A security glitch that allowed customers to access other people's accounts by just entering a username and no password has been uncovered at internet bank Cahoot.
Computer programmer David Eade at multimedia agency blueberrytwist.com started contacting the bank over six months ago to inform them of potential security holes, but was assured that the bank was safe.
'I was looking into how to get into my site without details and it occurred to me that I had some security holes in my software that needed to be plugged, so I wondered how banks did it,' said Eade.
'So I wanted to see what happens if you do the same to their site as what bypassed my security and voila, they don't do it.'
Although Eade concedes that he is a computer expert, he claims that the hole in the Cahoot site was simple enough for anyone to stumble across, even just by clicking a few too many times in the right places.
12 days ago the bank did a software update to resolve the issue - and then shut the site down yesterday for about ten hours to carry out an emergency system upgrade.
But in an interview with the BBC this morning, Cahoot head Tim Sawyer tried to downplay the issue, insisting that no customer's money was at risk, as the glitch only allowed someone to view account information, not transfer any money.
However, Sawyer also claimed that anyone wishing to breach the site would have needed a confidential security ID or would have had to guess it.
'It would have been extremely difficult to do that,' he said.
Eade refutes this claim, saying that it was not nearly as difficult to access an account as the bank claims, adding that it's relatively easy to guess someone's username.
The security breach was exposed when Eade contacted the BBC, telling them of the hole in the site.
In reply, Sawyer has conceded that the bank needs to closely review its processes.
'We did not fail as an organisation because there was no risk of financial loss, but we do need to learn lessons from this,' he said.
Professor Neil Barrett, a security expert who advised the BBC, has warned that other online banks could be at risk from the same problem.
Are we safe online?
The news about Cahoot has raised the issue of online safety and whether or not major online brands are doing enough to protect their customers.
Around 650,000 people have an online account with Cahoot, which is owned by high street bank Abbey, while a total of about 14m people in the UK bank online.
A recent MORI survey conducted on behalf of RSA Security says concerns over online banking are stopping a further 6 million people in the UK from banking online.
RSA Security strategic marketing director Tim Pickard says the incident is graphic proof of his firm's claim that username and password security is not adequate for safe online commerce.
'Strong, two-factor authentication, incorporating something that the user knows and something that the user has, would dramatically improve the security of consumers in this type of environment,' he said.
Another concern that has been raised is the issue of Data Protection Act (DPA) implications.
Tim Trent, a consultant at Marketing Improvement, is just one unhappy customer who says he will be contacting the Information Commissioner to complain about DPA implications of the Cahoot breach.
'This may not have put my money at risk, but if people can look at what transactions I'm conducting, that puts my privacy at risk,' he said.