Computer Crime Research Center


Security breach at Cahoot bank

Date: November 06, 2004
Source: This Is London


The website for online bank Cahoot was shut down for around ten hours yesterday after the discovery of a major security breach that meant customers could log onto other people's accounts without using a password.

Customers could access other people's account details by entering only a username into the system and bypassing other security information.

Cahoot, owned by Abbey National, said that while account information could be viewed, no money could be moved.

The security breach was exposed when a Cahoot user contacted the BBC. He said he had stumbled upon a way of getting into his account with just his username.

Neil Barrett, a professor of computer crime, told the BBC he was shocked at how simple it was to bypass the Cahoot security measures.

The BBC said Cahoot engineers shut the site down when the flaw was discovered. It was traced back to a system upgrade 12 days ago.

Tim Sawyer, head of Cahoot, said: 'People would have needed a confidential security ID or they would have had to guess it. It would have been extremely difficult to do that.'

He conceded that Cahoot needed to review its security procedures and that it had conducted a complete review of the website.

Around 650,000 people have an online account with Cahoot, and around 12m people in the UK do their banking online.

The online banking industry has been stung by a string of security scares over the past year. Sophisticated 'phishing' scams have cost financial institutions around £60m.

The fraudsters use random emails that direct recipients to what appear to be the websites of reputable financial institutions and ask them to reveal account details, passwords and PIN numbers for cash machines. In fact, these are spoof websites set up by the criminals to steal banking details.

Most people ignore the mail because they are suspicious or because they do not have an account with that organisation. But a small minority reveal their account details, and in some cases have lost thousands of pounds.

Police believe the gangs are recruiting technology and language specialists to improve the quality of their bogus sites and mail.


2008-10-15 05:26:17 - The Cahoot website is still down,... John