000) after presenting branch staff with the fake documents. The bank compounded this security disaster by refusing to explain to her how such a fraud could have taken place. When she tried to open another account at the same bank, she then discovered that her rating had been "damaged" by the fraud, resulting in her request being refused. When Techworld spoke to the company's Internet banking director Matthew Timms at the time of the BankSecure [3] authentication announcement, he admitted that Lloyds TSB had seen increasing levels of fraud in recent months. Maintaining customer confidence was essential, he said, and "layering" security was one way to achieve that objective. Such a fraud demonstrates how despite these assurances the bank.s security systems can still fail calamitously. Although the theft did not compromise the online banking security directly - of which the BankSecure authentication system announcement is an experimental part - that such a fraud can occur elsewhere in the bank's systems is bound to undermine [4] the effectiveness of such projects. In another case reported to The Guardian at the same bank, a customer had £1,414 ($2,500) stolen from his current account via debit card fraud, despite the fact the theft occurred across 20 to 30 separate transactions. Again, although the BankSecure authentication was not involved in this fraud, it raises more questions about the security practices of Lloyds TSB. Banks are supposed to have fraud detection systems, whether software-based or using staff monitoring, to pick up unusual spending patterns. In this instance, they clearly didn.t. Lloyds TSB were asked for comment but had not done so at the time of going to press. [1] http://www.techworld.com/security/news/index.cfm?NewsID=4583 [2] http://money.guardian.co.uk/weekly/story/0,16520,1597693,00.html [3] http://www.lloydstsb.com/security.asp [4] http://www.techworld.com/security/features/index.cfm?FeatureID=1878 _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Oct 24 2005 - 23:37:41 PDT