Computer Crime Research Center

card/idtheft.jpg

New online fraud scare

Date: November 10, 2004
Source: This Is London
By: Jonathan Prynn

Fresh fears about the security of online banks were raised today after a major new loophole was exposed.

About one million Morgan Stanley credit card holders were told their accounts could have been accessed by fraudsters who would not have needed to know their passwords.

This is because Morgan Stanley cardholders can choose to let computers "remember" their password when they log in.

This means that security details are automatically entered by their computer when customers call up their accounts online.

The problem was first spotted by business consultant David Reese, who noticed that his account number appeared in full when he punched in the first digit.

At the same time - without his having to enter any more numbers- - his password also went in. He said: "I couldn't believe it. I thought maybe it's something I've done wrong or a quirk in the system.

"But I tried it on another computer, and another and another, and I found it worked on every computer I tried."

Professor Neil Barrett, a computer crime expert at Cranfield University, told the BBC's Breakfast TV programme: "It allows somebody to get access to your credit card. If you have ?15,000 on your credit card this will allow them to steal it.

"On that basis you have to say it's pretty serious."

It is the second security loophole to be exposed in a week, raising concerns about how secure Britain's 12 million banking accounts really are.

Four days ago the online bank Cahoot admitted that hackers could view its customers' account details without needing to know a password.

Today Morgan Stanley said it had taken urgent steps to close the loophole.

In a statement, a spokesman for the bank said: "Morgan Stanley has received no customer complaints or calls on this issue to date and to our knowledge, no accounts have been accessed improperly.

"Morgan Stanley is taking immediate steps to turn off the auto function to ensure that there are no possible security issues on the account centre. This change will take effect tonight."


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo